Skip to content

[release-4.19] OCPBUGS-76531: feat(updates): enable CVO metrics access with RHOBS monitoring flag#7698

Open
gaol wants to merge 3 commits intoopenshift:release-4.19from
gaol:419_cvo_try
Open

[release-4.19] OCPBUGS-76531: feat(updates): enable CVO metrics access with RHOBS monitoring flag#7698
gaol wants to merge 3 commits intoopenshift:release-4.19from
gaol:419_cvo_try

Conversation

@gaol
Copy link
Contributor

@gaol gaol commented Feb 11, 2026

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com//browse/OCPBUGS-76531

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Chee-Lu and others added 2 commits February 11, 2026 16:07
@Chee-Lu @gaol
feat(updates): enable CVO metrics access with RHOBS monitoring flag
dfe5e2b 
When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to
RHOBS Prometheus for conditional update risk evaluation.

Add --cvo-prometheus-url flag to allow overriding the default Prometheus
endpoint. This provides flexibility for future changes (e.g., if ROSA
changes the service name) or for platforms with different monitoring
architectures (e.g., ARO HCP's self-managed Prometheus). When not
specified, platform-appropriate defaults are used.

The CVO deployment logic routes to different metrics endpoints based on
the monitoring stack:

- RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
- CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

For RHOBS (ROSA HCP), we always pass --metrics-ca-bundle-file and
--metrics-token-file from the service account. CVO only uses these files
if they exist, so passing them is safe even for HTTP endpoints that don't
require TLS or authentication. This approach allows switching to a
TLS-authenticated endpoint in the future by just changing the URL,
without requiring code changes.

Key changes:

- CVO deployment enables metrics access when either --rhobs-monitoring
  (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access
  (for self-managed HyperShift on OpenShift) is set
- Add --cvo-prometheus-url flag to configure CVO Prometheus endpoint
- Network policies updated to allow egress to the appropriate monitoring
  endpoint based on stack configuration
@gaol
Adds metrics.k8s.io pods get rule for control-plan-operator role when…
510632a 
… monitoring is enabled on rosa
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 11, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 11, 2026

@gaol: This pull request references Jira Issue OCPBUGS-76531, which is invalid:

  • expected dependent Jira Issue OCPBUGS-76324 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com//browse/OCPBUGS-76531

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 11, 2026
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from enxebre and hasueki February 11, 2026 08:30
@openshift-ci openshift-ci bot added the area/cli Indicates the PR includes changes for CLI label Feb 11, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gaol
Once this PR has been reviewed and has the lgtm label, please assign csrwng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Feb 11, 2026
@gaol
Copy link
Contributor Author

gaol commented Feb 11, 2026

/retest-required

1 similar comment
@gaol
Copy link
Contributor Author

gaol commented Feb 12, 2026

/retest-required

@gaol
Copy link
Contributor Author

gaol commented Feb 12, 2026

/retest-required

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 12, 2026
edited
Loading

@gaol: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-images db7703c link true /test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gaol
Copy link
Contributor Author

gaol commented Feb 25, 2026

/test verify

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@enxebre enxebre Awaiting requested review from enxebre

@hasueki hasueki Awaiting requested review from hasueki

Assignees

No one assigned

Labels

area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gaol @openshift-ci-robot @Chee-Lu