From e124bbf8077d8497eb2f7d731cc4067db17dd13b Mon Sep 17 00:00:00 2001 From: "Optimus (AI Agent)" Date: Thu, 5 Mar 2026 11:06:15 +0000 Subject: [PATCH 1/4] feat(helm): add support for enabling metrics endpoint and optional ServiceMonitor Closes #1369 Add first-class Helm values for metrics configuration: - controller.metrics.enabled: enables the metrics endpoint - controller.metrics.port: configurable metrics port (default 9093) - controller.metrics.secure: HTTPS vs HTTP toggle - controller.metrics.serviceMonitor.*: Prometheus Operator ServiceMonitor When enabled, the chart: - Sets METRICS_BIND_ADDRESS and METRICS_SECURE env vars in the configmap - Adds a metrics port to the controller deployment and service - Optionally creates a ServiceMonitor with configurable labels, interval, scrapeTimeout, and relabeling configs Co-Authored-By: Claude Opus 4.6 Signed-off-by: Optimus (AI Agent) --- .../templates/controller-configmap.yaml | 4 + .../templates/controller-deployment.yaml | 5 ++ helm/kagent/templates/controller-service.yaml | 6 ++ .../templates/controller-servicemonitor.yaml | 33 ++++++++ .../tests/controller-deployment_test.yaml | 51 +++++++++++- .../kagent/tests/controller-service_test.yaml | 26 +++++- .../tests/controller-servicemonitor_test.yaml | 83 +++++++++++++++++++ helm/kagent/values.yaml | 23 +++++ 8 files changed, 229 insertions(+), 2 deletions(-) create mode 100644 helm/kagent/templates/controller-servicemonitor.yaml create mode 100644 helm/kagent/tests/controller-servicemonitor_test.yaml diff --git a/helm/kagent/templates/controller-configmap.yaml b/helm/kagent/templates/controller-configmap.yaml index ed4ed0ecb..99f136a62 100644 --- a/helm/kagent/templates/controller-configmap.yaml +++ b/helm/kagent/templates/controller-configmap.yaml @@ -71,3 +71,7 @@ data: {{- if and .Values.controller.agentDeployment .Values.controller.agentDeployment.serviceAccountName (not (eq .Values.controller.agentDeployment.serviceAccountName "")) }} DEFAULT_SERVICE_ACCOUNT_NAME: {{ .Values.controller.agentDeployment.serviceAccountName | quote }} {{- end }} + {{- if .Values.controller.metrics.enabled }} + METRICS_BIND_ADDRESS: {{ printf ":%v" .Values.controller.metrics.port | quote }} + METRICS_SECURE: {{ .Values.controller.metrics.secure | quote }} + {{- end }} diff --git a/helm/kagent/templates/controller-deployment.yaml b/helm/kagent/templates/controller-deployment.yaml index 2909cdc78..a01c4b0ec 100644 --- a/helm/kagent/templates/controller-deployment.yaml +++ b/helm/kagent/templates/controller-deployment.yaml @@ -78,6 +78,11 @@ spec: - name: http containerPort: {{ .Values.controller.service.ports.targetPort }} protocol: TCP + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} resources: {{- toYaml .Values.controller.resources | nindent 12 }} securityContext: diff --git a/helm/kagent/templates/controller-service.yaml b/helm/kagent/templates/controller-service.yaml index 54933c355..37c6a0319 100644 --- a/helm/kagent/templates/controller-service.yaml +++ b/helm/kagent/templates/controller-service.yaml @@ -12,5 +12,11 @@ spec: targetPort: {{ .Values.controller.service.ports.targetPort }} protocol: TCP name: controller + {{- if .Values.controller.metrics.enabled }} + - port: {{ .Values.controller.metrics.port }} + targetPort: {{ .Values.controller.metrics.port }} + protocol: TCP + name: metrics + {{- end }} selector: {{- include "kagent.controller.selectorLabels" . | nindent 4 }} diff --git a/helm/kagent/templates/controller-servicemonitor.yaml b/helm/kagent/templates/controller-servicemonitor.yaml new file mode 100644 index 000000000..3d1bf53c8 --- /dev/null +++ b/helm/kagent/templates/controller-servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kagent.fullname" . }}-controller + namespace: {{ include "kagent.namespace" . }} + labels: + {{- include "kagent.controller.labels" . | nindent 4 }} + {{- with .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kagent.controller.selectorLabels" . | nindent 6 }} + endpoints: + - port: metrics + interval: {{ .Values.controller.metrics.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.controller.metrics.serviceMonitor.scrapeTimeout }} + {{- if .Values.controller.metrics.secure }} + scheme: https + tlsConfig: + insecureSkipVerify: true + {{- end }} + {{- with .Values.controller.