fix(helm): derive metrics targetPort from bindAddress

danielorbach · danielorbach · commit 9cbc534ef7b5 · 2026-05-10T17:23:33.000+03:00
The earlier commits exposed both `controller.metrics.bindAddress` and `controller.metrics.service.targetPort` as independent values, so a user could shift the runtime bind without moving the Service target and end up with a Service that points at a port the controller binary is not listening on. Drop the separate `service.targetPort` knob and derive both the container port and the Service targetPort from `bindAddress` via `regexFind`, matching the `kmcp` sub-chart's pattern. Add a test that asserts the derived ports stay in sync when `bindAddress` is customised, plus a regression test that documents the `controller.env` escape hatch (user-supplied env vars are emitted after chart defaults, so the user's value wins at runtime). The escape hatch still cannot move the Service target; values.yaml now flags this. Addresses review feedback on kagent-dev#1803. Signed-off-by: Daniel Orbach <ddorbach@gmail.com>
diff --git a/helm/kagent/templates/controller-deployment.yaml b/helm/kagent/templates/controller-deployment.yaml
@@ -105,7 +105,7 @@ spec:
               protocol: TCP
             {{- if .Values.controller.metrics.enabled }}
             - name: metrics
-              containerPort: {{ .Values.controller.metrics.service.targetPort }}
+              containerPort: {{ .Values.controller.metrics.bindAddress | regexFind "[0-9]+" | int }}
               protocol: TCP
             {{- end }}
           resources:
diff --git a/helm/kagent/templates/controller-metrics-service.yaml b/helm/kagent/templates/controller-metrics-service.yaml
@@ -11,7 +11,7 @@ spec:
   ports:
     - name: {{ ternary "https" "http-metrics" .Values.controller.metrics.secureServing }}
       port: {{ .Values.controller.metrics.service.port }}
-      targetPort: {{ .Values.controller.metrics.service.targetPort }}
+      targetPort: {{ .Values.controller.metrics.bindAddress | regexFind "[0-9]+" | int }}
       protocol: TCP
   selector:
     {{- include "kagent.controller.selectorLabels" . | nindent 4 }}
diff --git a/helm/kagent/tests/controller-deployment_test.yaml b/helm/kagent/tests/controller-deployment_test.yaml
@@ -562,12 +562,11 @@ tests:
             name: METRICS_SECURE
             value: "false"
 
-  - it: should reflect custom bind address and target port
+  - it: should derive metrics container port from bindAddress
     template: controller-deployment.yaml
     set:
       controller.metrics.enabled: true
       controller.metrics.bindAddress: ":9443"
-      controller.metrics.service.targetPort: 9443
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
@@ -580,3 +579,22 @@ tests:
             name: metrics
             containerPort: 9443
             protocol: TCP
+
+  - it: should let controller.env override the chart-supplied metrics env
+    template: controller-deployment.yaml
+    set:
+      controller.metrics.enabled: true
+      controller.env:
+        - name: METRICS_BIND_ADDRESS
+          value: "0"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: METRICS_BIND_ADDRESS
+            value: ":8443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: METRICS_BIND_ADDRESS
+            value: "0"
diff --git a/helm/kagent/tests/controller-metrics-service_test.yaml b/helm/kagent/tests/controller-metrics-service_test.yaml
@@ -39,11 +39,11 @@ tests:
           path: spec.ports[0].protocol
           value: TCP
 
-  - it: should respect custom port and targetPort
+  - it: should derive targetPort from bindAddress
     set:
       controller.metrics.enabled: true
+      controller.metrics.bindAddress: ":9443"
       controller.metrics.service.port: 9443
-      controller.metrics.service.targetPort: 9443
     asserts:
       - equal:
           path: spec.ports[0].port
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
@@ -230,7 +230,12 @@ controller:
   # -- Prometheus-style /metrics endpoint for the controller manager.
   # When enabled, provisions a dedicated metrics Service plus the ClusterRoles
   # required for authenticated scrapes. Bind `<fullname>-metrics-reader` to
-  # your Prometheus ServiceAccount to grant scrape access.
+  # your Prometheus ServiceAccount to grant scrape access. The Service
+  # targetPort and pod containerPort are derived from `bindAddress` so the
+  # two cannot drift; only the cluster-facing `service.port` is independently
+  # configurable. Overriding `METRICS_BIND_ADDRESS` via `controller.env`
+  # changes the runtime bind but not the Service — keep `service.port`
+  # aligned manually if you take that escape hatch.
   # @default -- disabled
   metrics:
     enabled: false
@@ -239,7 +244,6 @@ controller:
     service:
       type: ClusterIP
       port: 8443
-      targetPort: 8443
   env: []
   envFrom: []
 
