CM-1112: Fix cluster-monitoring set as annotation instead of label

[sebrandon1]

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
    "kubernetes.io/metadata.name": "cert-manager",
    "openshift.io/cluster-monitoring": "true",
    "pod-security.kubernetes.io/audit": "restricted",
    "pod-security.kubernetes.io/audit-version": "latest",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Summary by CodeRabbit

• Chores
  • Updated the cert-manager namespace manifest so the cluster monitoring setting is now applied via metadata.labels instead of metadata.annotations.

[openshift-ci-robot]

@sebrandon1: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from scraping cert-manager metrics.

Note on existing clusters: The operator static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless -- monitoring only checks for the label.

Fixes #336

Test plan

• Unit tests pass (make test)
• Verify oc get ns cert-manager -o jsonpath='{.metadata.labels}' includes openshift.io/cluster-monitoring: "true" after operator reconciles
• Verify cert-manager metrics appear in cluster monitoring after the fix

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e378b68d-6a26-489f-b562-52c8d1d6f99b

📥 Commits

Reviewing files that changed from the base of the PR and between 7987812 and e6de6a6.

📒 Files selected for processing (2)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml
• pkg/operator/assets/bindata.go

✅ Files skipped from review due to trivial changes (1)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/operator/assets/bindata.go

---

Walkthrough

The cert-manager Namespace manifest and its embedded bindata asset apply openshift.io/cluster-monitoring: "true" as a metadata label instead of an annotation; both source YAML and generated asset were updated accordingly.

Changes

Cluster-monitoring label correction

Layer / File(s)	Summary
Namespace metadata label relocation bindata/cert-manager-deployment/cert-manager-namespace.yaml, pkg/operator/assets/bindata.go	openshift.io/cluster-monitoring: "true" is moved from metadata.annotations to metadata.labels in the Namespace manifest and the generated bindata bytes are updated to match.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: moving cluster-monitoring from annotations to labels in the cert-manager namespace manifest.
Linked Issues check	✅ Passed	The pull request fully addresses issue #336 by correcting the placement of openshift.io/cluster-monitoring from annotations to labels in the namespace manifest and regenerating bindata.go.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing the cluster-monitoring label placement; no unrelated modifications are present in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR only modifies two non-test files: a YAML manifest and a generated binary asset file. No Ginkgo test code was introduced, so check is not applicable.
Test Structure And Quality	✅ Passed	This PR modifies only configuration files (YAML manifest and generated Go assets), not test code. The check requires reviewing Ginkgo test structure, which is not applicable here.
Microshift Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests. Changes are limited to a Kubernetes manifest file and its auto-generated asset representation. MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests; only modifies manifest and regenerates bindata. Check for SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies a namespace metadata label (moving openshift.io/cluster-monitoring to labels), not deployment scheduling. No topology-sensitive constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR changes only YAML manifest and generated bindata file; no modifications to process-level code (main, init, test suites) or stdout writes that could violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests. It only modifies a YAML manifest (moving cluster-monitoring key from annotations to labels) and regenerates bindata.go. The IPv6/Disconnected Network check app...
No-Weak-Crypto	✅ Passed	PR contains no weak crypto, custom crypto, or insecure comparisons; changes are only Kubernetes namespace label configuration without any cryptographic code.
Container-Privileges	✅ Passed	PR changes only involve moving cluster monitoring label from annotations to labels in a Namespace manifest. No container privilege escalation settings (privileged, hostPID, hostNetwork, hostIPC, SY...
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no logging statements exposing passwords, tokens, API keys, PII, session IDs, or customer data. Changes are limited to moving a Kubernetes label in namespace manifest and regenerating e...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1112 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
   "kubernetes.io/metadata.name": "cert-manager",
   "openshift.io/cluster-monitoring": "true",
   "pod-security.kubernetes.io/audit": "restricted",
   "pod-security.kubernetes.io/audit-version": "latest",
   "pod-security.kubernetes.io/warn": "restricted",
   "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator-tech-preview	e6de6a6	link	false	/test e2e-operator-tech-preview
ci/prow/e2e-operator	e6de6a6	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.