
bearerTokenFile causing the ServiceMonitor resource is rejected for new projects #7003

@aaronmcohen

Description


Bug Report

The generated monitor.yaml uses BearerTokenFile for authentication. This is rejected by OpenShift.

Per the Red Hat documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/monitoring/index#sample-yaml-authentication-with-a-bearer-token

Important
Do not use bearerTokenFile to configure bearer token. If you use the bearerTokenFile configuration, the ServiceMonitor resource is rejected.

cat ./config/prometheus/monitor.yaml

# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: src
    app.kubernetes.io/managed-by: kustomize
  name: controller-manager-metrics-monitor
  namespace: system
spec:
  endpoints:
    - path: /metrics
      port: https # Ensure this is the name of the port that exposes HTTPS metrics
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
        # certificate verification, exposing the system to potential man-in-the-middle attacks.
        # For production environments, it is recommended to use cert-manager for automatic TLS certificate management.
        # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml,
        # which securely references the certificate from the 'metrics-server-cert' secret.
        insecureSkipVerify: true
  selector:
    matchLabels:
      control-plane: controller-manager
      app.kubernetes.io/name: src

What did you do?

  • Generate a new operator project operator-sdk init --plugins go/v4 --domain example.org --owner "Your name"
  • Deploy operator to an OpenShift cluster
  • Setup monitoring

What did you expect to see?

Operator Metrics

What did you see instead? Under which circumstances?

level=warn ts=2025-08-16T03:11:11.114337652Z caller=resource_selector.go:126 component=prometheus-controller msg="skipping servicemonitor" error="it accesses file system via bearer token file which Prometheus specification prohibits"

Environment

Operator type:

/language go

Kubernetes cluster type:

$ operator-sdk version

operator-sdk version: "v1.41.1", commit: "69ee6d4077ff769a8513571343a96f3cb8ca35ef", kubernetes version: "v1.33.1", go version: "go1.24.5", GOOS: "darwin", GOARCH: "arm64"

$ go version (if language is Go)

go version go1.25.1 darwin/arm64

$ kubectl version

kubectl version
Client Version: v1.34.1
Kustomize Version: v5.7.1

Possible Solution

Additional context
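The check below is an added example, not operator-sdk or prometheus-operator code. It takes the scaffolded ServiceMonitor in its parsed (dict) form, the shape `kubectl get servicemonitor -o json` returns, reports every endpoint field that would make Prometheus read its local filesystem (the condition the warning above is about), and rewrites `bearerTokenFile` into the Secret-backed `authorization` block that the Red Hat sample uses. The Secret name `metrics-reader-token`, the key `token`, and the service account name are assumptions; the Secret must live in the same namespace as the ServiceMonitor so the operator can read it.

```python
"""Detect and fix file-backed bearer-token auth in ServiceMonitor manifests.

Added example, not operator-sdk or prometheus-operator code. Manifests are
handled as parsed dicts (what `kubectl get ... -o json` yields), so no YAML
library is needed. Secret name, key and service account are assumptions.
"""
import copy

# Constructed: parsed form of the scaffolded config/prometheus/monitor.yaml
SCAFFOLDED_MONITOR = {
    "apiVersion": "monitoring.coreos.com/v1",
    "kind": "ServiceMonitor",
    "metadata": {"name": "controller-manager-metrics-monitor", "namespace": "system"},
    "spec": {
        "endpoints": [
            {
                "path": "/metrics",
                "port": "https",
                "scheme": "https",
                "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
                "tlsConfig": {"insecureSkipVerify": True},
            }
        ],
        "selector": {"matchLabels": {"control-plane": "controller-manager"}},
    },
}

# tlsConfig fields that also point Prometheus at local files; the operator
# rejects these under the same "arbitrary filesystem access" policy.
_TLS_FILE_FIELDS = ("caFile", "certFile", "keyFile")


def find_file_backed_auth(manifest):
    """Return JSON-path style locations of endpoint fields that make
    Prometheus read the local filesystem. Any hit means prometheus-operator
    will skip the whole ServiceMonitor on OpenShift."""
    hits = []
    if manifest.get("kind") != "ServiceMonitor":
        return hits
    for i, ep in enumerate(manifest.get("spec", {}).get("endpoints", [])):
        if "bearerTokenFile" in ep:
            hits.append(f"spec.endpoints[{i}].bearerTokenFile")
        for field in _TLS_FILE_FIELDS:
            if field in ep.get("tlsConfig", {}):
                hits.append(f"spec.endpoints[{i}].tlsConfig.{field}")
    return hits


def rewrite_to_secret_auth(manifest, secret_name, secret_key="token"):
    """Return a copy in which every bearerTokenFile is replaced by a
    Secret-backed `authorization` block (the form shown in the Red Hat
    docs). The referenced Secret must be in the ServiceMonitor's namespace."""
    fixed = copy.deepcopy(manifest)
    for ep in fixed.get("spec", {}).get("endpoints", []):
        if ep.pop("bearerTokenFile", None) is not None:
            ep["authorization"] = {
                "type": "Bearer",
                "credentials": {"name": secret_name, "key": secret_key},
            }
    return fixed


def token_secret_manifest(name, namespace, service_account):
    """Build a service-account token Secret for the `authorization` block to
    reference. Kubernetes populates the `token` key from the annotation, so
    no token value is embedded here."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"kubernetes.io/service-account.name": service_account},
        },
    }


if __name__ == "__main__":
    print("rejected fields:", find_file_backed_auth(SCAFFOLDED_MONITOR))
    fixed = rewrite_to_secret_auth(SCAFFOLDED_MONITOR, "metrics-reader-token")
    print("after rewrite:", find_file_backed_auth(fixed))
    print(fixed["spec"]["endpoints"][0]["authorization"])
```

Running the script lists `spec.endpoints[0].bearerTokenFile` for the scaffolded manifest and an empty list after the rewrite. Note that `insecureSkipVerify: true` is not what the operator rejects; it is the file reference. The TLS side still deserves the cert-manager patch the scaffold's comment mentions.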
