fix(helm): address review comments on metrics ServiceMonitor

mesutoezdil · mesutoezdil · commit 2008de2a5f8b · 2026-05-05T21:49:04.000+02:00
- Gate ServiceMonitor on Capabilities.APIVersions to avoid install failures
  on clusters without Prometheus Operator CRDs
- Add scheme/tlsConfig to ServiceMonitor endpoint when secure=true
- Document secure default and NodePort exposure in values.yaml

Signed-off-by: mesutoezdil &lt;mesudozdil@gmail.com&gt;
diff --git a/helm/kagent/templates/controller-servicemonitor.yaml b/helm/kagent/templates/controller-servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -17,4 +17,9 @@ spec:
   - port: metrics
     interval: {{ .Values.controller.metrics.serviceMonitor.interval }}
     scrapeTimeout: {{ .Values.controller.metrics.serviceMonitor.scrapeTimeout }}
+    {{- if .Values.controller.metrics.secure }}
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
+    {{- end }}
 {{- end }}
diff --git a/helm/kagent/tests/controller-servicemonitor_test.yaml b/helm/kagent/tests/controller-servicemonitor_test.yaml
@@ -7,20 +7,40 @@ tests:
       - hasDocuments:
           count: 0
 
-  - it: should not render when only metrics.enabled is true
+  - it: should not render when CRD is not installed
     set:
       controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
     asserts:
       - hasDocuments:
           count: 0
 
-  - it: should render ServiceMonitor when both enabled
+  - it: should render ServiceMonitor when both enabled and CRD present
     set:
       controller.metrics.enabled: true
       controller.metrics.serviceMonitor.enabled: true
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1/ServiceMonitor
     asserts:
       - isKind:
           of: ServiceMonitor
       - equal:
           path: spec.endpoints[0].port
           value: metrics
+
+  - it: should add TLS config when secure is true
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.secure: true
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1/ServiceMonitor
+    asserts:
+      - equal:
+          path: spec.endpoints[0].scheme
+          value: https
+      - equal:
+          path: spec.endpoints[0].tlsConfig.insecureSkipVerify
+          value: true
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
@@ -225,6 +225,8 @@ controller:
   metrics:
     enabled: false
     port: 9093
+    # -- The controller binary defaults to secure=true. Set to false for plain HTTP scraping (most common).
+    # Note: when the controller Service type is NodePort or LoadBalancer the metrics port will be externally reachable.
     secure: false
     serviceMonitor:
       enabled: false
