CM-1112: Fix cluster-monitoring set as annotation instead of label

[sebrandon1]

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
    "kubernetes.io/metadata.name": "cert-manager",
    "openshift.io/cluster-monitoring": "true",
    "pod-security.kubernetes.io/audit": "restricted",
    "pod-security.kubernetes.io/audit-version": "latest",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Summary by CodeRabbit

• Chores
  • Updated the cert-manager namespace manifest so the cluster monitoring setting is applied via metadata.labels instead of metadata.annotations.

[openshift-ci-robot]

@sebrandon1: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from scraping cert-manager metrics.

Note on existing clusters: The operator static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless -- monitoring only checks for the label.

Fixes #336

Test plan

• Unit tests pass (make test)
• Verify oc get ns cert-manager -o jsonpath='{.metadata.labels}' includes openshift.io/cluster-monitoring: "true" after operator reconciles
• Verify cert-manager metrics appear in cluster monitoring after the fix

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 07e6ae43-4fe4-4faf-825a-36b3059dcebe

📥 Commits

Reviewing files that changed from the base of the PR and between f7307e6 and 7987812.

📒 Files selected for processing (2)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml
• pkg/operator/assets/bindata.go

✅ Files skipped from review due to trivial changes (1)

• pkg/operator/assets/bindata.go

🚧 Files skipped from review as they are similar to previous changes (1)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml

---

Walkthrough

The cert-manager Namespace manifest and its embedded bindata asset apply openshift.io/cluster-monitoring: "true" as a metadata label instead of an annotation; both source YAML and generated asset were updated accordingly.

Changes

Cluster-monitoring label correction

Layer / File(s)	Summary
Namespace metadata label relocation bindata/cert-manager-deployment/cert-manager-namespace.yaml, pkg/operator/assets/bindata.go	openshift.io/cluster-monitoring: "true" is moved from metadata.annotations to metadata.labels in the Namespace manifest and the generated bindata bytes are updated to match.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	New Ginkgo e2e tests in test/e2e/observe_test.go use Prometheus/Thanos (monitoring stack unavailable on MicroShift) without [Skipped:MicroShift] or other protection markers.	Add [Skipped:MicroShift] label to "Monitoring and Metrics" Describe block or guard tests with IsMicroShiftCluster() check and g.Skip().
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New Ginkgo e2e tests in test/e2e/trustmanager_test.go assume multi-node clusters. Test "should apply custom affinity to deployment" (line 521) uses PodAntiAffinity with TopologyKey kubernetes.io/ho...	Add [Skipped:SingleReplicaTopology] label to the test name or guard with exutil.IsSingleNode() check that skips the test on SNO deployments, as SNO has only a single node making pod anti-affinity topology constraints inapplicable.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately identifies the main change: moving cluster-monitoring from annotation to label, matching the core objective of the PR.
Linked Issues check	✅ Passed	The PR changes directly address issue #336 by moving openshift.io/cluster-monitoring from metadata.annotations to metadata.labels as required.
Out of Scope Changes check	✅ Passed	The PR changes are limited to fixing the cluster-monitoring label placement; all modifications are directly related to the stated objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only manifest and generated asset files, not test files. The Ginkgo test name stability check is not applicable as no test files are modified.
Test Structure And Quality	✅ Passed	PR modifies only non-test files (cert-manager-namespace.yaml manifest and bindata.go asset). No Ginkgo test code was added or modified, making the custom test structure check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only changes namespace metadata (moving label from annotations), not deployment manifests or scheduling constraints; no topology-awareness issues introduced.
Ote Binary Stdout Contract	✅ Passed	PR changes only YAML manifest content and auto-generated bindata bytes; no process-level stdout writes introduced. Changes are data-only with no test framework code affected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes are only to a Kubernetes namespace YAML manifest and its generated asset file, which are out of scope for IPv6/disconnected network compatibil...
No-Weak-Crypto	✅ Passed	PR contains no weak cryptography patterns, custom crypto implementations, or unsafe secret comparisons. Changes are limited to moving a monitoring label in a Namespace manifest and regenerating a b...
Container-Privileges	✅ Passed	No privileged containers, root access, SYS_ADMIN capabilities, or allowPrivilegeEscalation settings detected. All containers run as non-root with dropped capabilities and read-only filesystems.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements expose sensitive data. Changes only move a monitoring label in the namespace manifest and regenerate the asset file with no new logging introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1112 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
   "kubernetes.io/metadata.name": "cert-manager",
   "openshift.io/cluster-monitoring": "true",
   "pod-security.kubernetes.io/audit": "restricted",
   "pod-security.kubernetes.io/audit-version": "latest",
   "pod-security.kubernetes.io/warn": "restricted",
   "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator-tech-preview	7987812	link	false	/test e2e-operator-tech-preview
ci/prow/e2e-operator	7987812	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.