use authorization.credentials instead of bearerToekn

Gregory-Pereira · Gregory-Pereira · commit 79e2242e308e · 2026-03-27T12:47:50.000-07:00
Signed-off-by: greg pereira &lt;grpereir@redhat.com&gt;
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -41,21 +41,6 @@ patches:
   target:
     kind: Deployment
 
-
-replacements:
-- source:
-    kind: Deployment
-    name: controller-manager
-    fieldPath: metadata.namespace
-  targets:
-  - select:
-      kind: ServiceMonitor
-      group: monitoring.coreos.com
-      version: v1
-      name: controller-manager-metrics-monitor
-    fieldPaths:
-    - spec.namespaceSelector.matchNames.0
-
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.
 # This patch will protect the metrics with certManager self-signed certs.
diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - ../default
 - cluster-monitoring-view-binding.yaml
+- metrics-reader-token.yaml
 
 patches:
 - path: configmap-patch.yaml
@@ -22,5 +23,9 @@ patches:
   target:
     kind: Deployment
     name: controller-manager
+- path: monitor-auth-patch.yaml
+  target:
+    kind: ServiceMonitor
+    name: controller-manager-metrics-monitor
 
 namespace: workload-variant-autoscaler-system
diff --git a/config/openshift/metrics-reader-token.yaml b/config/openshift/metrics-reader-token.yaml
@@ -0,0 +1,12 @@
+# Long-lived SA token for Prometheus to authenticate to the WVA metrics endpoint.
+# Required on OpenShift because user-workload-monitoring Prometheus rejects
+# bearerTokenFile for security. The ServiceMonitor is patched (via
+# monitor-auth-patch.yaml) to reference this Secret instead.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: workload-variant-autoscaler-metrics-reader-token
+  namespace: system
+  annotations:
+    kubernetes.io/service-account.name: workload-variant-autoscaler-controller-manager
+type: kubernetes.io/service-account-token
diff --git a/config/openshift/monitor-auth-patch.yaml b/config/openshift/monitor-auth-patch.yaml
@@ -0,0 +1,21 @@
+# Replace bearerTokenFile with authorization.credentials for OpenShift
+# user-workload-monitoring compatibility. The user-workload Prometheus Operator
+# rejects bearerTokenFile ("it accesses file system via bearer token file which
+# Prometheus specification prohibits").
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: controller-manager-metrics-monitor
+  namespace: system
+spec:
+  endpoints:
+  - port: https
+    path: /metrics
+    interval: 10s
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+    authorization:
+      credentials:
+        name: workload-variant-autoscaler-metrics-reader-token
+        key: token
