openshift-hyperfleet · cristianoveiga · Jun 14, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
diff --git a/Makefile b/Makefile
@@ -329,6 +329,29 @@ test-helm: $(KUBECONFORM) verify-helm-docs ## Test Helm charts (lint, template,
 		--set serviceMonitor.interval=15s | $(KUBECONFORM) $(KUBECONFORM_FLAGS)
 	@echo "ServiceMonitor config template OK"
 	@echo ""
+	@echo "Testing template with PodMonitoring enabled..."
+	helm template test-release charts/ \
+		--set image.registry=quay.io \
+		--set image.repository=openshift-hyperfleet/hyperfleet-api \
+		--set image.tag=test \
+		--set 'adapters.cluster=["validation"]' \
+		--set 'adapters.nodepool=["validation"]' \
+		--set monitoring.podMonitoring.enabled=true \
+		--set monitoring.podMonitoring.interval=15s | $(KUBECONFORM) $(KUBECONFORM_FLAGS) -ignore-missing-schemas
+	@echo "PodMonitoring config template OK"
+	@echo ""
+	@echo "Testing template with PodMonitoring and TLS enabled..."
+	helm template test-release charts/ \
+		--set image.registry=quay.io \
+		--set image.repository=openshift-hyperfleet/hyperfleet-api \
+		--set image.tag=test \
+		--set 'adapters.cluster=["validation"]' \
+		--set 'adapters.nodepool=["validation"]' \
+		--set monitoring.podMonitoring.enabled=true \
+		--set config.metrics.tls.enabled=true \
+		--set monitoring.podMonitoring.tlsConfig.insecureSkipVerify=true | $(KUBECONFORM) $(KUBECONFORM_FLAGS) -ignore-missing-schemas
+	@echo "PodMonitoring with TLS config template OK"
+	@echo ""
 	@echo "Testing template with auth disabled..."
 	helm template test-release charts/ \
 		--set image.registry=quay.io \

diff --git a/charts/README.md b/charts/README.md
@@ -155,7 +155,14 @@ helm install hyperfleet-api oci://REGISTRY/hyperfleet-api \
 | database.postgresql.persistence.enabled | bool | `false` | Enable persistent storage (uses emptyDir when disabled) |
 | database.postgresql.persistence.size | string | `"1Gi"` | Volume size |
 | database.postgresql.persistence.storageClass | string | `""` | StorageClass name (empty for cluster default) |
-| monitoring | object | `{"prometheusRule":{"additionalLabels":{},"enabled":false,"namespace":"","rules":{"deletionStuck":{"for":"5m","runbookUrl":""},"deletionTimeout":{"for":"30m","runbookUrl":""}}}}` | Monitoring and alerting configuration |
+| monitoring | object | `{"podMonitoring":{"additionalLabels":{},"enabled":false,"interval":"30s","metricRelabeling":[],"tlsConfig":{"insecureSkipVerify":false}},"prometheusRule":{"additionalLabels":{},"enabled":false,"namespace":"","rules":{"deletionStuck":{"for":"5m","runbookUrl":""},"deletionTimeout":{"for":"30m","runbookUrl":""}}}}` | Monitoring and alerting configuration |
+| monitoring.podMonitoring | object | `{"additionalLabels":{},"enabled":false,"interval":"30s","metricRelabeling":[],"tlsConfig":{"insecureSkipVerify":false}}` | PodMonitoring for Google Managed Prometheus (GMP) scraping |
+| monitoring.podMonitoring.enabled | bool | `false` | Create a PodMonitoring resource |
+| monitoring.podMonitoring.interval | string | `"30s"` | Scrape interval |
+| monitoring.podMonitoring.additionalLabels | object | `{}` | Additional labels for the PodMonitoring resource |
+| monitoring.podMonitoring.metricRelabeling | list | `[]` | Metric relabel configs to apply to samples before ingestion |
+| monitoring.podMonitoring.tlsConfig | object | `{"insecureSkipVerify":false}` | TLS configuration when config.metrics.tls.enabled=true |
+| monitoring.podMonitoring.tlsConfig.insecureSkipVerify | bool | `false` | Disable target certificate validation (e.g. for self-signed certs) |
 | monitoring.prometheusRule | object | `{"additionalLabels":{},"enabled":false,"namespace":"","rules":{"deletionStuck":{"for":"5m","runbookUrl":""},"deletionTimeout":{"for":"30m","runbookUrl":""}}}` | PrometheusRule for alerting |
 | monitoring.prometheusRule.enabled | bool | `false` | Create PrometheusRule resources |
 | monitoring.prometheusRule.additionalLabels | object | `{}` | Additional labels for PrometheusRule discovery |

diff --git a/charts/templates/podmonitoring.yaml b/charts/templates/podmonitoring.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.monitoring.podMonitoring.enabled }}
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+  name: {{ include "hyperfleet-api.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "hyperfleet-api.labels" . | nindent 4 }}
+    {{- with .Values.monitoring.podMonitoring.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "hyperfleet-api.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: metrics
+      interval: {{ .Values.monitoring.podMonitoring.interval | default "30s" }}
+      path: /metrics
+      {{- if .Values.config.metrics.tls.enabled }}
+      scheme: https
+      tls:
+        insecureSkipVerify: {{ .Values.monitoring.podMonitoring.tlsConfig.insecureSkipVerify }}
+      {{- end }}
+      {{- with .Values.monitoring.podMonitoring.metricRelabeling }}
+      metricRelabeling:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -333,6 +333,20 @@ database:
 
 # -- Monitoring and alerting configuration
 monitoring:
+  # -- PodMonitoring for Google Managed Prometheus (GMP) scraping
+  podMonitoring:
+    # -- Create a PodMonitoring resource
+    enabled: false
+    # -- Scrape interval
+    interval: 30s
+    # -- Additional labels for the PodMonitoring resource
+    additionalLabels: {}
+    # -- Metric relabel configs to apply to samples before ingestion
+    metricRelabeling: []
+    # -- TLS configuration when config.metrics.tls.enabled=true
+    tlsConfig:
+      # -- Disable target certificate validation (e.g. for self-signed certs)
+      insecureSkipVerify: false
   # -- PrometheusRule for alerting
   prometheusRule:
     # -- Create PrometheusRule resources

diff --git a/docs/metrics.md b/docs/metrics.md
@@ -376,6 +376,19 @@ serviceMonitor:
 
 See [Deployment Guide](deployment.md#prometheus-operator-integration) for details.
 
+## Google Managed Prometheus (GMP) Integration
+
+If running on GKE with Google Managed Prometheus, enable the PodMonitoring resource in Helm values:
+
+```yaml
+monitoring:
+  podMonitoring:
+    enabled: true
+    interval: 30s
+```
+
+This creates a `monitoring.googleapis.com/v1/PodMonitoring` resource that configures the GMP collector agent to scrape the `/metrics` endpoint directly from pods. The `serviceMonitor` and `podMonitoring` options are independent and can be enabled simultaneously.
+
 ## Grafana Dashboard
 
 Example dashboard JSON for HyperFleet API monitoring is available in the architecture repository. Key panels to include: