@c-kruse c-kruse commented Nov 11, 2025

Adds options to enable configuring a ServiceMonitor in conjunction with auth.strategy = "openshift".

Conditionally creates:

  • auth.openshift.bearerTokenAuth configuration to allow bearer token delegation by default when openshift auth is selected.
  • New ClusterRole and ClusterRoleBindings Resources to grant openshift auth proxy access to subjectaccessreviews for passed bearer tokens when enabled.
  • ServiceMonitor configuration
  • New ServiceAccount, Role, RoleBinding, and service-account-token Secret for ServiceMonitor to authenticate with auth proxy when enabled. Works with default configuration of auth.openshift.bearerTokenAuth.

Adds options to enable configuring a ServiceMonitor in conjunction with
auth.strategy = "openshift".

Conditionally creates:
- auth.openshift.bearerTokenAuth configuration to allow bearer token
  delegation by default when openshift auth is selected.
- New ClusterRole and ClusterRoleBindings Resources to grant openshift
  auth proxy access to subjectaccessreviews for passed bearer tokens
  when enabled.
- ServiceMonitor configuration
- New ServiceAccount, Role, RoleBinding, and service-account-token
  Secret for ServiceMonitor to authenticate with auth proxy when
  enabled. Works with default configuration of
  auth.openshift.bearerTokenAuth.

Signed-off-by: Christian Kruse <christian@c-kruse.com>

c-kruse commented Nov 11, 2025

@vsomwanshi I see you have been struggling with instrumenting the network observer with openshift auth and a ServiceMonitor. I have also been struggling to find a nice way to do this. Here is one idea.

Interested in your thoughts on this approach vs. finding a way to bypass the proxy.

*disclaimer - this is very rough and subject to change. The idea is that a values.yaml like this could get it all running (likely with some careful naming and management to avoid conflicts in the required cluster-scoped resources).

```yaml
serviceMonitor:
  create: true
  bearerTokenSecret:
    enabled: true

auth:
  strategy: openshift
  openshift:
    bearerTokenAuth:
      createClusterRole: true
      createClusterRoleBinding: true

tls:
  skupperIssued: false
  openshiftIssued: true

route:
  enabled: true
```
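
The kinds of resources the PR description lists, sketched as plain manifests. This is an added example, not the chart's templates or the author's code; every name, the namespace, the port name and the selector label are hypothetical placeholders. The Role and RoleBinding for the scraper's ServiceAccount are left out because the page does not say which resource and verb the proxy checks.

```yaml
# Added illustration; all names, labels and the namespace are hypothetical.
# 1) Cluster-scoped grant so the auth proxy can submit SubjectAccessReviews
#    for bearer tokens passed to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-observer-sar
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-observer-sar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-observer-sar
subjects:
  - kind: ServiceAccount
    name: example-observer            # assumed: the ServiceAccount the proxy runs as
    namespace: example-ns
---
# 2) service-account-token Secret for the scraper identity. The ServiceAccount
#    named in the annotation is assumed to exist; the control plane fills in
#    the "token" key.
apiVersion: v1
kind: Secret
metadata:
  name: example-metrics-reader-token
  namespace: example-ns
  annotations:
    kubernetes.io/service-account.name: example-metrics-reader
type: kubernetes.io/service-account-token
---
# 3) ServiceMonitor that sends that token as a Bearer credential to the proxy.
#    TLS verification settings are omitted here.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata: {name: example-observer, namespace: example-ns}
spec:
  selector:
    matchLabels: {app.kubernetes.io/name: example-observer}
  endpoints:
    - port: https
      scheme: https
      authorization:
        type: Bearer
        credentials: {name: example-metrics-reader-token, key: token}
```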
