Skip to content

[release-4.21] OCPBUGS-75884: feat(updates): enable CVO metrics access with RHOBS monitoring flag#7632

Open
openshift-cherrypick-robot wants to merge 1 commit intoopenshift:release-4.21from
openshift-cherrypick-robot:cherry-pick-7399-to-release-4.21
Open

[release-4.21] OCPBUGS-75884: feat(updates): enable CVO metrics access with RHOBS monitoring flag#7632
openshift-cherrypick-robot wants to merge 1 commit intoopenshift:release-4.21from
openshift-cherrypick-robot:cherry-pick-7399-to-release-4.21

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Feb 4, 2026

This is an automated cherry-pick of #7399

/assign celebdor

/cherrypick release-4.20

@Chee-Lu
feat(updates): enable CVO metrics access with RHOBS monitoring flag
ec5c207 
When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to
RHOBS Prometheus for conditional update risk evaluation.

Add --cvo-prometheus-url flag to allow overriding the default Prometheus
endpoint. This provides flexibility for future changes (e.g., if ROSA
changes the service name) or for platforms with different monitoring
architectures (e.g., ARO HCP's self-managed Prometheus). When not
specified, platform-appropriate defaults are used.

The CVO deployment logic routes to different metrics endpoints based on
the monitoring stack:

- RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
- CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

For RHOBS (ROSA HCP), we always pass --metrics-ca-bundle-file and
--metrics-token-file from the service account. CVO only uses these files
if they exist, so passing them is safe even for HTTP endpoints that don't
require TLS or authentication. This approach allows switching to a
TLS-authenticated endpoint in the future by just changing the URL,
without requiring code changes.

Key changes:

- CVO deployment enables metrics access when either --rhobs-monitoring
  (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access
  (for self-managed HyperShift on OpenShift) is set
- Add --cvo-prometheus-url flag to configure CVO Prometheus endpoint
- Network policies updated to allow egress to the appropriate monitoring
  endpoint based on stack configuration
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Feb 4, 2026
Merged
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 4, 2026
edited
Loading

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 4, 2026

@openshift-cherrypick-robot: Jira Issue OCPBUGS-69447 has been cloned as Jira Issue OCPBUGS-75884. Will retitle bug to link to clone.
/retitle [release-4.21] OCPBUGS-75884: feat(updates): enable CVO metrics access with RHOBS monitoring flag

Details

In response to this:

This is an automated cherry-pick of #7399

/assign celebdor

/cherrypick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.21] OCPBUGS-69447: feat(updates): enable CVO metrics access with RHOBS monitoring flag [release-4.21] OCPBUGS-75884: feat(updates): enable CVO metrics access with RHOBS monitoring flag Feb 4, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 4, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 4, 2026

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-75884, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #7399

/assign celebdor

/cherrypick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from devguyio and muraee February 4, 2026 08:47
@openshift-ci openshift-ci bot added the area/cli Indicates the PR includes changes for CLI label Feb 4, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Feb 4, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devguyio devguyio Awaiting requested review from devguyio

@muraee muraee Awaiting requested review from muraee

Assignees

@celebdor celebdor

Labels

area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@openshift-cherrypick-robot @openshift-ci-robot @celebdor @Chee-Lu