Skip to content

fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition #1005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 7 commits into from
Nov 25, 2025
Merged

fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition #1005

openshift-merge-bot merged 7 commits into from
Nov 25, 2025

Conversation

@akhilnittala
Copy link
Contributor

@akhilnittala akhilnittala commented Nov 13, 2025
edited
Loading

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind bug

/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:
The latest Prometheus upgrade enforces stricter security practices by requiring the use of Secrets and ConfigMaps for bearer tokens and TLS CA configurations. However, our current implementation references bearerTokenFile and tlsConfig.caFile using absolute filesystem paths. This approach is no longer permitted, as Prometheus now prohibits direct filesystem access for these files. As a result, the Prometheus Operator logs show errors when it attempts to access these paths.
Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:
https://issues.redhat.com/browse/GITOPS-7992
Fixes #?
https://issues.redhat.com/browse/GITOPS-7992
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

  • install gitops operator on oc cluster

  • make this change in cluster-monitoring-configmap like below

kind: ConfigMap
apiVersion: v1
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
  uid: 8d390161-acc1-4409-809d-638359caeb40
  resourceVersion: '1966303'
  creationTimestamp: '2025-11-08T20:14:19Z'
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"config.yaml":"prometheusK8s:\n  retention: 3d\n"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"cluster-monitoring-config","namespace":"openshift-monitoring"}}
  managedFields:
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: v1
      time: '2025-11-08T20:14:19Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data': {}
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
    - manager: Mozilla
      operation: Update
      apiVersion: v1
      time: '2025-11-13T08:48:04Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          'f:config.yaml': {}
data:
  config.yaml: |
    enableUserWorkload: true
    prometheusK8s:
      retention: 3d
  • check prometheus operator pod logs using command "oc logs -f prometheus-operator-b6ccc8c9d-s86q4 -n openshift-user-workload-monitoring"

@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
227c865 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
@openshift-ci
Copy link

openshift-ci bot commented Nov 13, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the kind/bug Something isn't working label Nov 13, 2025
@akhilnittala
Merge branch 'master' into usr/akhil/GITOPS-7992
03012b6
@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
82fc6ed 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
@akhilnittala akhilnittala marked this pull request as ready for review November 16, 2025 17:51
@openshift-ci openshift-ci bot requested review from jgwest and trdoyle81 November 16, 2025 17:52
@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
9d22845 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
254fae4 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
4a3c072 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
@svghadi
Copy link
Member

svghadi commented Nov 17, 2025

/retest

@akhilnittala
Copy link
Contributor Author

akhilnittala commented Nov 17, 2025

/retest-required

@akhilnittala
fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is atte…
c991018 
…mpting to use a bearerTokenFile configuration in its endpoints definition

Signed-off-by: akhil nittala <nakhil@redhat.com>
anandf
anandf approved these changes Nov 19, 2025
View reviewed changes
Copy link
Member

@anandf anandf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

svghadi
svghadi approved these changes Nov 25, 2025
View reviewed changes
Copy link
Member

@svghadi svghadi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm label Nov 25, 2025
@openshift-ci
Copy link

openshift-ci bot commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: svghadi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@svghadi
Copy link
Member

svghadi commented Nov 25, 2025

/cherry-pick v1.19
/cherry-pick v1.18
/cherry-pick v1.17

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Nov 25, 2025

@svghadi: once the present PR merges, I will cherry-pick it on top of v1.17, v1.18, v1.19 in new PRs and assign them to you.

In response to this:

/cherry-pick v1.19
/cherry-pick v1.18
/cherry-pick v1.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot bot merged commit e941094 into redhat-developer:master Nov 25, 2025
16 checks passed
@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Nov 25, 2025

@svghadi: new pull request created: #1014

In response to this:

/cherry-pick v1.19
/cherry-pick v1.18
/cherry-pick v1.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Nov 25, 2025
Open
@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Nov 25, 2025

@svghadi: #1005 failed to apply on top of branch "v1.18":

Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Using index info to reconstruct a base tree...
A	test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go
CONFLICT (content): Merge conflict in test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0006 fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

In response to this:

/cherry-pick v1.19
/cherry-pick v1.18
/cherry-pick v1.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Nov 25, 2025

@svghadi: #1005 failed to apply on top of branch "v1.17":

Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Applying: fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
Using index info to reconstruct a base tree...
A	test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go
CONFLICT (content): Merge conflict in test/openshift/e2e/ginkgo/sequential/1-104_validate_prometheus_alert_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0006 fix: openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition

In response to this:

/cherry-pick v1.19
/cherry-pick v1.18
/cherry-pick v1.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

svghadi
svghadi reviewed Nov 25, 2025
View reviewed changes
bundle/manifests/openshift-gitops-operator-metrics-bearer-token_v1_secret.yaml
metadata:
annotations:
kubernetes.io/service-account.name: openshift-gitops-operator-controller-manager
name: openshift-gitops-operator-metrics-bearer-token
Copy link
Member

@svghadi svghadi Nov 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be name this as openshift-gitops-operator-metrics-monitor-bearer-token for consistency ? Sorry, I should have requested this before merging.

Copy link
Contributor Author

@akhilnittala akhilnittala Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure sid, will do and create a pr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@svghadi svghadi svghadi approved these changes

@anandf anandf anandf approved these changes

@jgwest jgwest Awaiting requested review from jgwest

@trdoyle81 trdoyle81 Awaiting requested review from trdoyle81

Assignees

@svghadi svghadi

Labels

approved kind/bug Something isn't working lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@akhilnittala @svghadi @openshift-cherrypick-robot @anandf