fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

akhilnittala · akhilnittala · commit b1a5ead77e9d · 2025-12-08T13:11:11.000+05:30
Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;
diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml
@@ -180,7 +180,7 @@ metadata:
     capabilities: Deep Insights
     console.openshift.io/plugins: '["gitops-plugin"]'
     containerImage: quay.io/redhat-developer/gitops-operator
-    createdAt: "2025-07-30T13:03:16Z"
+    createdAt: "2025-12-08T07:34:14Z"
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
     features.operators.openshift.io/disconnected: "true"
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-bearer-token_v1_secret.yaml b/bundle/manifests/openshift-gitops-operator-metrics-bearer-token_v1_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
+  name: openshift-gitops-operator-metrics-monitor-bearer-token
+type: kubernetes.io/service-account-token
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-monitor-bearer-token_v1_secret.yaml b/bundle/manifests/openshift-gitops-operator-metrics-monitor-bearer-token_v1_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
+  name: openshift-gitops-operator-metrics-monitor-bearer-token
+type: kubernetes.io/service-account-token
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-monitor-ca-bundle_v1_configmap.yaml b/bundle/manifests/openshift-gitops-operator-metrics-monitor-ca-bundle_v1_configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    openshift.io/description: This ConfigMap is used for Prometheus monitoring of
+      the GitOps Operator.
+    openshift.io/display-name: GitOps Operator Prometheus Monitor ConfigMap
+    openshift.io/owning-component: service-ca
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: openshift-gitops-operator-metrics-monitor-ca-bundle
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/bundle/manifests/openshift-gitops-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -6,13 +6,18 @@ metadata:
   name: openshift-gitops-operator-metrics-monitor
 spec:
   endpoints:
-  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+  - bearerTokenSecret:
+      key: token
+      name: openshift-gitops-operator-metrics-monitor-bearer-token
     interval: 30s
     path: /metrics
     port: metrics
     scheme: https
     tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      ca:
+        configMap:
+          key: service-ca.crt
+          name: openshift-gitops-operator-metrics-monitor-ca-bundle
       serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
   selector:
     matchLabels:
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
@@ -1,22 +1,46 @@
-
-# Prometheus Monitor Service (Metrics)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: metrics-monitor-bearer-token
+  namespace: openshift-gitops-operator
+  annotations:
+    kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    openshift.io/description: This ConfigMap is used for Prometheus monitoring of the GitOps Operator.
+    openshift.io/display-name: GitOps Operator Prometheus Monitor ConfigMap
+    openshift.io/owning-component: service-ca
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: metrics-monitor-ca-bundle
+  namespace: openshift-gitops-operator
+---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+  name: metrics-monitor
+  namespace: openshift-gitops-operator
   labels:
     control-plane: gitops-operator
-  name: metrics-monitor
-  namespace: system
 spec:
+  selector:
+    matchLabels:
+      control-plane: gitops-operator
   endpoints:
-    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      path: /metrics
+    - bearerTokenSecret:
+        name: openshift-gitops-operator-metrics-monitor-bearer-token
+        key: token
       interval: 30s
+      path: /metrics
       port: metrics
       scheme: https
       tlsConfig:
-        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
-        serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
-  selector:
-    matchLabels:
-      control-plane: gitops-operator
+        ca:
+          configMap:
+            name: openshift-gitops-operator-metrics-monitor-ca-bundle
+            key: service-ca.crt
+        serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
diff --git a/test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go b/test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go
@@ -6,6 +6,7 @@ import (
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture"
 	k8sFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/k8s"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -34,18 +35,29 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 			Eventually(sm).Should(k8sFixture.ExistByName())
 
 			Expect(sm.Spec.Endpoints).Should(Equal([]monitoringv1.Endpoint{{
-				BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
-				Interval:        monitoringv1.Duration("30s"),
-				Path:            "/metrics",
-				Port:            "metrics",
-				Scheme:          "https",
+				BearerTokenSecret: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "openshift-gitops-operator-metrics-monitor-bearer-token",
+					},
+					Key: "token",
+				},
+				Interval: monitoringv1.Duration("30s"),
+				Path:     "/metrics",
+				Port:     "metrics",
+				Scheme:   "https",
 				TLSConfig: &monitoringv1.TLSConfig{
 					SafeTLSConfig: monitoringv1.SafeTLSConfig{
-						CA:         monitoringv1.SecretOrConfigMap{},
+						CA: monitoringv1.SecretOrConfigMap{
+							ConfigMap: &corev1.ConfigMapKeySelector{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: "openshift-gitops-operator-metrics-monitor-ca-bundle",
+								},
+								Key: "service-ca.crt",
+							},
+						},
 						Cert:       monitoringv1.SecretOrConfigMap{},
 						ServerName: "openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc",
 					},
-					CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
 				},
 			}}))
 