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.metrics.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/helm/kagent/tests/controller-deployment_test.yaml b/helm/kagent/tests/controller-deployment_test.yaml index 2b43c31be..db22ffca0 100644 --- a/helm/kagent/tests/controller-deployment_test.yaml +++ b/helm/kagent/tests/controller-deployment_test.yaml @@ -239,4 +239,53 @@ tests: - isNull: path: spec.template.spec.volumes - isNull: - path: spec.template.spec.containers[0].volumeMounts \ No newline at end of file + path: spec.template.spec.containers[0].volumeMounts + + - it: should not include metrics port by default + template: controller-deployment.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].ports + count: 1 + + - it: should include metrics port when enabled + template: controller-deployment.yaml + set: + controller: + metrics: + enabled: true + port: 9093 + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].ports + count: 2 + - equal: + path: spec.template.spec.containers[0].ports[1].name + value: metrics + - equal: + path: spec.template.spec.containers[0].ports[1].containerPort + value: 9093 + + - it: should set metrics env vars in configmap when enabled + template: controller-configmap.yaml + set: + controller: + metrics: + enabled: true + port: 9093 + secure: false + asserts: + - equal: + path: data.METRICS_BIND_ADDRESS + value: ":9093" + - equal: + path: data.METRICS_SECURE + value: "false" + + - it: should not set metrics env vars when disabled + template: controller-configmap.yaml + asserts: + - notExists: + path: data.METRICS_BIND_ADDRESS + - notExists: + path: data.METRICS_SECURE \ No newline at end of file diff --git a/helm/kagent/tests/controller-service_test.yaml b/helm/kagent/tests/controller-service_test.yaml index f3bb1d97b..61fff4db8 100644 --- a/helm/kagent/tests/controller-service_test.yaml +++ b/helm/kagent/tests/controller-service_test.yaml @@ -68,4 +68,28 @@ tests: asserts: - equal: path: metadata.namespace - value: custom-namespace \ No newline at end of file + value: custom-namespace + + - it: should not include metrics port by default + asserts: + - lengthEqual: + path: spec.ports + count: 1 + + - it: should include metrics port when metrics are enabled + set: + controller.metrics.enabled: true + controller.metrics.port: 9093 + asserts: + - lengthEqual: + path: spec.ports + count: 2 + - equal: + path: spec.ports[1].name + value: metrics + - equal: + path: spec.ports[1].port + value: 9093 + - equal: + path: spec.ports[1].targetPort + value: 9093 \ No newline at end of file diff --git a/helm/kagent/tests/controller-servicemonitor_test.yaml b/helm/kagent/tests/controller-servicemonitor_test.yaml new file mode 100644 index 000000000..a09f9fde1 --- /dev/null +++ b/helm/kagent/tests/controller-servicemonitor_test.yaml @@ -0,0 +1,83 @@ +suite: test controller servicemonitor +templates: + - controller-servicemonitor.yaml +tests: + - it: should not render when metrics are disabled + asserts: + - hasDocuments: + count: 0 + + - it: should not render when metrics enabled but serviceMonitor disabled + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should render when both metrics and serviceMonitor are enabled + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceMonitor + - equal: + path: metadata.name + value: RELEASE-NAME-controller + + - it: should have correct endpoint configuration + set: + controller.metrics.enabled: true + controller.metrics.port: 9093 + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.interval: 30s + controller.metrics.serviceMonitor.scrapeTimeout: 10s + asserts: + - equal: + path: spec.endpoints[0].port + value: metrics + - equal: + path: spec.endpoints[0].interval + value: 30s + - equal: + path: spec.endpoints[0].scrapeTimeout + value: 10s + + - it: should use HTTPS scheme when metrics are secure + set: + controller.metrics.enabled: true + controller.metrics.secure: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - equal: + path: spec.endpoints[0].scheme + value: https + + - it: should include additional labels + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.additionalLabels: + release: prometheus + asserts: + - equal: + path: metadata.labels.release + value: prometheus + + - it: should have correct selector labels + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - equal: + path: spec.selector.matchLabels["app.kubernetes.io/name"] + value: kagent + - equal: + path: spec.selector.matchLabels["app.kubernetes.io/instance"] + value: RELEASE-NAME + - equal: + path: spec.selector.matchLabels["app.kubernetes.io/component"] + value: controller diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index 7f6142dd8..1544f30ec 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml @@ -126,6 +126,29 @@ controller: ports: port: 8083 targetPort: 8083 + # -- Prometheus metrics configuration + metrics: + # -- Enable the metrics endpoint + enabled: false + # -- Port for the metrics endpoint + port: 9093 + # -- Serve metrics via HTTPS (true) or HTTP (false) + secure: false + # -- Deploy a Prometheus Operator ServiceMonitor + serviceMonitor: + # -- Create a ServiceMonitor resource + enabled: false + # -- Additional labels for the ServiceMonitor (e.g. release: prometheus) + additionalLabels: {} + # -- Scrape interval + interval: 30s + # -- Scrape timeout + scrapeTimeout: 10s + # -- Metric relabeling configs + metricRelabelings: [] + # -- Relabeling configs + relabelings: [] + env: [] envFrom: [] From e73deb76c02e9f19d24c7d88fb0c2da877254096 Mon Sep 17 00:00:00 2001 From: "Optimus (AI Agent)" Date: Thu, 5 Mar 2026 11:33:08 +0000 Subject: [PATCH 2/4] fix: gate ServiceMonitor on CRD availability and add auth for secure metrics Address review feedback: - Gate ServiceMonitor rendering on .Capabilities.APIVersions.Has to avoid failures on clusters without Prometheus Operator CRDs - Add bearerTokenFile for service account auth when secure metrics enabled - Add test for CRD unavailability scenario - Add test for bearerTokenFile in secure mode Co-Authored-By: Claude Opus 4.6 Signed-off-by: Optimus (AI Agent) --- .../templates/controller-servicemonitor.yaml | 3 ++- .../tests/controller-servicemonitor_test.yaml | 26 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/helm/kagent/templates/controller-servicemonitor.yaml b/helm/kagent/templates/controller-servicemonitor.yaml index 3d1bf53c8..89f5b49c1 100644 --- a/helm/kagent/templates/controller-servicemonitor.yaml +++ b/helm/kagent/templates/controller-servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -21,6 +21,7 @@ spec: scheme: https tlsConfig: insecureSkipVerify: true + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token {{- end }} {{- with .Values.controller.metrics.serviceMonitor.metricRelabelings }} metricRelabelings: diff --git a/helm/kagent/tests/controller-servicemonitor_test.yaml b/helm/kagent/tests/controller-servicemonitor_test.yaml index a09f9fde1..02535234b 100644 --- a/helm/kagent/tests/controller-servicemonitor_test.yaml +++ b/helm/kagent/tests/controller-servicemonitor_test.yaml @@ -15,7 +15,18 @@ tests: - hasDocuments: count: 0 + - it: should not render when CRD is not available + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 0 + - it: should render when both metrics and serviceMonitor are enabled + capabilities: + apiVersions: + - monitoring.coreos.com/v1 set: controller.metrics.enabled: true controller.metrics.serviceMonitor.enabled: true @@ -29,6 +40,9 @@ tests: value: RELEASE-NAME-controller - it: should have correct endpoint configuration + capabilities: + apiVersions: + - monitoring.coreos.com/v1 set: controller.metrics.enabled: true controller.metrics.port: 9093 @@ -47,6 +61,9 @@ tests: value: 10s - it: should use HTTPS scheme when metrics are secure + capabilities: + apiVersions: + - monitoring.coreos.com/v1 set: controller.metrics.enabled: true controller.metrics.secure: true @@ -55,8 +72,14 @@ tests: - equal: path: spec.endpoints[0].scheme value: https + - equal: + path: spec.endpoints[0].bearerTokenFile + value: /var/run/secrets/kubernetes.io/serviceaccount/token - it: should include additional labels + capabilities: + apiVersions: + - monitoring.coreos.com/v1 set: controller.metrics.enabled: true controller.metrics.serviceMonitor.enabled: true @@ -68,6 +91,9 @@ tests: value: prometheus - it: should have correct selector labels + capabilities: + apiVersions: + - monitoring.coreos.com/v1 set: controller.metrics.enabled: true controller.metrics.serviceMonitor.enabled: true From 91193050ac152bcfad0ef07072cf96a0cb84d50c Mon Sep 17 00:00:00 2001 From: "Optimus (AI