fix: gate ServiceMonitor on CRD availability and add auth for secure metrics

Address review feedback:
- Gate ServiceMonitor rendering on .Capabilities.APIVersions.Has to avoid
  failures on clusters without Prometheus Operator CRDs
- Add bearerTokenFile for service account auth when secure metrics enabled
- Add test for CRD unavailability scenario
- Add test for bearerTokenFile in secure mode

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Optimus (AI Agent) <agent@fulcria.com>

Author: optimus-fulcria

helm/kagent/templates/controller-servicemonitor.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -21,6 +21,7 @@ spec:
       scheme: https
       tlsConfig:
         insecureSkipVerify: true
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       {{- end }}
       {{- with .Values.controller.metrics.serviceMonitor.metricRelabelings }}
       metricRelabelings:

helm/kagent/tests/controller-servicemonitor_test.yaml

@@ -15,7 +15,18 @@ tests:
       - hasDocuments:
           count: 0
 
+  - it: should not render when CRD is not available
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
   - it: should render when both metrics and serviceMonitor are enabled
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1
     set:
       controller.metrics.enabled: true
       controller.metrics.serviceMonitor.enabled: true
@@ -29,6 +40,9 @@ tests:
           value: RELEASE-NAME-controller
 
   - it: should have correct endpoint configuration
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1
     set:
       controller.metrics.enabled: true
       controller.metrics.port: 9093
@@ -47,6 +61,9 @@ tests:
           value: 10s
 
   - it: should use HTTPS scheme when metrics are secure
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1
     set:
       controller.metrics.enabled: true
       controller.metrics.secure: true
@@ -55,8 +72,14 @@ tests:
       - equal:
           path: spec.endpoints[0].scheme
           value: https
+      - equal:
+          path: spec.endpoints[0].bearerTokenFile
+          value: /var/run/secrets/kubernetes.io/serviceaccount/token
 
   - it: should include additional labels
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1
     set:
       controller.metrics.enabled: true
       controller.metrics.serviceMonitor.enabled: true
@@ -68,6 +91,9 @@ tests:
           value: prometheus
 
   - it: should have correct selector labels
+    capabilities:
+      apiVersions:
+        - monitoring.coreos.com/v1
     set:
       controller.metrics.enabled: true
       controller.metrics.serviceMonitor.enabled: true