Skip to content

charts: use service-account token secret for ServiceMonitor auth #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tamalsaha merged 6 commits into from
Mar 11, 2026
Merged

charts: use service-account token secret for ServiceMonitor auth #50

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
74e22a3
charts: replace bearerTokenFile with metrics token secrets
tamalsaha Mar 11, 2026
0511f88
charts: add ServiceMonitor and metrics token for aws/gcp credential m…
tamalsaha Mar 11, 2026
28ff5e7
charts: add trailing blank newline to new templates
tamalsaha Mar 11, 2026
73a63c0
charts/apis: add monitoring schema for credential managers
tamalsaha Mar 11, 2026
8305860
Use authorization block in ServiceMonitor endpoints
tamalsaha Mar 11, 2026
3869a2d
Use static service account names for aws/gcp credential managers
tamalsaha Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 7 additions & 6 deletions apis/installer/v1alpha1/aws_credential_manager_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,14 @@ type AwsCredentialManagerSpec struct {
// +optional
LivenessProbe *core.Probe `json:"livenessProbe"`
// +optional
ReadinessProbe *core.Probe `json:"readinessProbe"`
Service ServiceSpec `json:"service"`
ServiceAccount ServiceAccountSpec `json:"serviceAccount"`
Volumes []core.Volume `json:"volumes"`
VolumeMounts []core.VolumeMount `json:"volumeMounts"`
ReadinessProbe *core.Probe `json:"readinessProbe"`
Service ServiceSpec `json:"service"`
ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"`
Volumes []core.Volume `json:"volumes"`
VolumeMounts []core.VolumeMount `json:"volumeMounts"`
// +optional
Distro shared.DistroSpec `json:"distro"`
Distro shared.DistroSpec `json:"distro"`
Monitoring Monitoring `json:"monitoring"`
// +optional
Apiserver AwsCredentialManagerApiserver `json:"apiserver"`
// +optional
Expand Down
13 changes: 7 additions & 6 deletions apis/installer/v1alpha1/gcp_credential_manager_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,14 @@ type GcpCredentialManagerSpec struct {
// +optional
LivenessProbe *core.Probe `json:"livenessProbe"`
// +optional
ReadinessProbe *core.Probe `json:"readinessProbe"`
Service ServiceSpec `json:"service"`
ServiceAccount ServiceAccountSpec `json:"serviceAccount"`
Volumes []core.Volume `json:"volumes"`
VolumeMounts []core.VolumeMount `json:"volumeMounts"`
ReadinessProbe *core.Probe `json:"readinessProbe"`
Service ServiceSpec `json:"service"`
ServiceAccount StaticServiceAccountSpec `json:"serviceAccount"`
Volumes []core.Volume `json:"volumes"`
VolumeMounts []core.VolumeMount `json:"volumeMounts"`
// +optional
Distro shared.DistroSpec `json:"distro"`
Distro shared.DistroSpec `json:"distro"`
Monitoring Monitoring `json:"monitoring"`
// +optional
Apiserver GcpCredentialManagerApiserver `json:"apiserver"`
// +optional
Expand Down
6 changes: 6 additions & 0 deletions apis/installer/v1alpha1/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,12 @@ type ServiceAccountSpec struct {
Annotations map[string]string `json:"annotations"`
}

type StaticServiceAccountSpec struct {
Create bool `json:"create"`
//+optional
Annotations map[string]string `json:"annotations"`
}

// +kubebuilder:validation:Enum=prometheus.io;prometheus.io/operator;prometheus.io/builtin
type MonitoringAgent string

Expand Down
24 changes: 24 additions & 0 deletions apis/installer/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion charts/aws-credential-manager/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,6 @@ The following table lists the configurable parameters of the `aws-credential-man
| fullnameOverride | | <code>""</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
| serviceAccount.annotations | Annotations to add to the service account | <code>{}</code> |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podLabels | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
Expand Down Expand Up @@ -97,6 +96,8 @@ The following table lists the configurable parameters of the `aws-credential-man
| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | <code>""</code> |
| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | <code>""</code> |
| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | <code>""</code> |
| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | <code>""</code> |
| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | <code>{}</code> |


Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
Expand Down
6 changes: 1 addition & 5 deletions charts/aws-credential-manager/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,11 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
Create the name of the service account to use
*/}}
{{- define "aws-credential-manager.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "aws-credential-manager.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
aws-credential-manager
{{- end }}