Agent)" Date: Fri, 6 Mar 2026 21:43:26 +0000 Subject: [PATCH 3/4] refactor: move metrics port to dedicated ClusterIP service Per review feedback, metrics should not be exposed on the main controller service which may be a LoadBalancer. This creates a separate ClusterIP service for metrics scraping. - Remove metrics port from controller-service.yaml - Add controller-metrics-service.yaml (ClusterIP, metrics only) - Update ServiceMonitor selector to target the metrics service Co-Authored-By: Claude Opus 4.6 Signed-off-by: Optimus (AI Agent) --- .../templates/controller-metrics-service.yaml | 19 +++++++++++++++++++ helm/kagent/templates/controller-service.yaml | 6 ------ .../templates/controller-servicemonitor.yaml | 1 + 3 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 helm/kagent/templates/controller-metrics-service.yaml diff --git a/helm/kagent/templates/controller-metrics-service.yaml b/helm/kagent/templates/controller-metrics-service.yaml new file mode 100644 index 000000000..ef1b75606 --- /dev/null +++ b/helm/kagent/templates/controller-metrics-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.controller.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kagent.fullname" . }}-controller-metrics + namespace: {{ include "kagent.namespace" . }} + labels: + {{- include "kagent.controller.labels" . | nindent 4 }} + app.kubernetes.io/component: metrics +spec: + type: ClusterIP + ports: + - port: {{ .Values.controller.metrics.port }} + targetPort: {{ .Values.controller.metrics.port }} + protocol: TCP + name: metrics + selector: + {{- include "kagent.controller.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/helm/kagent/templates/controller-service.yaml b/helm/kagent/templates/controller-service.yaml index 37c6a0319..54933c355 100644 --- a/helm/kagent/templates/controller-service.yaml +++ b/helm/kagent/templates/controller-service.yaml @@ -12,11 +12,5 @@ spec: targetPort: {{ .Values.controller.service.ports.targetPort }} protocol: TCP name: controller - {{- if .Values.controller.metrics.enabled }} - - port: {{ .Values.controller.metrics.port }} - targetPort: {{ .Values.controller.metrics.port }} - protocol: TCP - name: metrics - {{- end }} selector: {{- include "kagent.controller.selectorLabels" . | nindent 4 }} diff --git a/helm/kagent/templates/controller-servicemonitor.yaml b/helm/kagent/templates/controller-servicemonitor.yaml index 89f5b49c1..aaaa002e7 100644 --- a/helm/kagent/templates/controller-servicemonitor.yaml +++ b/helm/kagent/templates/controller-servicemonitor.yaml @@ -13,6 +13,7 @@ spec: selector: matchLabels: {{- include "kagent.controller.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: metrics endpoints: - port: metrics interval: {{ .Values.controller.metrics.serviceMonitor.interval }} From 2b221652e9470b6b03850329078d5718520582a5 Mon Sep 17 00:00:00 2001 From: "Optimus (AI Agent)" Date: Wed, 11 Mar 2026 19:18:19 +0000 Subject: [PATCH 4/4] fix: address Copilot review feedback on ServiceMonitor auth and selector labels - Add configurable bearerTokenSecret as alternative to the default bearerTokenFile, allowing users to override Prometheus auth via values (defaults to SA token file when not set) - Fix duplicate YAML keys in ServiceMonitor selector and metrics Service labels by using kagent.selectorLabels/kagent.labels instead of kagent.controller.selectorLabels/kagent.controller.labels - Update controller-service test to reflect metrics port move to dedicated service - Add test for bearerTokenSecret override - Fix selector label test to expect component: metrics Co-Authored-By: Claude Opus 4.6 Signed-off-by: Optimus (AI Agent) --- .../templates/controller-metrics-service.yaml | 2 +- .../templates/controller-servicemonitor.yaml | 7 ++++- .../kagent/tests/controller-service_test.yaml | 20 +++---------- .../tests/controller-servicemonitor_test.yaml | 30 +++++++++++++++++-- helm/kagent/values.yaml | 8 +++++ 5 files changed, 47 insertions(+), 20 deletions(-) diff --git a/helm/kagent/templates/controller-metrics-service.yaml b/helm/kagent/templates/controller-metrics-service.yaml index ef1b75606..bfcfdfd17 100644 --- a/helm/kagent/templates/controller-metrics-service.yaml +++ b/helm/kagent/templates/controller-metrics-service.yaml @@ -5,7 +5,7 @@ metadata: name: {{ include "kagent.fullname" . }}-controller-metrics