CM-1112: Fix cluster-monitoring set as annotation instead of label

[sebrandon1]

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
    "kubernetes.io/metadata.name": "cert-manager",
    "openshift.io/cluster-monitoring": "true",
    "pod-security.kubernetes.io/audit": "restricted",
    "pod-security.kubernetes.io/audit-version": "latest",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Summary by CodeRabbit

• Chores
  • Updated cert-manager namespace cluster monitoring configuration to use labels instead of annotations.

[openshift-ci-robot]

@sebrandon1: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from scraping cert-manager metrics.

Note on existing clusters: The operator static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless -- monitoring only checks for the label.

Fixes #336

Test plan

• Unit tests pass (make test)
• Verify oc get ns cert-manager -o jsonpath='{.metadata.labels}' includes openshift.io/cluster-monitoring: "true" after operator reconciles
• Verify cert-manager metrics appear in cluster monitoring after the fix

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ae294952-9bd1-40c3-be55-8d2d721df7ee

📥 Commits

Reviewing files that changed from the base of the PR and between ac82e42 and f7307e6.

📒 Files selected for processing (2)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml
• pkg/operator/assets/bindata.go

✅ Files skipped from review due to trivial changes (1)

• pkg/operator/assets/bindata.go

🚧 Files skipped from review as they are similar to previous changes (1)

• bindata/cert-manager-deployment/cert-manager-namespace.yaml

---

Walkthrough

The cert-manager Namespace manifest and its embedded bindata asset apply openshift.io/cluster-monitoring: "true" as a metadata label instead of an annotation; both source YAML and generated asset were updated accordingly.

Changes

Cluster-monitoring label correction

Layer / File(s)	Summary
Namespace metadata relocation bindata/cert-manager-deployment/cert-manager-namespace.yaml, pkg/operator/assets/bindata.go	openshift.io/cluster-monitoring: "true" is moved from metadata.annotations to metadata.labels in the Namespace manifest and the generated bindata bytes are updated to match.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and specifically identifies the main change: moving cluster-monitoring from annotation to label, matching the changeset.
Linked Issues check	✅ Passed	The PR successfully addresses issue #336 by moving openshift.io/cluster-monitoring from metadata.annotations to metadata.labels and regenerating bindata.go.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing the cluster-monitoring label issue; no unrelated modifications were introduced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the PR are stable and deterministic with no dynamic content (no fmt.Sprintf, string concatenation, or variable values in test titles).
Test Structure And Quality	✅ Passed	Ginkgo e2e tests follow quality practices: single responsibility, BeforeEach/DeferCleanup, explicit timeouts, meaningful messages, consistent patterns.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to a Kubernetes manifest file and its generated asset file, which are outside the scope of the MicroShift compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only a namespace manifest and regenerates bindata.go; it adds no new Ginkgo e2e tests, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies Namespace labels for monitoring. No scheduling constraints, affinity rules, topology spread constraints, or control-plane node targeting introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML manifest and bindata.go. main() uses k8s.io/component-base/cli.Run for proper logging. No stdout violations detected in process-level code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds no new Ginkgo e2e tests; changes are limited to cert-manager namespace manifest and auto-generated bindata. Check not applicable.
No-Weak-Crypto	✅ Passed	PR changes only Kubernetes manifest labels and auto-generated bindata; no weak cryptographic algorithms, custom crypto, or unsafe comparisons present.
Container-Privileges	✅ Passed	PR changes only namespace metadata labels (moving cluster-monitoring to labels). No container privilege settings, SecurityContext configs, or privileged mode configurations were added or modified.
No-Sensitive-Data-In-Logs	✅ Passed	PR only modifies Kubernetes manifest YAML and auto-generated bindata; no logging code added or sensitive data exposed in logs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1112 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Moves openshift.io/cluster-monitoring: "true" from annotations to labels on the cert-manager namespace manifest
• Regenerates bindata.go to match

Per the OCP docs, cluster monitoring requires the openshift.io/cluster-monitoring: "true" key to be set as a label on the namespace. The operator was incorrectly setting it as an annotation, which prevented Prometheus from discovering the namespace for metrics scraping.

Note on existing clusters: The operator's static resource controller (library-go EnsureObjectMeta) merges labels additively. On upgrade, the label will be added but the old annotation will remain. This is harmless — monitoring only checks for the label.

Cluster verification (OCP 4.19)

Before — label missing, only annotation set:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
(empty)

After — label correctly set:

$ oc get ns cert-manager -o jsonpath='{.metadata.labels.openshift\.io/cluster-monitoring}'
true

$ oc get ns cert-manager -o jsonpath='{.metadata.labels}'
{
   "kubernetes.io/metadata.name": "cert-manager",
   "openshift.io/cluster-monitoring": "true",
   "pod-security.kubernetes.io/audit": "restricted",
   "pod-security.kubernetes.io/audit-version": "latest",
   "pod-security.kubernetes.io/warn": "restricted",
   "pod-security.kubernetes.io/warn-version": "latest"
}

The old annotation remains on existing clusters (additive merge), which is harmless:

$ oc get ns cert-manager -o jsonpath='{.metadata.annotations.openshift\.io/cluster-monitoring}'
true

Fixes #336

Test plan

• Unit tests pass (make test)
• Verified on live OCP 4.19 cluster: label present after applying fix
• CI e2e tests pass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	f7307e6	link	true	/test e2e-operator
ci/prow/e2e-operator-tech-preview	f7307e6	link	false	/test e2e-operator-tech-preview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.