GCP-690 - feat: add GMP PodMonitoring support

[cristianoveiga]

Summary

• Add charts/templates/podmonitoring.yaml — creates a monitoring.googleapis.com/v1/PodMonitoring resource for Google Managed Prometheus scraping
• Add monitoring.podMonitoring section to charts/values.yaml (disabled by default)
• Update docs/metrics.md with GMP integration section
• Regenerate charts/README.md via helm-docs

Context

GKE clusters using Google Managed Prometheus (GMP) use PodMonitoring CRDs (monitoring.googleapis.com/v1) for scraping rather than Prometheus Operator's ServiceMonitor (monitoring.coreos.com/v1). This adds a parallel scraping path for GMP environments. Both serviceMonitor and podMonitoring can be independently enabled.

Test plan

• helm template renders PodMonitoring correctly when monitoring.podMonitoring.enabled=true
• PodMonitoring resource shows ConfigurationCreateSuccess on a GMP-enabled cluster
• Metrics appear in Cloud Monitoring after enabling
• Default (enabled: false) renders no PodMonitoring resource
• Existing serviceMonitor behavior unchanged

🤖 Generated with Claude Code

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-amarin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Review limit reached

@cristianoveiga, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 44 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4f70cb79-b235-4c70-8766-38d5db892468

📥 Commits

Reviewing files that changed from the base of the PR and between ffcdb1f and 86e7f51.

📒 Files selected for processing (5)

• Makefile
• charts/README.md
• charts/templates/podmonitoring.yaml
• charts/values.yaml
• docs/metrics.md

📝 Walkthrough

Walkthrough

Adds Google Managed Prometheus (GMP) support to the Helm chart via a new monitoring.podMonitoring configuration block in values.yaml. A new charts/templates/podmonitoring.yaml conditionally renders a monitoring.googleapis.com/v1 PodMonitoring CRD when enabled is set, targeting the metrics port at /metrics with configurable scrape interval. TLS scheme and insecureSkipVerify are applied when config.metrics.tls.enabled is true. Metric relabeling is conditionally emitted. The charts/README.md Values documentation is reorganized to document the new keys, and docs/metrics.md receives a subsection explaining GMP integration.

Security note: The tlsConfig.insecureSkipVerify option disables certificate validation during scrape (CWE-295). Review operator-provided values to ensure this is intentional and restricted to development/testing environments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description provides comprehensive context covering the changes, the GMP use case distinction from Prometheus Operator, and a test plan aligned with the changeset modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PR modifies only Helm YAML templates and Markdown documentation; no Go source code (.go files) with logging statements (slog/log/logr/zap/fmt.Print*) present.
No Hardcoded Secrets	✅ Passed	PR introduces GMP PodMonitoring support with no hardcoded secrets, API keys, tokens, passwords, private keys, base64 strings >32 chars, or credential-embedded URLs. All values use safe defaults.
No Weak Cryptography	✅ Passed	PR contains only Helm YAML templates and documentation—no cryptographic primitives, implementations, or weak crypto patterns detected.
No Injection Vectors	✅ Passed	No injection vectors detected. PR adds Helm template and values for GMP—no Go code changes. String interpolation in templates uses expected duration values; input provably trusted (hardcoded defaul...
No Privileged Containers	✅ Passed	PR adds GMP monitoring via PodMonitoring CRD template and values—no pod specs, privilege escalation, or insecure host settings. Existing secure security contexts (runAsUser=65532, allowPrivilegeEsc...
No Pii Or Sensitive Data In Logs	✅ Passed	PR modifies only Helm templates, values, and documentation with no logging statements that expose PII, session IDs, request/response bodies, or credentials.
Title check	✅ Passed	The title 'GCP-690 - feat: add GMP PodMonitoring support' directly reflects the main change: adding Google Managed Prometheus PodMonitoring support to the Helm chart.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @cristianoveiga. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/templates/podmonitoring.yaml`:
- Around line 17-23: The PodMonitoring endpoint configuration in the monitoring
endpoint block does not account for the configurable TLS mode in
config.metrics.tls.enabled, which means GMP scraping will fail silently when TLS
is enabled. Add conditional logic around the endpoint definition to include
TLS-aware settings (such as scheme and tlsConfig) when
config.metrics.tls.enabled is true, ensuring the endpoint uses https and
appropriate TLS configuration instead of always defaulting to HTTP.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 54db6172-5019-433e-ba0b-8b7da29479a6

📥 Commits

Reviewing files that changed from the base of the PR and between 77cf070 and 5c9a46b.

📒 Files selected for processing (4)

• charts/README.md
• charts/templates/podmonitoring.yaml
• charts/values.yaml
• docs/metrics.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[ciaranRoche]

/ok-to-test

[hyperfleet-ci-bot]

Risk Score: 0 — risk/low

Signal	Detail	Points
PR size	88 lines	+0
Sensitive paths	none	+0

_{Computed by hyperfleet-risk-scorer}

[cristianoveiga]

/test validate-commits

[ciaranRoche]

If you have a look in the makefile - https://github.com/openshift-hyperfleet/hyperfleet-api/blob/main/Makefile#L330

We have dedicated helm template test cases for ServiceMonitor, can you add similar here for PodMonitoring please, just to ensure we catch any syntax or template rendering issues please