From 835967152fe071bd3c2ccc45eaf5437176b4aee3 Mon Sep 17 00:00:00 2001
From: Tri Lam
Date: Mon, 1 Jun 2026 23:30:14 -0700
Subject: [PATCH] ci(policy-matrix): install ServiceMonitor CRD before helm dry-run
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The chart's production preset enables `serviceMonitor.enabled=true`, which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource. Kind clusters do not ship that CRD, so `helm install --dry-run=server` exits 1 on every chart-touching PR (#476, #481, #493 all blocked).

Install ONLY the ServiceMonitor CRD (slim, ~700 lines) rather than the full prometheus-operator bundle — the chart's production preset references no other monitoring.coreos.com kinds. Applied to every matrix row, not just production, so a future default-values flip cannot silently re-break the gate.

CRD pinned to v0.91.0 (latest stable, 2026-05-05) per repo convention (KYVERNO_POLICIES_REF / GATEKEEPER_VERSION in scripts/policy-matrix-smoke.sh — never track main).

Closes #494.

Signed-off-by: Tri Lam
---
 .github/workflows/policy-matrix.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/policy-matrix.yml b/.github/workflows/policy-matrix.yml
index 906ea911..6e8d02e7 100644
--- a/.github/workflows/policy-matrix.yml
+++ b/.github/workflows/policy-matrix.yml
@@ -96,6 +96,29 @@ jobs: run: | kubectl cluster-info kubectl version + - name: Install prometheus-operator ServiceMonitor CRD (issue #494) + # The production-preset values file flips `serviceMonitor.enabled=true`, + # which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource. + # Kind does not ship that CRD, so `helm install --dry-run=server` + # exits 1 with "no matches for kind ServiceMonitor in version + # monitoring.coreos.com/v1" on every chart-touching PR (regression + # since #475). We install ONLY the ServiceMonitor CRD — the chart's + # production preset references no other monitoring.coreos.com kinds, + # and the slim CRD install (~700 lines of YAML) is cheaper than the + # full prometheus-operator bundle (~3MB) which would also pull + # Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, and + # PrometheusRule kinds we do not exercise. Applied unconditionally + # across every matrix row (not just production) so a future + # default-values flip cannot silently re-break this gate. + # + # CRD ref pinned to a tagged release (v0.91.0, published + # 2026-05-05) per repo convention `KYVERNO_POLICIES_REF` / + # `GATEKEEPER_VERSION` in scripts/policy-matrix-smoke.sh — never + # track `main`. Bumping this pin is a reviewed code change. + run: | + kubectl apply -f \ + "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml" + kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s - name: Smoke — install policy engine + helm dry-run tracecore chart env: POLICY_ENGINE: ${{ matrix.policy_engine }}
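Review bot: the `kubectl apply -f "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"` step pins to a git tag, and a tag is a mutable ref fetched over raw.githubusercontent.com with nothing in the step checking what arrived; since this job is itself the policy gate, fetch the file first and compare it against a recorded sha256 (or pin the URL to the commit SHA that v0.91.0 resolves to) before applying it, so a moved tag or a substituted download cannot change what the smoke cluster will accept. Related style point: the version literal `v0.91.0` appears only inside the URL and the comment, while the convention the comment cites (`KYVERNO_POLICIES_REF` / `GATEKEEPER_VERSION` in scripts/policy-matrix-smoke.sh) keeps pins in named variables; hoist it into a step-level `env:` value and interpolate it in the URL, so the next bump is one reviewed line and the comment cannot drift from the code. The twenty-line comment restates the commit message almost verbatim; a few lines (why the CRD is needed, why only this kind, why every matrix row) plus the `#494` reference would carry the same information. The readiness check `kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s` is the right one and correctly precedes the `helm install --dry-run=server` step.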