feat: SECURESIGN-3184: ensure ServiceMonitors are only created when r…

api/v1alpha1/common.go

@@ -35,6 +35,19 @@ type MonitoringConfig struct {
 	//+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
 	//+kubebuilder:default:=true
 	Enabled bool `json:"enabled"`
+	// If true, the Operator will create ServiceMonitor resources for metrics collection.
+	// When not specified, defaults to true on OpenShift and false on other platforms.
+	//+optional
+	ServiceMonitor *bool `json:"serviceMonitor,omitempty"`
+}
+
+// IsServiceMonitorEnabled returns whether ServiceMonitor resources should be created.
+// If ServiceMonitor is explicitly set, returns that value, otherwise returns the default.
+func (m *MonitoringConfig) IsServiceMonitorEnabled(defaultVal bool) bool {
+	if m.ServiceMonitor != nil {
+		return *m.ServiceMonitor
+	}
+	return defaultVal
 }
 
 type MonitoringWithTLogConfig struct {

api/v1alpha1/common_test.go

@@ -0,0 +1,80 @@
+package v1alpha1
+
+import (
+	"testing"
+
+	"k8s.io/utils/ptr"
+)
+
+func TestMonitoringConfig_IsServiceMonitorEnabled(t *testing.T) {
+	tests := []struct {
+		name           string
+		config         MonitoringConfig
+		isOpenShift    bool
+		expectedResult bool
+	}{
+		{
+			name: "ServiceMonitor explicitly set to true",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: ptr.To(true),
+			},
+			isOpenShift:    false,
+			expectedResult: true,
+		},
+		{
+			name: "ServiceMonitor explicitly set to false",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: ptr.To(false),
+			},
+			isOpenShift:    true,
+			expectedResult: false,
+		},
+		{
+			name: "ServiceMonitor nil on OpenShift defaults to true",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: nil,
+			},
+			isOpenShift:    true,
+			expectedResult: true,
+		},
+		{
+			name: "ServiceMonitor nil on non-OpenShift defaults to false",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: nil,
+			},
+			isOpenShift:    false,
+			expectedResult: false,
+		},
+		{
+			name: "ServiceMonitor explicitly true overrides platform on non-OpenShift",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: ptr.To(true),
+			},
+			isOpenShift:    false,
+			expectedResult: true,
+		},
+		{
+			name: "ServiceMonitor explicitly false overrides platform on OpenShift",
+			config: MonitoringConfig{
+				Enabled:        true,
+				ServiceMonitor: ptr.To(false),
+			},
+			isOpenShift:    true,
+			expectedResult: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.config.IsServiceMonitorEnabled(tt.isOpenShift)
+			if result != tt.expectedResult {
+				t.Errorf("IsServiceMonitorEnabled() = %v, want %v", result, tt.expectedResult)
+			}
+		})
+	}
+}

config/crd/bases/rhtas.redhat.com_ctlogs.yaml

@@ -971,6 +971,11 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  serviceMonitor:
+                    description: |-
+                      If true, the Operator will create ServiceMonitor resources for metrics collection.
+                      When not specified, defaults to true on OpenShift and false on other platforms.
+                    type: boolean
                 required:
                 - enabled
                 type: object

config/crd/bases/rhtas.redhat.com_fulcios.yaml

@@ -1290,6 +1290,11 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  serviceMonitor:
+                    description: |-
+                      If true, the Operator will create ServiceMonitor resources for metrics collection.
+                      When not specified, defaults to true on OpenShift and false on other platforms.
+                    type: boolean
                 required:
                 - enabled
                 type: object

config/crd/bases/rhtas.redhat.com_rekors.yaml

@@ -1263,6 +1263,11 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  serviceMonitor:
+                    description: |-
+                      If true, the Operator will create ServiceMonitor resources for metrics collection.
+                      When not specified, defaults to true on OpenShift and false on other platforms.
+                    type: boolean
                   tlog:
                     description: Configuration for Rekor transparency log monitoring
                     properties:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -994,6 +994,11 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      serviceMonitor:
+                        description: |-
+                          If true, the Operator will create ServiceMonitor resources for metrics collection.
+                          When not specified, defaults to true on OpenShift and false on other platforms.
+                        type: boolean
                     required:
                     - enabled
                     type: object
@@ -2526,6 +2531,11 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      serviceMonitor:
+                        description: |-
+                          If true, the Operator will create ServiceMonitor resources for metrics collection.
+                          When not specified, defaults to true on OpenShift and false on other platforms.
+                        type: boolean
                     required:
                     - enabled
                     type: object
@@ -3876,6 +3886,11 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      serviceMonitor:
+                        description: |-
+                          If true, the Operator will create ServiceMonitor resources for metrics collection.
+                          When not specified, defaults to true on OpenShift and false on other platforms.
+                        type: boolean
                       tlog:
                         description: Configuration for Rekor transparency log monitoring
                         properties:
@@ -5494,6 +5509,11 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      serviceMonitor:
+                        description: |-
+                          If true, the Operator will create ServiceMonitor resources for metrics collection.
+                          When not specified, defaults to true on OpenShift and false on other platforms.
+                        type: boolean
                     required:
                     - enabled
                     type: object
@@ -8631,6 +8651,11 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      serviceMonitor:
+                        description: |-
+                          If true, the Operator will create ServiceMonitor resources for metrics collection.
+                          When not specified, defaults to true on OpenShift and false on other platforms.
+                        type: boolean
                     required:
                     - enabled
                     type: object

config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml

@@ -1003,6 +1003,11 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  serviceMonitor:
+                    description: |-
+                      If true, the Operator will create ServiceMonitor resources for metrics collection.
+                      When not specified, defaults to true on OpenShift and false on other platforms.
+                    type: boolean
                 required:
                 - enabled
                 type: object

config/crd/bases/rhtas.redhat.com_trillians.yaml

@@ -205,6 +205,11 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  serviceMonitor:
+                    description: |-
+                      If true, the Operator will create ServiceMonitor resources for metrics collection.
+                      When not specified, defaults to true on OpenShift and false on other platforms.
+                    type: boolean
                 required:
                 - enabled
                 type: object

internal/controller/ctlog/actions/monitoring.go

@@ -30,7 +30,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {

internal/controller/fulcio/actions/monitoring.go

@@ -30,7 +30,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Fulcio) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result {

internal/controller/rekor/actions/monitor/helper.go

@@ -3,8 +3,10 @@ package monitor
 import (
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/utils"
+	"github.com/securesign/operator/internal/utils/kubernetes"
 )
 
 func enabled(instance *v1alpha1.Rekor) bool {
-	return utils.IsEnabled(&instance.Spec.Monitoring.TLog.Enabled)
+	return utils.IsEnabled(&instance.Spec.Monitoring.TLog.Enabled) &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }

internal/controller/rekor/actions/server/monitoring.go

@@ -32,7 +32,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Rekor) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result {

internal/controller/trillian/actions/logserver/monitoring.go

@@ -32,7 +32,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Trillian) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trillian) *action.Result {

internal/controller/trillian/actions/logsigner/monitoring.go

@@ -32,7 +32,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Trillian) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trillian) *action.Result {

internal/controller/tsa/actions/monitoring.go

@@ -30,7 +30,9 @@ func (i monitoringAction) Name() string {
 
 func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.TimestampAuthority) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Monitoring.Enabled
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) &&
+		instance.Spec.Monitoring.Enabled &&
+		instance.Spec.Monitoring.IsServiceMonitorEnabled(kubernetes.IsOpenShift())
 }
 
 func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.TimestampAuthority) *action.Result {