feat: Allow ServiceMonitor port and scheme change (#139)

* feat: Allow ServiceMonitor port and scheme change

Signed-off-by: Jocelyn Thode <jocelyn@thode.email>

* feat: Add extraPorts to server Service

Signed-off-by: Jocelyn Thode <jocelyn@thode.email>

* chore: upgrade to 0.25.2

Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>

---------

Signed-off-by: Jocelyn Thode <jocelyn@thode.email>
Signed-off-by: Pascal Reeb <pascal.reeb@secretz.io>
Co-authored-by: Pascal Reeb <pascal.reeb@secretz.io>

Author: jocelynthode

CHANGELOG.md

@@ -1,5 +1,10 @@
 ## Unreleased
 
+### 0.25.2
+
+- feat: Allow ServiceMonitor port and scheme change
+- feat: Add extraPorts to server Service
+
 ### 0.25.1
 
 - fix(snapshotAgent): change extraVolumes to list instead of object

charts/openbao/Chart.yaml

@@ -3,7 +3,7 @@
 
 apiVersion: v2
 name: openbao
-version: 0.25.1
+version: 0.25.2
 appVersion: v2.5.0
 kubeVersion: ">= 1.30.0-0"
 description: Official OpenBao Chart
@@ -26,12 +26,12 @@ annotations:
   charts.openshift.io/name: Openbao
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - kind: fixed
+    - kind: changed
       description: |
-        fix(snapshotAgent): change extraVolumes to list instead of object
-      links:
-        - name: OpenBao 2.5.0 Release
-          url: https://github.com/openbao/openbao/releases/tag/v2.5.0
+        feat: Allow ServiceMonitor port and scheme change
+    - kind: changed
+      description: |
+        feat: Add extraPorts to server Service
 maintainers:
   - name: OpenBao
     email: openbao-security@lists.openssf.org

charts/openbao/README.md

@@ -1,6 +1,6 @@
 # openbao
 
-![Version: 0.25.1](https://img.shields.io/badge/Version-0.25.1-informational?style=flat-square) ![AppVersion: v2.5.0](https://img.shields.io/badge/AppVersion-v2.5.0-informational?style=flat-square)
+![Version: 0.25.2](https://img.shields.io/badge/Version-0.25.2-informational?style=flat-square) ![AppVersion: v2.5.0](https://img.shields.io/badge/AppVersion-v2.5.0-informational?style=flat-square)
 
 Official OpenBao Chart
 
@@ -279,6 +279,7 @@ Kubernetes: `>= 1.30.0-0`
 | server.service.enabled | bool | `true` |  |
 | server.service.externalTrafficPolicy | string | `"Cluster"` |  |
 | server.service.extraLabels | object | `{}` |  |
+| server.service.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the server service in dynamic way. |
 | server.service.instanceSelector.enabled | bool | `true` |  |
 | server.service.ipFamilies | list | `[]` |  |
 | server.service.ipFamilyPolicy | string | `""` |  |
@@ -316,6 +317,8 @@ Kubernetes: `>= 1.30.0-0`
 | serverTelemetry.serviceMonitor.authorization | object | `{}` |  |
 | serverTelemetry.serviceMonitor.enabled | bool | `false` |  |
 | serverTelemetry.serviceMonitor.interval | string | `"30s"` |  |
+| serverTelemetry.serviceMonitor.port | string | `""` | Port which Prometheus uses when scraping metrics. If empty will use `openbao.scheme` helper for its value |
+| serverTelemetry.serviceMonitor.scheme | string | `""` | scheme to use when Prometheus scrapes metrics. If empty will use `openbao.scheme` helper for its value |
 | serverTelemetry.serviceMonitor.scrapeClass | string | `""` |  |
 | serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
 | serverTelemetry.serviceMonitor.selectors | object | `{}` |  |

charts/openbao/templates/prometheus-servicemonitor.yaml

@@ -37,10 +37,10 @@ spec:
       openbao-internal: "true"
       {{- end }}
   endpoints:
-  - port: {{ include "openbao.scheme" . }}
+  - port: {{ .Values.serverTelemetry.serviceMonitor.port | default (include "openbao.scheme" .) }}
     interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
     scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
-    scheme: {{ include "openbao.scheme" . | lower }}
+    scheme: {{ .Values.serverTelemetry.serviceMonitor.scheme | default (include "openbao.scheme" .) | lower }}
     path: /v1/sys/metrics
     params:
       format:

