From 74e22a3cffb46ab798cfa5bc4bec5b85049402e3 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 11 Mar 2026 14:31:05 +0600 Subject: [PATCH 1/6] charts: replace bearerTokenFile with metrics token secrets Signed-off-by: Tamal Saha --- .../templates/metrics-token-secret.yaml | 12 ++++++++++++ .../templates/servicemonitor.yaml | 4 +++- .../webhook/monitoring/metrics-token-secret.yaml | 12 ++++++++++++ .../templates/webhook/monitoring/servicemonitor.yaml | 4 +++- .../templates/metrics-token-secret.yaml | 12 ++++++++++++ .../templates/servicemonitor.yaml | 4 +++- 6 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml create mode 100644 charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml create mode 100644 charts/docker-machine-operator/templates/metrics-token-secret.yaml diff --git a/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml b/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml new file mode 100644 index 00000000..3210c39e --- /dev/null +++ b/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml @@ -0,0 +1,12 @@ +{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token + namespace: {{ .Release.Namespace }} + labels: + {{- include "capa-vpc-peering-operator.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "capa-vpc-peering-operator.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} \ No newline at end of file diff --git a/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml b/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml index ed2ad6b1..508feca0 100644 --- a/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml 
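Review bot: The `kubernetes.io/service-account.name` annotation binds the new `kubernetes.io/service-account-token` Secret to the operator's own service account, so the control plane materializes a non-expiring token carrying the operator's full RBAC, and anyone able to read Secrets in the release namespace inherits that identity. This is the shape Prometheus Operator expects for `bearerTokenSecret`, but the template should say so, e.g. `# Long-lived SA token read by Prometheus; anyone who can read this Secret inherits the operator's RBAC identity.` above `type:`. If the metrics endpoint only needs the scraper to be authenticated rather than to hold the operator's permissions, consider binding the token to a dedicated low-privilege service account instead. The capi-ops-manager and docker-machine-operator Secrets later in this patch, and the aws/gcp ones in the second patch, have the same shape.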
+++ b/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml @@ -19,7 +19,9 @@ spec: {{- include "capa-vpc-peering-operator.selectorLabels" . | nindent 6 }} endpoints: - port: api - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + bearerTokenSecret: + key: token + name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token scheme: https tlsConfig: ca: diff --git a/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml b/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml new file mode 100644 index 00000000..ed540d91 --- /dev/null +++ b/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (eq .Values.monitoring.agent "prometheus.io/operator") .Values.monitoring.operator }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "capi-ops-manager.fullname" . }}-metrics-token + namespace: {{ .Release.Namespace }} + labels: + {{- include "capi-ops-manager.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "capi-ops-manager.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} \ No newline at end of file diff --git a/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml b/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml index b322fa36..8534306f 100644 --- a/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml +++ b/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml @@ -22,7 +22,9 @@ spec: endpoints: {{- if .Values.monitoring.operator }} - port: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + bearerTokenSecret: + key: token + name: {{ include "capi-ops-manager.fullname" . }}-metrics-token path: /metrics scheme: https tlsConfig: 
diff --git a/charts/docker-machine-operator/templates/metrics-token-secret.yaml b/charts/docker-machine-operator/templates/metrics-token-secret.yaml new file mode 100644 index 00000000..5dfbf672 --- /dev/null +++ b/charts/docker-machine-operator/templates/metrics-token-secret.yaml @@ -0,0 +1,12 @@ +{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "docker-machine-operator.fullname" . }}-metrics-token + namespace: {{ .Release.Namespace }} + labels: + {{- include "docker-machine-operator.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "docker-machine-operator.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} \ No newline at end of file diff --git a/charts/docker-machine-operator/templates/servicemonitor.yaml b/charts/docker-machine-operator/templates/servicemonitor.yaml index e7849318..1a8f0393 100644 --- a/charts/docker-machine-operator/templates/servicemonitor.yaml +++ b/charts/docker-machine-operator/templates/servicemonitor.yaml @@ -19,7 +19,9 @@ spec: {{- include "docker-machine-operator.selectorLabels" . | nindent 6 }} endpoints: - port: api - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + bearerTokenSecret: + key: token + name: {{ include "docker-machine-operator.fullname" . }}-metrics-token scheme: https tlsConfig: ca: From 0511f8815fb45be3c7f61da116bd85de9e8977e2 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 11 Mar 2026 14:36:21 +0600 Subject: [PATCH 2/6] charts: add ServiceMonitor and metrics token for aws/gcp credential managers 
Signed-off-by: Tamal Saha --- .../templates/metrics-token-secret.yaml | 12 +++++++ .../templates/servicemonitor.yaml | 35 +++++++++++++++++++ charts/aws-credential-manager/values.yaml | 9 +++++ .../templates/metrics-token-secret.yaml | 12 +++++++ .../templates/servicemonitor.yaml | 35 +++++++++++++++++++ charts/gcp-credential-manager/values.yaml | 9 +++++ 6 files changed, 112 insertions(+) create mode 100644 charts/aws-credential-manager/templates/metrics-token-secret.yaml create mode 100644 charts/aws-credential-manager/templates/servicemonitor.yaml create mode 100644 charts/gcp-credential-manager/templates/metrics-token-secret.yaml create mode 100644 charts/gcp-credential-manager/templates/servicemonitor.yaml diff --git a/charts/aws-credential-manager/templates/metrics-token-secret.yaml b/charts/aws-credential-manager/templates/metrics-token-secret.yaml new file mode 100644 index 00000000..2efde3f1 --- /dev/null +++ b/charts/aws-credential-manager/templates/metrics-token-secret.yaml @@ -0,0 +1,12 @@ +{{- if eq .Values.monitoring.agent "prometheus.io/operator" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "aws-credential-manager.fullname" . }}-metrics-token + namespace: {{ .Release.Namespace }} + labels: + {{- include "aws-credential-manager.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "aws-credential-manager.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} \ No newline at end of file diff --git a/charts/aws-credential-manager/templates/servicemonitor.yaml b/charts/aws-credential-manager/templates/servicemonitor.yaml new file mode 100644 index 00000000..a81fc04d --- /dev/null +++ b/charts/aws-credential-manager/templates/servicemonitor.yaml 
@@ -0,0 +1,35 @@ +{{- if eq .Values.monitoring.agent "prometheus.io/operator" }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "aws-credential-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.monitoring.serviceMonitor.labels }} + {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- else }} + {{- include "aws-credential-manager.selectorLabels" . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "aws-credential-manager.selectorLabels" . | nindent 6 }} + endpoints: + - targetPort: 9443 + bearerTokenSecret: + key: token + name: {{ include "aws-credential-manager.fullname" . }}-metrics-token + path: /metrics + scheme: https + tlsConfig: + ca: + secret: + name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert + key: ca.crt + serverName: "{{ include "aws-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc" +{{- end }} \ No newline at end of file diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml index 1313bce2..7d1aee63 100644 --- a/charts/aws-credential-manager/values.yaml +++ b/charts/aws-credential-manager/values.yaml @@ -126,3 +126,12 @@ apiserver: serverCrt: "" # Private key for the serving certificate used by webhook server. serverKey: "" + +monitoring: + # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") + agent: "" + serviceMonitor: + # Specify the labels for ServiceMonitor. + # Prometheus crd will select ServiceMonitor using these labels. + # Only usable when monitoring agent is `prometheus.io/operator`. + labels: {} 
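Review bot: The `{{ $key }}: {{ $val }}` line under `labels` renders label values unquoted, so a value such as `true`, `no` or `1.10` is typed as a boolean or number and the ServiceMonitor is rejected because label values must be strings; use `{{ $key }}: {{ $val | quote }}`. The gcp-credential-manager servicemonitor.yaml in this patch has the same line.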
diff --git a/charts/gcp-credential-manager/templates/metrics-token-secret.yaml b/charts/gcp-credential-manager/templates/metrics-token-secret.yaml new file mode 100644 index 00000000..f2a0dcb8 --- /dev/null +++ b/charts/gcp-credential-manager/templates/metrics-token-secret.yaml @@ -0,0 +1,12 @@ +{{- if eq .Values.monitoring.agent "prometheus.io/operator" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token + namespace: {{ .Release.Namespace }} + labels: + {{- include "gcp-credential-manager.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "gcp-credential-manager.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} \ No newline at end of file diff --git a/charts/gcp-credential-manager/templates/servicemonitor.yaml b/charts/gcp-credential-manager/templates/servicemonitor.yaml new file mode 100644 index 00000000..ed8e59c6 --- /dev/null +++ b/charts/gcp-credential-manager/templates/servicemonitor.yaml 
@@ -0,0 +1,35 @@ +{{- if eq .Values.monitoring.agent "prometheus.io/operator" }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gcp-credential-manager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.monitoring.serviceMonitor.labels }} + {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- else }} + {{- include "gcp-credential-manager.selectorLabels" . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "gcp-credential-manager.selectorLabels" . | nindent 6 }} + endpoints: + - targetPort: 9443 + bearerTokenSecret: + key: token + name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token + path: /metrics + scheme: https + tlsConfig: + ca: + secret: + name: {{ include "gcp-credential-manager.fullname" . }}-apiserver-cert + key: ca.crt + serverName: "{{ include "gcp-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc" +{{- end }} \ No newline at end of file diff --git a/charts/gcp-credential-manager/values.yaml b/charts/gcp-credential-manager/values.yaml index 4cb62a5f..bc6e81ba 100644 --- a/charts/gcp-credential-manager/values.yaml +++ b/charts/gcp-credential-manager/values.yaml @@ -105,3 +105,12 @@ apiserver: serverCrt: "" # Private key for the serving certificate used by webhook server. serverKey: "" + +monitoring: + # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") + agent: "" + serviceMonitor: + # Specify the labels for ServiceMonitor. + # Prometheus crd will select ServiceMonitor using these labels. + # Only usable when monitoring agent is `prometheus.io/operator`. + labels: {} From 28ff5e756162f547264da62cd802ad8eb2d6de1a Mon Sep 17 00:00:00 2001 
From: Tamal Saha Date: Wed, 11 Mar 2026 14:43:12 +0600 Subject: [PATCH 3/6] charts: add trailing blank newline to new templates Signed-off-by: Tamal Saha --- .../aws-credential-manager/templates/metrics-token-secret.yaml | 2 +- charts/aws-credential-manager/templates/servicemonitor.yaml | 2 +- .../templates/metrics-token-secret.yaml | 2 +- .../templates/webhook/monitoring/metrics-token-secret.yaml | 2 +- .../docker-machine-operator/templates/metrics-token-secret.yaml | 2 +- .../gcp-credential-manager/templates/metrics-token-secret.yaml | 2 +- charts/gcp-credential-manager/templates/servicemonitor.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/aws-credential-manager/templates/metrics-token-secret.yaml b/charts/aws-credential-manager/templates/metrics-token-secret.yaml index 2efde3f1..24364413 100644 --- a/charts/aws-credential-manager/templates/metrics-token-secret.yaml +++ b/charts/aws-credential-manager/templates/metrics-token-secret.yaml @@ -9,4 +9,4 @@ metadata: annotations: kubernetes.io/service-account.name: {{ include "aws-credential-manager.serviceAccountName" . }} type: kubernetes.io/service-account-token -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/aws-credential-manager/templates/servicemonitor.yaml b/charts/aws-credential-manager/templates/servicemonitor.yaml index a81fc04d..6c989a89 100644 --- a/charts/aws-credential-manager/templates/servicemonitor.yaml +++ b/charts/aws-credential-manager/templates/servicemonitor.yaml @@ -32,4 +32,4 @@ spec: name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert key: ca.crt serverName: "{{ include "aws-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc" -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml b/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml index 3210c39e..3b5e8652 100644 
--- a/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml +++ b/charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml @@ -9,4 +9,4 @@ metadata: annotations: kubernetes.io/service-account.name: {{ include "capa-vpc-peering-operator.serviceAccountName" . }} type: kubernetes.io/service-account-token -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml b/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml index ed540d91..778d394f 100644 --- a/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml +++ b/charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml @@ -9,4 +9,4 @@ metadata: annotations: kubernetes.io/service-account.name: {{ include "capi-ops-manager.serviceAccountName" . }} type: kubernetes.io/service-account-token -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/docker-machine-operator/templates/metrics-token-secret.yaml b/charts/docker-machine-operator/templates/metrics-token-secret.yaml index 5dfbf672..f81a0855 100644 --- a/charts/docker-machine-operator/templates/metrics-token-secret.yaml +++ b/charts/docker-machine-operator/templates/metrics-token-secret.yaml @@ -9,4 +9,4 @@ metadata: annotations: kubernetes.io/service-account.name: {{ include "docker-machine-operator.serviceAccountName" . }} type: kubernetes.io/service-account-token -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gcp-credential-manager/templates/metrics-token-secret.yaml b/charts/gcp-credential-manager/templates/metrics-token-secret.yaml index f2a0dcb8..45f64da4 100644 --- a/charts/gcp-credential-manager/templates/metrics-token-secret.yaml +++ b/charts/gcp-credential-manager/templates/metrics-token-secret.yaml 
@@ -9,4 +9,4 @@ metadata: annotations: kubernetes.io/service-account.name: {{ include "gcp-credential-manager.serviceAccountName" . }} type: kubernetes.io/service-account-token -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gcp-credential-manager/templates/servicemonitor.yaml b/charts/gcp-credential-manager/templates/servicemonitor.yaml index ed8e59c6..081a438a 100644 --- a/charts/gcp-credential-manager/templates/servicemonitor.yaml +++ b/charts/gcp-credential-manager/templates/servicemonitor.yaml @@ -32,4 +32,4 @@ spec: name: {{ include "gcp-credential-manager.fullname" . }}-apiserver-cert key: ca.crt serverName: "{{ include "gcp-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc" -{{- end }} \ No newline at end of file +{{- end }} From 73a63c078c21b4aad4f5cd903c92b11325e1e71f Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 11 Mar 2026 15:28:16 +0600 Subject: [PATCH 4/6] charts/apis: add monitoring schema for credential managers Signed-off-by: Tamal Saha --- .../v1alpha1/aws_credential_manager_types.go | 3 ++- .../v1alpha1/gcp_credential_manager_types.go | 3 ++- .../v1alpha1/zz_generated.deepcopy.go | 2 ++ charts/aws-credential-manager/README.md | 2 ++ .../values.openapiv3_schema.yaml | 20 +++++++++++++++++++ charts/gcp-credential-manager/README.md | 2 ++ .../values.openapiv3_schema.yaml | 20 +++++++++++++++++++ 7 files changed, 50 insertions(+), 2 deletions(-) diff --git a/apis/installer/v1alpha1/aws_credential_manager_types.go b/apis/installer/v1alpha1/aws_credential_manager_types.go index 8ebb7327..b2d2acac 100644 --- a/apis/installer/v1alpha1/aws_credential_manager_types.go +++ b/apis/installer/v1alpha1/aws_credential_manager_types.go 
@@ -83,7 +83,8 @@ type AwsCredentialManagerSpec struct { Volumes []core.Volume `json:"volumes"` VolumeMounts []core.VolumeMount `json:"volumeMounts"` // +optional - Distro shared.DistroSpec `json:"distro"` + Distro shared.DistroSpec `json:"distro"` + Monitoring Monitoring `json:"monitoring"` // +optional Apiserver AwsCredentialManagerApiserver `json:"apiserver"` // +optional diff --git a/apis/installer/v1alpha1/gcp_credential_manager_types.go b/apis/installer/v1alpha1/gcp_credential_manager_types.go index 60c95a14..0d835adf 100644 --- a/apis/installer/v1alpha1/gcp_credential_manager_types.go +++ b/apis/installer/v1alpha1/gcp_credential_manager_types.go @@ -83,7 +83,8 @@ type GcpCredentialManagerSpec struct { Volumes []core.Volume `json:"volumes"` VolumeMounts []core.VolumeMount `json:"volumeMounts"` // +optional - Distro shared.DistroSpec `json:"distro"` + Distro shared.DistroSpec `json:"distro"` + Monitoring Monitoring `json:"monitoring"` // +optional Apiserver GcpCredentialManagerApiserver `json:"apiserver"` // +optional diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go index 81f87f99..81dab37e 100644 --- a/apis/installer/v1alpha1/zz_generated.deepcopy.go +++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go @@ -180,6 +180,7 @@ func (in *AwsCredentialManagerSpec) DeepCopyInto(out *AwsCredentialManagerSpec) } } out.Distro = in.Distro + in.Monitoring.DeepCopyInto(&out.Monitoring) out.Apiserver = in.Apiserver out.BucketAccessor = in.BucketAccessor } @@ -773,6 +774,7 @@ func (in *GcpCredentialManagerSpec) DeepCopyInto(out *GcpCredentialManagerSpec) } } out.Distro = in.Distro + in.Monitoring.DeepCopyInto(&out.Monitoring) out.Apiserver = in.Apiserver out.BucketAccessor = in.BucketAccessor } diff --git a/charts/aws-credential-manager/README.md b/charts/aws-credential-manager/README.md index f766a017..7f2a66ae 100644 --- a/charts/aws-credential-manager/README.md +++ b/charts/aws-credential-manager/README.md 
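Review bot: `Monitoring` is added to `AwsCredentialManagerSpec` without the `// +optional` marker that the neighbouring `Distro` and `Apiserver` fields carry, so the generated schema lists `monitoring` as required even though the feature is off by default (`agent: ""` in values.yaml, which is also not one of the enum values the schema allows for `agent`). If monitoring may be omitted, add `// +optional` above `Monitoring Monitoring \`json:"monitoring"\`` and confirm the `Monitoring` type tolerates an unset agent; otherwise document why it is mandatory. The struct starts outside the hunk, and the `GcpCredentialManagerSpec` hunk in the same patch has the same shape.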
@@ -97,6 +97,8 @@ The following table lists the configurable parameters of the `aws-credential-man | apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" | | apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" | | apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" | +| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/aws-credential-manager/values.openapiv3_schema.yaml b/charts/aws-credential-manager/values.openapiv3_schema.yaml index 3125a200..845a208d 100644 --- a/charts/aws-credential-manager/values.openapiv3_schema.yaml +++ b/charts/aws-credential-manager/values.openapiv3_schema.yaml @@ -610,6 +610,25 @@ properties: format: int32 type: integer type: object + monitoring: + properties: + agent: + enum: + - prometheus.io + - prometheus.io/operator + - prometheus.io/builtin + type: string + serviceMonitor: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + required: + - agent + - serviceMonitor + type: object nameOverride: type: string nodeSelector: @@ -1774,6 +1793,7 @@ properties: type: array required: - image +- monitoring - replicaCount - service - serviceAccount diff --git a/charts/gcp-credential-manager/README.md b/charts/gcp-credential-manager/README.md index 513b2876..1e6607e8 100644 --- a/charts/gcp-credential-manager/README.md +++ b/charts/gcp-credential-manager/README.md 
@@ -97,6 +97,8 @@ The following table lists the configurable parameters of the `gcp-credential-man | apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" | | apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" | | apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" | +| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/gcp-credential-manager/values.openapiv3_schema.yaml b/charts/gcp-credential-manager/values.openapiv3_schema.yaml index 01cbc7d5..19e7a00d 100644 --- a/charts/gcp-credential-manager/values.openapiv3_schema.yaml +++ b/charts/gcp-credential-manager/values.openapiv3_schema.yaml @@ -610,6 +610,25 @@ properties: format: int32 type: integer type: object + monitoring: + properties: + agent: + enum: + - prometheus.io + - prometheus.io/operator + - prometheus.io/builtin + type: string + serviceMonitor: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + required: + - agent + - serviceMonitor + type: object nameOverride: type: string nodeSelector: @@ -1774,6 +1793,7 @@ properties: type: array required: - image +- monitoring - replicaCount - service - serviceAccount From 8305860fd778877b8928c1dd0c3cc8b12c614aff Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Wed, 11 Mar 2026 16:41:55 +0600 Subject: [PATCH 5/6] Use authorization block in ServiceMonitor endpoints 
Signed-off-by: Tamal Saha --- .../aws-credential-manager/templates/servicemonitor.yaml | 8 +++++--- .../templates/servicemonitor.yaml | 8 +++++--- .../templates/webhook/monitoring/servicemonitor.yaml | 8 +++++--- .../docker-machine-operator/templates/servicemonitor.yaml | 8 +++++--- .../gcp-credential-manager/templates/servicemonitor.yaml | 8 +++++--- 5 files changed, 25 insertions(+), 15 deletions(-) diff --git a/charts/aws-credential-manager/templates/servicemonitor.yaml b/charts/aws-credential-manager/templates/servicemonitor.yaml index 6c989a89..fb63b90c 100644 --- a/charts/aws-credential-manager/templates/servicemonitor.yaml +++ b/charts/aws-credential-manager/templates/servicemonitor.yaml @@ -21,9 +21,11 @@ spec: {{- include "aws-credential-manager.selectorLabels" . | nindent 6 }} endpoints: - targetPort: 9443 - bearerTokenSecret: - key: token - name: {{ include "aws-credential-manager.fullname" . }}-metrics-token + authorization: + credentials: + key: token + name: {{ include "aws-credential-manager.fullname" . }}-metrics-token + type: Bearer path: /metrics scheme: https tlsConfig: diff --git a/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml b/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml index 508feca0..a8dc6653 100644 --- a/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml +++ b/charts/capa-vpc-peering-operator/templates/servicemonitor.yaml @@ -19,9 +19,11 @@ spec: {{- include "capa-vpc-peering-operator.selectorLabels" . | nindent 6 }} endpoints: - port: api - bearerTokenSecret: - key: token - name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token + authorization: + credentials: + key: token + name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token + type: Bearer scheme: https tlsConfig: ca: 
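Review bot: The `authorization` block replaces `bearerTokenSecret` in every ServiceMonitor of this patch, which presumably raises the minimum Prometheus Operator version the charts support; if an older operator prunes the unknown field, scrapes go out without a token and fail with 401s rather than with a rendering error. Record the required operator version in the chart documentation (README or Chart.yaml) so that silently unauthenticated scrapes can be traced to a version mismatch. `type: Bearer` is the documented default and could be dropped, but keeping it explicit is fine. The capa, capi-ops-manager, docker-machine-operator and gcp hunks share this.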
diff --git a/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml b/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml index 8534306f..3fcc1b22 100644 --- a/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml +++ b/charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml @@ -22,9 +22,11 @@ spec: endpoints: {{- if .Values.monitoring.operator }} - port: https - bearerTokenSecret: - key: token - name: {{ include "capi-ops-manager.fullname" . }}-metrics-token + authorization: + credentials: + key: token + name: {{ include "capi-ops-manager.fullname" . }}-metrics-token + type: Bearer path: /metrics scheme: https tlsConfig: diff --git a/charts/docker-machine-operator/templates/servicemonitor.yaml b/charts/docker-machine-operator/templates/servicemonitor.yaml index 1a8f0393..6cb75518 100644 --- a/charts/docker-machine-operator/templates/servicemonitor.yaml +++ b/charts/docker-machine-operator/templates/servicemonitor.yaml @@ -19,9 +19,11 @@ spec: {{- include "docker-machine-operator.selectorLabels" . | nindent 6 }} endpoints: - port: api - bearerTokenSecret: - key: token - name: {{ include "docker-machine-operator.fullname" . }}-metrics-token + authorization: + credentials: + key: token + name: {{ include "docker-machine-operator.fullname" . }}-metrics-token + type: Bearer scheme: https tlsConfig: ca: diff --git a/charts/gcp-credential-manager/templates/servicemonitor.yaml b/charts/gcp-credential-manager/templates/servicemonitor.yaml index 081a438a..cc8402b4 100644 --- a/charts/gcp-credential-manager/templates/servicemonitor.yaml +++ b/charts/gcp-credential-manager/templates/servicemonitor.yaml 
@@ -21,9 +21,11 @@ spec: {{- include "gcp-credential-manager.selectorLabels" . | nindent 6 }} endpoints: - targetPort: 9443 - bearerTokenSecret: - key: token - name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token + authorization: + credentials: + key: token + name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token + type: Bearer path: /metrics scheme: https tlsConfig: From 3869a2d48f419bba754e15a988ec5f9c38646d29 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 12 Mar 2026 00:34:08 +0600 Subject: [PATCH 6/6] Use static service account names for aws/gcp credential managers Signed-off-by: Tamal Saha --- .../v1alpha1/aws_credential_manager_types.go | 10 ++++----- .../v1alpha1/gcp_credential_manager_types.go | 10 ++++----- apis/installer/v1alpha1/types.go | 6 +++++ .../v1alpha1/zz_generated.deepcopy.go | 22 +++++++++++++++++++ charts/aws-credential-manager/README.md | 1 - .../templates/_helpers.tpl | 6 +---- .../templates/serviceaccount.yaml | 2 +- .../values.openapiv3_schema.yaml | 2 -- charts/aws-credential-manager/values.yaml | 3 --- charts/gcp-credential-manager/README.md | 1 - .../templates/_helpers.tpl | 6 +---- ...ng-webhook.yaml => mutating-webhook.yaml} | 0 .../templates/serviceaccount.yaml | 2 +- .../values.openapiv3_schema.yaml | 2 -- charts/gcp-credential-manager/values.yaml | 3 --- 15 files changed, 42 insertions(+), 34 deletions(-) rename charts/gcp-credential-manager/templates/{mutating-webhook.yaml => mutating-webhook.yaml} (100%) diff --git a/apis/installer/v1alpha1/aws_credential_manager_types.go b/apis/installer/v1alpha1/aws_credential_manager_types.go index b2d2acac..bbd2aae4 100644 --- a/apis/installer/v1alpha1/aws_credential_manager_types.go +++ b/apis/installer/v1alpha1/aws_credential_manager_types.go 
@@ -77,11 +77,11 @@ type AwsCredentialManagerSpec struct { // +optional LivenessProbe *core.Probe `json:"livenessProbe"` // +optional - ReadinessProbe *core.Probe `json:"readinessProbe"` - Service ServiceSpec `json:"service"` - ServiceAccount ServiceAccountSpec `json:"serviceAccount"` - Volumes []core.Volume `json:"volumes"` - VolumeMounts []core.VolumeMount `json:"volumeMounts"` + ReadinessProbe *core.Probe `json:"readinessProbe"` + Service ServiceSpec `json:"service"` + ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"` + Volumes []core.Volume `json:"volumes"` + VolumeMounts []core.VolumeMount `json:"volumeMounts"` // +optional Distro shared.DistroSpec `json:"distro"` Monitoring Monitoring `json:"monitoring"` diff --git a/apis/installer/v1alpha1/gcp_credential_manager_types.go b/apis/installer/v1alpha1/gcp_credential_manager_types.go index 0d835adf..797884a5 100644 --- a/apis/installer/v1alpha1/gcp_credential_manager_types.go +++ b/apis/installer/v1alpha1/gcp_credential_manager_types.go @@ -77,11 +77,11 @@ type GcpCredentialManagerSpec struct { // +optional LivenessProbe *core.Probe `json:"livenessProbe"` // +optional - ReadinessProbe *core.Probe `json:"readinessProbe"` - Service ServiceSpec `json:"service"` - ServiceAccount ServiceAccountSpec `json:"serviceAccount"` - Volumes []core.Volume `json:"volumes"` - VolumeMounts []core.VolumeMount `json:"volumeMounts"` + ReadinessProbe *core.Probe `json:"readinessProbe"` + Service ServiceSpec `json:"service"` + ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"` + Volumes []core.Volume `json:"volumes"` + VolumeMounts []core.VolumeMount `json:"volumeMounts"` // +optional Distro shared.DistroSpec `json:"distro"` Monitoring Monitoring `json:"monitoring"` diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go index bb43b3e2..5f89768f 100644 --- a/apis/installer/v1alpha1/types.go +++ b/apis/installer/v1alpha1/types.go 
@@ -42,6 +42,12 @@ type ServiceAccountSpec struct { Annotations map[string]string `json:"annotations"` } +type StaticServiceAccountSpec struct { + Create bool `json:"create"` + //+optional + Annotations map[string]string `json:"annotations"` +} + // +kubebuilder:validation:Enum=prometheus.io;prometheus.io/operator;prometheus.io/builtin type MonitoringAgent string diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go index 81dab37e..2c355112 100644 --- a/apis/installer/v1alpha1/zz_generated.deepcopy.go +++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go @@ -943,3 +943,25 @@ func (in *ServingCerts) DeepCopy() *ServingCerts { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StaticServiceAccountSpec) DeepCopyInto(out *StaticServiceAccountSpec) { + *out = *in + if in.Annotations != nil { + in, out := &in.Annotations, &out.Annotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticServiceAccountSpec. +func (in *StaticServiceAccountSpec) DeepCopy() *StaticServiceAccountSpec { + if in == nil { + return nil + } + out := new(StaticServiceAccountSpec) + in.DeepCopyInto(out) + return out +} diff --git a/charts/aws-credential-manager/README.md b/charts/aws-credential-manager/README.md index 7f2a66ae..766caeb1 100644 --- a/charts/aws-credential-manager/README.md +++ b/charts/aws-credential-manager/README.md 
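Review bot: `StaticServiceAccountSpec` is an exported type with no doc comment, and its `//+optional` marker lacks the space used by `// +optional` elsewhere in these types (see the `*_types.go` hunks in this patch). Add `// StaticServiceAccountSpec configures the service account whose name is fixed by the chart; only creation and annotations are configurable.` above the type and write the marker as `// +optional` so it matches the surrounding style. `ServiceAccountSpec` above starts outside the hunk.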
@@ -58,7 +58,6 @@ The following table lists the configurable parameters of the `aws-credential-man
 | fullnameOverride | | "" |
 | serviceAccount.create | Specifies whether a service account should be created | true |
 | serviceAccount.annotations | Annotations to add to the service account | {} |
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
 | podAnnotations | | {} |
 | podLabels | | {} |
 | podSecurityContext | | {} |
diff --git a/charts/aws-credential-manager/templates/_helpers.tpl b/charts/aws-credential-manager/templates/_helpers.tpl
index 18034fa0..1ef127c9 100644
--- a/charts/aws-credential-manager/templates/_helpers.tpl
+++ b/charts/aws-credential-manager/templates/_helpers.tpl
@@ -54,11 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "aws-credential-manager.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "aws-credential-manager.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
+aws-credential-manager
 {{- end }}
 {{/*
diff --git a/charts/aws-credential-manager/templates/serviceaccount.yaml b/charts/aws-credential-manager/templates/serviceaccount.yaml
index e0c38b25..d1da1db9 100644
--- a/charts/aws-credential-manager/templates/serviceaccount.yaml
+++ b/charts/aws-credential-manager/templates/serviceaccount.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: aws-credential-manager
+ name: {{ include "aws-credential-manager.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "aws-credential-manager.labels" . | nindent 4 }}
diff --git a/charts/aws-credential-manager/values.openapiv3_schema.yaml b/charts/aws-credential-manager/values.openapiv3_schema.yaml
index 845a208d..56d440a2 100644
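Review bot: The rewritten `aws-credential-manager.serviceAccountName` helper returns the literal `aws-credential-manager` unconditionally, while the chart still exposes `serviceAccount.create` (kept in values.yaml, the README and the schema's `required` list in this patch), so with `create: false` every template that includes the helper — serviceaccount.yaml here, presumably the Deployment — still names an account the chart does not create, where the old helper fell back to `default`; whether serviceaccount.yaml is gated on `create` cannot be seen, its first line is outside the hunk. Either keep the fallback, `{{- if .Values.serviceAccount.create }}aws-credential-manager{{- else }}default{{- end }}`, or state in values.yaml that `create: false` requires a pre-existing ServiceAccount named `aws-credential-manager`. The `Create the name of the service account to use` comment above the define should also say that the name is now fixed. The same applies to the `gcp-credential-manager.serviceAccountName` hunk further down.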
--- a/charts/aws-credential-manager/values.openapiv3_schema.yaml
+++ b/charts/aws-credential-manager/values.openapiv3_schema.yaml
@@ -931,8 +931,6 @@ properties:
 type: object
 create:
 type: boolean
- name:
- type: string
 required:
 - create
 type: object
diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml
index 7d1aee63..55c09cb9 100644
--- a/charts/aws-credential-manager/values.yaml
+++ b/charts/aws-credential-manager/values.yaml
@@ -21,9 +21,6 @@ serviceAccount:
 create: true
 # Annotations to add to the service account
 annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
 podAnnotations: {}
 podLabels: {}
 podSecurityContext: {}
diff --git a/charts/gcp-credential-manager/README.md b/charts/gcp-credential-manager/README.md
index 1e6607e8..1af75bed 100644
--- a/charts/gcp-credential-manager/README.md
+++ b/charts/gcp-credential-manager/README.md
@@ -58,7 +58,6 @@ The following table lists the configurable parameters of the `gcp-credential-man
 | fullnameOverride | | "" |
 | serviceAccount.create | Specifies whether a service account should be created | true |
 | serviceAccount.annotations | Annotations to add to the service account | {} |
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
 | podAnnotations | | {} |
 | podLabels | | {} |
 | podSecurityContext | | {} |
diff --git a/charts/gcp-credential-manager/templates/_helpers.tpl b/charts/gcp-credential-manager/templates/_helpers.tpl
index 1ba7a9e6..f9aad56e 100644
--- a/charts/gcp-credential-manager/templates/_helpers.tpl
+++ b/charts/gcp-credential-manager/templates/_helpers.tpl
@@ -54,11 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "gcp-credential-manager.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "gcp-credential-manager.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
+gcp-credential-manager
 {{- end }}
 {{/*
diff --git a/charts/gcp-credential-manager/templates/mutating-webhook.yaml b/charts/gcp-credential-manager/templates/mutating-webhook.yaml
similarity index 100%
rename from charts/gcp-credential-manager/templates/mutating-webhook.yaml
rename to charts/gcp-credential-manager/templates/mutating-webhook.yaml
diff --git a/charts/gcp-credential-manager/templates/serviceaccount.yaml b/charts/gcp-credential-manager/templates/serviceaccount.yaml
index bb96876a..6c261d67 100644
--- a/charts/gcp-credential-manager/templates/serviceaccount.yaml
+++ b/charts/gcp-credential-manager/templates/serviceaccount.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: gcp-credential-manager
+ name: {{ include "gcp-credential-manager.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "gcp-credential-manager.labels" . | nindent 4 }}
diff --git a/charts/gcp-credential-manager/values.openapiv3_schema.yaml b/charts/gcp-credential-manager/values.openapiv3_schema.yaml
index 19e7a00d..188a2c22 100644
--- a/charts/gcp-credential-manager/values.openapiv3_schema.yaml
+++ b/charts/gcp-credential-manager/values.openapiv3_schema.yaml
@@ -931,8 +931,6 @@ properties:
 type: object
 create:
 type: boolean
- name:
- type: string
 required:
 - create
 type: object
diff --git a/charts/gcp-credential-manager/values.yaml b/charts/gcp-credential-manager/values.yaml
index bc6e81ba..3c7091e4 100644
--- a/charts/gcp-credential-manager/values.yaml
+++ b/charts/gcp-credential-manager/values.yaml
@@ -21,9 +21,6 @@ serviceAccount:
 create: true
 # Annotations to add to the service account
 annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
 podAnnotations: {}
 podLabels: {}
 podSecurityContext: {}