charts: add ServiceMonitor and metrics token for aws/gcp credential managers

tamalsaha · tamalsaha · commit 0511f8815fb4 · 2026-03-11T14:36:21.000+06:00
Signed-off-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/charts/aws-credential-manager/templates/metrics-token-secret.yaml b/charts/aws-credential-manager/templates/metrics-token-secret.yaml
@@ -0,0 +1,12 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ include "aws-credential-manager.serviceAccountName" . }}
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/aws-credential-manager/templates/servicemonitor.yaml b/charts/aws-credential-manager/templates/servicemonitor.yaml
@@ -0,0 +1,35 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- if .Values.monitoring.serviceMonitor.labels }}
+    {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- else }}
+    {{- include "aws-credential-manager.selectorLabels" . | nindent 4 }}
+  {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "aws-credential-manager.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - targetPort: 9443
+    bearerTokenSecret:
+      key: token
+      name: {{ include "aws-credential-manager.fullname" . }}-metrics-token
+    path: /metrics
+    scheme: https
+    tlsConfig:
+      ca:
+        secret:
+          name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+          key: ca.crt
+      serverName: "{{ include "aws-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc"
+{{- end }}
diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml
@@ -126,3 +126,12 @@ apiserver:
     serverCrt: ""
     # Private key for the serving certificate used by webhook server.
     serverKey: ""
+
+monitoring:
+  # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
+  agent: ""
+  serviceMonitor:
+    # Specify the labels for ServiceMonitor.
+    # Prometheus crd will select ServiceMonitor using these labels.
+    # Only usable when monitoring agent is `prometheus.io/operator`.
+    labels: {}
diff --git a/charts/gcp-credential-manager/templates/metrics-token-secret.yaml b/charts/gcp-credential-manager/templates/metrics-token-secret.yaml
@@ -0,0 +1,12 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ include "gcp-credential-manager.serviceAccountName" . }}
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/gcp-credential-manager/templates/servicemonitor.yaml b/charts/gcp-credential-manager/templates/servicemonitor.yaml
@@ -0,0 +1,35 @@
+{{- if eq .Values.monitoring.agent "prometheus.io/operator" }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gcp-credential-manager.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- if .Values.monitoring.serviceMonitor.labels }}
+    {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }}
+    {{ $key }}: {{ $val }}
+    {{- end }}
+  {{- else }}
+    {{- include "gcp-credential-manager.selectorLabels" . | nindent 4 }}
+  {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "gcp-credential-manager.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - targetPort: 9443
+    bearerTokenSecret:
+      key: token
+      name: {{ include "gcp-credential-manager.fullname" . }}-metrics-token
+    path: /metrics
+    scheme: https
+    tlsConfig:
+      ca:
+        secret:
+          name: {{ include "gcp-credential-manager.fullname" . }}-apiserver-cert
+          key: ca.crt
+      serverName: "{{ include "gcp-credential-manager.webhookServiceName" . }}.{{ .Release.Namespace }}.svc"
+{{- end }}
diff --git a/charts/gcp-credential-manager/values.yaml b/charts/gcp-credential-manager/values.yaml
@@ -105,3 +105,12 @@ apiserver:
     serverCrt: ""
     # Private key for the serving certificate used by webhook server.
     serverKey: ""
+
+monitoring:
+  # Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
+  agent: ""
+  serviceMonitor:
+    # Specify the labels for ServiceMonitor.
+    # Prometheus crd will select ServiceMonitor using these labels.
+    # Only usable when monitoring agent is `prometheus.io/operator`.
+    labels: {}