namespace: {{ include "kagent.namespace" . }} labels: - {{- include "kagent.controller.labels" . | nindent 4 }} + {{- include "kagent.labels" . | nindent 4 }} app.kubernetes.io/component: metrics spec: type: ClusterIP diff --git a/helm/kagent/templates/controller-servicemonitor.yaml b/helm/kagent/templates/controller-servicemonitor.yaml index aaaa002e7..4f14db201 100644 --- a/helm/kagent/templates/controller-servicemonitor.yaml +++ b/helm/kagent/templates/controller-servicemonitor.yaml @@ -12,7 +12,7 @@ metadata: spec: selector: matchLabels: - {{- include "kagent.controller.selectorLabels" . | nindent 6 }} + {{- include "kagent.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: metrics endpoints: - port: metrics @@ -22,8 +22,13 @@ spec: scheme: https tlsConfig: insecureSkipVerify: true + {{- with .Values.controller.metrics.serviceMonitor.bearerTokenSecret }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- else }} bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token {{- end }} + {{- end }} {{- with .Values.controller.metrics.serviceMonitor.metricRelabelings }} metricRelabelings: {{- toYaml . | nindent 8 }} diff --git a/helm/kagent/tests/controller-service_test.yaml b/helm/kagent/tests/controller-service_test.yaml index 61fff4db8..b7e394250 100644 --- a/helm/kagent/tests/controller-service_test.yaml +++ b/helm/kagent/tests/controller-service_test.yaml @@ -70,26 +70,14 @@ tests: path: metadata.namespace value: custom-namespace - - it: should not include metrics port by default - asserts: - - lengthEqual: - path: spec.ports - count: 1 - - - it: should include metrics port when metrics are enabled + - it: should only have controller port (metrics use dedicated service) set: controller.metrics.enabled: true controller.metrics.port: 9093 asserts: - lengthEqual: path: spec.ports - count: 2 - - equal: - path: spec.ports[1].name - value: metrics - - equal: - path: spec.ports[1].port - value: 9093 + count: 1 - equal: - path: spec.ports[1].targetPort - value: 9093 \ No newline at end of file + path: spec.ports[0].name + value: controller \ No newline at end of file diff --git a/helm/kagent/tests/controller-servicemonitor_test.yaml b/helm/kagent/tests/controller-servicemonitor_test.yaml index 02535234b..fa2de3e7d 100644 --- a/helm/kagent/tests/controller-servicemonitor_test.yaml +++ b/helm/kagent/tests/controller-servicemonitor_test.yaml @@ -60,7 +60,7 @@ tests: path: spec.endpoints[0].scrapeTimeout value: 10s - - it: should use HTTPS scheme when metrics are secure + - it: should use HTTPS scheme and default bearerTokenFile when metrics are secure capabilities: apiVersions: - monitoring.coreos.com/v1 @@ -75,6 +75,32 @@ tests: - equal: path: spec.endpoints[0].bearerTokenFile value: /var/run/secrets/kubernetes.io/serviceaccount/token + - isNull: + path: spec.endpoints[0].bearerTokenSecret + + - it: should use bearerTokenSecret when configured for secure metrics + capabilities: + apiVersions: + - monitoring.coreos.com/v1 + set: + controller.metrics.enabled: true + controller.metrics.secure: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.bearerTokenSecret: + name: my-prometheus-token + key: token + asserts: + - equal: + path: spec.endpoints[0].scheme + value: https + - equal: + path: spec.endpoints[0].bearerTokenSecret.name + value: my-prometheus-token + - equal: + path: spec.endpoints[0].bearerTokenSecret.key + value: token + - isNull: + path: spec.endpoints[0].bearerTokenFile - it: should include additional labels capabilities: @@ -106,4 +132,4 @@ tests: value: RELEASE-NAME - equal: path: spec.selector.matchLabels["app.kubernetes.io/component"] - value: controller + value: metrics diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index 1544f30ec..31b1236ac 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml @@ -144,6 +144,14 @@ controller: interval: 30s # -- Scrape timeout scrapeTimeout: 10s + # -- Override the default bearerTokenFile with a Kubernetes Secret reference. + # When set and secure=true, uses bearerTokenSecret instead of the default + # service account token file for Prometheus authentication. + # Example: + # bearerTokenSecret: + # name: my-prometheus-token + # key: token + bearerTokenSecret: {} # -- Metric relabeling configs metricRelabelings: [] # -- Relabeling configs