feat(helm): add metrics endpoint and optional ServiceMonitor support

[mesutoezdil]

Revives #1435 which was closed by stalebot. The controller already supports METRICS_BIND_ADDRESS and METRICS_SECURE via flags, this just wires them up properly in the chart.

When controller.metrics.enabled is true the chart sets the env vars, exposes the metrics port on the Deployment and Service, and optionally creates a ServiceMonitor for Prometheus Operator.

Usage:

controller:
  metrics:
    enabled: true
    port: 9093
    secure: false
    serviceMonitor:
      enabled: true
      labels:
        release: prometheus

Closes #1369

[Copilot]

Pull request overview

This PR adds Helm-chart support for exposing the controller’s existing metrics endpoint and optionally creating a Prometheus Operator ServiceMonitor, so observability can be enabled from chart values instead of manual env/service customization.

Changes:

• Adds controller.metrics values for enabling metrics, choosing the port, configuring secure mode, and toggling ServiceMonitor creation.
• Wires metrics settings into the controller ConfigMap, Deployment, and Service so the endpoint is exposed when enabled.
• Adds Helm unit tests covering Service, Deployment, and ServiceMonitor rendering for the new metrics options.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
helm/kagent/values.yaml	Adds chart values for controller metrics and ServiceMonitor settings.
helm/kagent/tests/controller-servicemonitor_test.yaml	Adds render tests for the new ServiceMonitor template.
helm/kagent/tests/controller-service_test.yaml	Verifies the controller Service adds a metrics port when enabled.
helm/kagent/tests/controller-deployment_test.yaml	Verifies the controller Deployment/ConfigMap pick up metrics ports and env vars.
helm/kagent/templates/controller-servicemonitor.yaml	Introduces the optional Prometheus Operator ServiceMonitor.
helm/kagent/templates/controller-service.yaml	Exposes the metrics port on the controller Service.
helm/kagent/templates/controller-deployment.yaml	Exposes the metrics port on the controller container.
helm/kagent/templates/controller-configmap.yaml	Sets metrics-related env vars consumed by the controller.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[danielorbach]

Hey — I've put up an alternative shape for #1369 in #1803. The main substantive difference is RBAC: the controller binary defaults --metrics-secure=true, which engages controller-runtime's WithAuthenticationAndAuthorization filter on /metrics. That filter calls TokenReview and SubjectAccessReview against the API server for every scrape, so the controller's ServiceAccount needs create rights on authentication.k8s.io/tokenreviews and authorization.k8s.io/subjectaccessreviews. As things stand here, enabling metrics with secure-serving on (the default) returns 5xx on every scrape because those rights aren't granted, and there's no unbound metrics-reader ClusterRole for cluster operators to bind to their scraper's ServiceAccount.

The kubebuilder/operator-sdk default — and what the kmcp sub-chart already shipped in this same umbrella does — is two ClusterRoles plus a single auth ClusterRoleBinding. That's the shape #1803 takes. It also uses a separate dedicated metrics Service rather than reusing the existing one, again matching kmcp. ServiceMonitor is deferred there.

Both shapes should solve #1369; happy to converge in either direction if maintainers have a preference.

[mesutoezdil]

@danielorbach Added metrics-auth-role (ClusterRole + binding) for the controller SA's TokenReview/SubjectAccessReview rights, and an unbound metrics-reader ClusterRole operators can bind their scraper SA to. Both gated on controller.metrics.enabled. If the dedicated metrics Service shape from #1803 is preferred, we can add that too @EItanya.