{{/*
Expand Down
12 changes: 12 additions & 0 deletions charts/aws-credential-manager/templates/metrics-token-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-credential-manager.labels" . | nindent 4 }}
annotations:
kubernetes.io/service-account.name: {{ include "aws-credential-manager.serviceAccountName" . }}
type: kubernetes.io/service-account-token
{{- end }}
2 changes: 1 addition & 1 deletion charts/aws-credential-manager/templates/serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-credential-manager
name: {{ include "aws-credential-manager.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-credential-manager.labels" . | nindent 4 }}
Expand Down
37 changes: 37 additions & 0 deletions charts/aws-credential-manager/templates/servicemonitor.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "aws-credential-manager.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- if .Values.monitoring.serviceMonitor.labels }}
{{- range $key, $val := .Values.monitoring.serviceMonitor.labels }}
{{ $key }}: {{ $val }}
{{- end }}
{{- else }}
{{- include "aws-credential-manager.selectorLabels" . | nindent 4 }}
{{- end }}
spec:
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
{{- include "aws-credential-manager.selectorLabels" . | nindent 6 }}
endpoints:
- targetPort: 9443
authorization:
credentials:
key: token
name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
type: Bearer
path: /metrics
scheme: https
tlsConfig:
ca:
secret:
name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
key: ca.crt
serverName: "{{ include "aws-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc"
{{- end }}
22 changes: 20 additions & 2 deletions charts/aws-credential-manager/values.openapiv3_schema.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -610,6 +610,25 @@ properties:
format: int32
type: integer
type: object
monitoring:
properties:
agent:
enum:
- prometheus.io
- prometheus.io/operator
- prometheus.io/builtin
type: string
serviceMonitor:
properties:
labels:
additionalProperties:
type: string
type: object
type: object
required:
- agent
- serviceMonitor
type: object
nameOverride:
type: string
nodeSelector:
Expand Down Expand Up @@ -912,8 +931,6 @@ properties:
type: object
create:
type: boolean
name:
type: string
required:
- create
type: object
Expand Down Expand Up @@ -1774,6 +1791,7 @@ properties:
type: array
required:
- image
- monitoring
- replicaCount
- service
- serviceAccount
Expand Down
12 changes: 9 additions & 3 deletions charts/aws-credential-manager/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,6 @@ serviceAccount:
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
Expand Down Expand Up @@ -126,3 +123,12 @@ apiserver:
serverCrt: ""
# Private key for the serving certificate used by webhook server.
serverKey: ""

monitoring:
# Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
agent: ""
serviceMonitor:
# Specify the labels for ServiceMonitor.
# Prometheus crd will select ServiceMonitor using these labels.
# Only usable when monitoring agent is `prometheus.io/operator`.
labels: {}
12 changes: 12 additions & 0 deletions charts/capa-vpc-peering-operator/templates/metrics-token-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token
namespace: {{ .Release.Namespace }}
labels:
{{- include "capa-vpc-peering-operator.labels" . | nindent 4 }}
annotations:
kubernetes.io/service-account.name: {{ include "capa-vpc-peering-operator.serviceAccountName" . }}
type: kubernetes.io/service-account-token
{{- end }}
6 changes: 5 additions & 1 deletion charts/capa-vpc-peering-operator/templates/servicemonitor.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ spec:
{{- include "capa-vpc-peering-operator.selectorLabels" . | nindent 6 }}
endpoints:
- port: api
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials:
key: token
name: {{ include "capa-vpc-peering-operator.fullname" . }}-metrics-token
type: Bearer
scheme: https
tlsConfig:
ca:
Expand Down
12 changes: 12 additions & 0 deletions charts/capi-ops-manager/templates/webhook/monitoring/metrics-token-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{- if and (eq .Values.monitoring.agent "prometheus.io/operator") .Values.monitoring.operator }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "capi-ops-manager.fullname" . }}-metrics-token
namespace: {{ .Release.Namespace }}
labels:
{{- include "capi-ops-manager.labels" . | nindent 4 }}
annotations:
kubernetes.io/service-account.name: {{ include "capi-ops-manager.serviceAccountName" . }}
type: kubernetes.io/service-account-token
{{- end }}
6 changes: 5 additions & 1 deletion charts/capi-ops-manager/templates/webhook/monitoring/servicemonitor.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,11 @@ spec:
endpoints:
{{- if .Values.monitoring.operator }}
- port: https
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials:
key: token
name: {{ include "capi-ops-manager.fullname" . }}-metrics-token
type: Bearer
path: /metrics
scheme: https
tlsConfig:
Expand Down
12 changes: 12 additions & 0 deletions charts/docker-machine-operator/templates/metrics-token-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{- if eq "prometheus.io/operator" ( include "monitoring.agent" . ) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "docker-machine-operator.fullname" . }}-metrics-token
namespace: {{ .Release.Namespace }}
labels:
{{- include "docker-machine-operator.labels" . | nindent 4 }}
annotations:
kubernetes.io/service-account.name: {{ include "docker-machine-operator.serviceAccountName" . }}
type: kubernetes.io/service-account-token
{{- end }}
6 changes: 5 additions & 1 deletion charts/docker-machine-operator/templates/servicemonitor.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ spec:
{{- include "docker-machine-operator.selectorLabels" . | nindent 6 }}
endpoints:
- port: api
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
authorization:
credentials:
key: token
name: {{ include "docker-machine-operator.fullname" . }}-metrics-token
type: Bearer
scheme: https
tlsConfig:
ca:
Expand Down
Loading
Loading