fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition (#1005)

akhilnittala · web-flow · commit e9410940f23f · 2025-11-25T07:52:03.000Z
* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

* fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;

---------

Signed-off-by: akhil nittala &lt;nakhil@redhat.com&gt;
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-bearer-token_v1_secret.yaml b/bundle/manifests/openshift-gitops-operator-metrics-bearer-token_v1_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
+  name: openshift-gitops-operator-metrics-bearer-token
+type: kubernetes.io/service-account-token
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-monitor-ca-bundle_v1_configmap.yaml b/bundle/manifests/openshift-gitops-operator-metrics-monitor-ca-bundle_v1_configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    openshift.io/description: This ConfigMap is used for Prometheus monitoring of
+      the GitOps Operator.
+    openshift.io/display-name: GitOps Operator Prometheus Monitor ConfigMap
+    openshift.io/owning-component: service-ca
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: openshift-gitops-operator-metrics-monitor-ca-bundle
diff --git a/bundle/manifests/openshift-gitops-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/bundle/manifests/openshift-gitops-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -6,13 +6,18 @@ metadata:
   name: openshift-gitops-operator-metrics-monitor
 spec:
   endpoints:
-  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+  - bearerTokenSecret:
+      key: token
+      name: openshift-gitops-operator-metrics-bearer-token
     interval: 30s
     path: /metrics
     port: metrics
     scheme: https
     tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      ca:
+        configMap:
+          key: service-ca.crt
+          name: openshift-gitops-operator-metrics-monitor-ca-bundle
       serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
   selector:
     matchLabels:
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
@@ -1,22 +1,46 @@
-
-# Prometheus Monitor Service (Metrics)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: metrics-bearer-token
+  namespace: openshift-gitops-operator
+  annotations:
+    kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    openshift.io/description: This ConfigMap is used for Prometheus monitoring of the GitOps Operator.
+    openshift.io/display-name: GitOps Operator Prometheus Monitor ConfigMap
+    openshift.io/owning-component: service-ca
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: metrics-monitor-ca-bundle
+  namespace: openshift-gitops-operator
+---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
+  name: metrics-monitor
+  namespace: openshift-gitops-operator
   labels:
     control-plane: gitops-operator
-  name: metrics-monitor
-  namespace: system
 spec:
+  selector:
+    matchLabels:
+      control-plane: gitops-operator
   endpoints:
-    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      path: /metrics
+    - bearerTokenSecret:
+        name: openshift-gitops-operator-metrics-bearer-token
+        key: token
       interval: 30s
+      path: /metrics
       port: metrics
       scheme: https
       tlsConfig:
-        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        ca:
+          configMap:
+            name: openshift-gitops-operator-metrics-monitor-ca-bundle
+            key: service-ca.crt
         serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
-  selector:
-    matchLabels:
-      control-plane: gitops-operator
diff --git a/test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go b/test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go
@@ -3,18 +3,21 @@ package parallel
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	corev1 "k8s.io/api/core/v1"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture"
 	k8sFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/k8s"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 	Context("1-104_validate_prometheus_alert", func() {
 
 		BeforeEach(func() {
-
 			fixture.EnsureParallelCleanSlate()
 		})
 
@@ -33,19 +36,29 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 			}
 			Eventually(sm).Should(k8sFixture.ExistByName())
 
-			Expect(sm.Spec.Endpoints).Should(Equal([]monitoringv1.Endpoint{{
-				BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
-				Interval:        monitoringv1.Duration("30s"),
-				Path:            "/metrics",
-				Port:            "metrics",
-				Scheme:          "https",
+			Expect(sm.Spec.Endpoints).To(Equal([]monitoringv1.Endpoint{{
+				BearerTokenSecret: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "openshift-gitops-operator-metrics-bearer-token",
+					},
+					Key: "token",
+				},
+				Interval: monitoringv1.Duration("30s"),
+				Path:     "/metrics",
+				Port:     "metrics",
+				Scheme:   "https",
 				TLSConfig: &monitoringv1.TLSConfig{
 					SafeTLSConfig: monitoringv1.SafeTLSConfig{
-						CA:         monitoringv1.SecretOrConfigMap{},
-						Cert:       monitoringv1.SecretOrConfigMap{},
+						CA: monitoringv1.SecretOrConfigMap{
+							ConfigMap: &corev1.ConfigMapKeySelector{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: "openshift-gitops-operator-metrics-monitor-ca-bundle",
+								},
+								Key: "service-ca.crt",
+							},
+						},
 						ServerName: "openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc",
 					},
-					CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
 				},
 			}}))
 
@@ -57,5 +70,4 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 			}))
 		})
 	})
-
 })