charts/openbao/templates/server-service.yaml

@@ -51,6 +51,9 @@ spec:
     - name: https-internal
       port: 8201
       targetPort: 8201
+  {{- if .Values.server.service.extraPorts -}}
+  {{ toYaml .Values.server.service.extraPorts | nindent 4}}
+  {{- end }}
   selector:
     app.kubernetes.io/name: {{ include "openbao.name" . }}
     {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}

charts/openbao/values.yaml

@@ -868,6 +868,14 @@ server:
     port: 8200
     # Target port to which the service should be mapped to
     targetPort: 8200
+
+    # -- extraPorts is a list of extra ports. Specified as a YAML list.
+    # This is useful if you need to add additional ports to the server service in dynamic way.
+    extraPorts: []
+    # - name: metrics
+    #   port: 9101
+    #   targetPort: 9101
+
     # Extra annotations for the service definition. This can either be YAML or a
     # YAML-formatted multi-line templated string map of the annotations to apply
     # to the service.
@@ -1414,6 +1422,12 @@ serverTelemetry:
     #  release: prometheus
     selectors: {}
 
+    # -- Port which Prometheus uses when scraping metrics. If empty will use `openbao.scheme` helper for its value
+    port: ""
+
+    # -- scheme to use when Prometheus scrapes metrics. If empty will use `openbao.scheme` helper for its value
+    scheme: ""
+
     # Interval at which Prometheus scrapes metrics
     interval: 30s
 

test/unit/prometheus-servicemonitor.bats

@@ -110,6 +110,7 @@ load _helpers
 
   [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
   [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "http" ]
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].scheme')" = "http" ]
 }
 
 @test "prometheus/ServiceMonitor-server: assertEndpoints TLS" {
@@ -122,6 +123,31 @@ load _helpers
 
   [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
   [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].scheme')" = "https" ]
+}
+
+@test "prometheus/ServiceMonitor-server: assertEndpointsPort update" {
+  cd `chart_dir`
+  local output=$( (helm template \
+    --show-only templates/prometheus-servicemonitor.yaml \
+    --set 'serverTelemetry.serviceMonitor.enabled=true' \
+    --set 'serverTelemetry.serviceMonitor.port=metrics-tls' \
+    .) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "metrics-tls" ]
+}
+
+@test "prometheus/ServiceMonitor-server: assertEndpointsScheme update" {
+  cd `chart_dir`
+  local output=$( (helm template \
+    --show-only templates/prometheus-servicemonitor.yaml \
+    --set 'serverTelemetry.serviceMonitor.enabled=true' \
+    --set 'global.tlsDisable=false' \
+    --set 'serverTelemetry.serviceMonitor.scheme=http' \
+    .) | tee /dev/stderr)
+
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
+  [ "$(echo "$output" | yq -r '.spec.endpoints[0].scheme')" = "http" ]
 }
 
 @test "prometheus/ServiceMonitor-server: tlsConfig default" {

test/unit/server-service.bats

@@ -421,6 +421,37 @@ load _helpers
   [ "${actual}" = "https" ]
 }
 
+@test "server/Service: extraPorts assert is empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-service.yaml \
+      . | tee /dev/stderr)
+  [ "$(echo "$actual" | yq -r '.spec.ports | length')" = "2" ]
+}
+
+@test "server/Service: adds extra ports" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/server-service.yaml \
+      --set 'server.service.extraPorts[0].port=9101' \
+      --set 'server.service.extraPorts[0].targetPort=9101' \
+      --set 'server.service.extraPorts[0].name=metrics' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[] | select(.name == "metrics")' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+      yq -r '.port' | tee /dev/stderr)
+  [ "${actual}" = "9101" ]
+
+  local actual=$(echo $object |
+      yq -r '.targetPort' | tee /dev/stderr)
+  [ "${actual}" = "9101" ]
+
+  local actual=$(echo $object |
+      yq -r '.name' | tee /dev/stderr)
+  [ "${actual}" = "metrics" ]
+}
+
 # duplicated in server-ha-active-service.bats
 @test "server/Service: NodePort assert externalTrafficPolicy" {
   cd `chart_dir`