diff --git a/.github/workflows/policy-matrix.yml b/.github/workflows/policy-matrix.yml
index 906ea911..6e8d02e7 100644
--- a/.github/workflows/policy-matrix.yml
+++ b/.github/workflows/policy-matrix.yml
@@ -96,6 +96,29 @@ jobs:
 run: |
 kubectl cluster-info
 kubectl version
+ - name: Install prometheus-operator ServiceMonitor CRD (issue #494)
+ # The production-preset values file flips `serviceMonitor.enabled=true`,
+ # which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource.
+ # Kind does not ship that CRD, so `helm install --dry-run=server`
+ # exits 1 with "no matches for kind ServiceMonitor in version
+ # monitoring.coreos.com/v1" on every chart-touching PR (regression
+ # since #475). We install ONLY the ServiceMonitor CRD — the chart's
+ # production preset references no other monitoring.coreos.com kinds,
+ # and the slim CRD install (~700 lines of YAML) is cheaper than the
+ # full prometheus-operator bundle (~3MB) which would also pull
+ # Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, and
+ # PrometheusRule kinds we do not exercise. Applied unconditionally
+ # across every matrix row (not just production) so a future
+ # default-values flip cannot silently re-break this gate.
+ #
+ # CRD ref pinned to a tagged release (v0.91.0, published
+ # 2026-05-05) per repo convention `KYVERNO_POLICIES_REF` /
+ # `GATEKEEPER_VERSION` in scripts/policy-matrix-smoke.sh — never
+ # track `main`. Bumping this pin is a reviewed code change.
+ run: |
+ kubectl apply -f \
+ "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
+ kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s
 - name: Smoke — install policy engine + helm dry-run tracecore chart
 env:
 POLICY_ENGINE: ${{ matrix.policy_engine }}
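Review bot: The `kubectl apply -f "https://raw.githubusercontent.com/.../v0.91.0/..."` line in the new step trusts whatever the tag resolves to at run time; a git tag can be moved and raw.githubusercontent.com provides no integrity proof, so the pin the comment contrasts with "never track `main`" still lets upstream change the manifest this gate applies to the Kind cluster on every matrix row. Fetch the manifest to a file, verify a recorded sha256 before `kubectl apply`, and add a `--retry` so a transient fetch error does not fail the whole matrix; alternatively vendor the CRD into the repo and apply the local copy, which also removes the network dependency entirely. The blast radius here is an ephemeral CI cluster, but the digest line also makes "bumping this pin is a reviewed code change" concrete: URL and digest change together in one diff. The rewritten `run:` block below keeps the `kubectl wait` line unchanged.
```yaml
      - name: Install prometheus-operator ServiceMonitor CRD (issue #494)
        # … unchanged: step comment …
        run: |
          crd=/tmp/monitoring.coreos.com_servicemonitors.yaml
          curl -fsSL --retry 3 -o "$crd" \
            "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
          # <SHA256_PLACEHOLDER>: record `sha256sum` of the manifest at the pinned tag; update together with the URL when bumping
          echo "<SHA256_PLACEHOLDER>  $crd" | sha256sum -c -
          kubectl apply -f "$crd"
          kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s
```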