feat(helm): add opt-in controller metrics Service

danielorbach · danielorbach · commit 43add2d473bb · 2026-05-06T03:31:20.000+03:00
Surface the controller manager's /metrics endpoint through a dedicated
Service so cluster scrapers can target it without port-forwarding to
individual pods. The new resource is gated on `controller.metrics.enabled`
and defaults off so existing installations are unchanged.

The Service mirrors the kmcp sub-chart layout (separate metrics Service,
named `https` port) to keep the umbrella chart internally consistent and
to let users author one ServiceMonitor pattern that targets both
controllers. RBAC and Deployment wiring follow in subsequent commits.
diff --git a/helm/kagent/templates/controller-metrics-service.yaml b/helm/kagent/templates/controller-metrics-service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.controller.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kagent.fullname" . }}-controller-metrics
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.controller.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.controller.metrics.service.type }}
+  ports:
+    - name: {{ ternary "https" "http-metrics" .Values.controller.metrics.secureServing }}
+      port: {{ .Values.controller.metrics.service.port }}
+      targetPort: {{ .Values.controller.metrics.service.targetPort }}
+      protocol: TCP
+  selector:
+    {{- include "kagent.controller.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/helm/kagent/tests/controller-metrics-service_test.yaml b/helm/kagent/tests/controller-metrics-service_test.yaml
@@ -0,0 +1,93 @@
+suite: test controller metrics service
+templates:
+  - controller-metrics-service.yaml
+tests:
+  - it: should not render by default
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render when metrics are enabled
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - isKind:
+          of: Service
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-controller-metrics
+      - equal:
+          path: spec.type
+          value: ClusterIP
+      - hasDocuments:
+          count: 1
+
+  - it: should expose https port from values
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].name
+          value: https
+      - equal:
+          path: spec.ports[0].port
+          value: 8443
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8443
+      - equal:
+          path: spec.ports[0].protocol
+          value: TCP
+
+  - it: should respect custom port and targetPort
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.service.port: 9443
+      controller.metrics.service.targetPort: 9443
+    asserts:
+      - equal:
+          path: spec.ports[0].port
+          value: 9443
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should rename port when secure serving disabled
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.secureServing: false
+    asserts:
+      - equal:
+          path: spec.ports[0].name
+          value: http-metrics
+
+  - it: should select controller pods
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - equal:
+          path: spec.selector["app.kubernetes.io/name"]
+          value: kagent
+      - equal:
+          path: spec.selector["app.kubernetes.io/instance"]
+          value: RELEASE-NAME
+      - equal:
+          path: spec.selector["app.kubernetes.io/component"]
+          value: controller
+
+  - it: should be in correct namespace
+    set:
+      controller.metrics.enabled: true
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
+
+  - it: should use custom namespace when overridden
+    set:
+      controller.metrics.enabled: true
+      namespaceOverride: "custom-namespace"
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: custom-namespace
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
@@ -222,6 +222,19 @@ controller:
     ports:
       port: 8083
       targetPort: 8083
+  # -- Prometheus-style /metrics endpoint for the controller manager.
+  # When enabled, provisions a dedicated metrics Service plus the ClusterRoles
+  # required for authenticated scrapes. Bind `<fullname>-metrics-reader` to
+  # your Prometheus ServiceAccount to grant scrape access.
+  # @default -- disabled
+  metrics:
+    enabled: false
+    bindAddress: ":8443"
+    secureServing: true
+    service:
+      type: ClusterIP
+      port: 8443
+      targetPort: 8443
   env: []
   envFrom: []
 
