TraceCoreAI · trilamsr · Jun 2, 2026 · Jun 2, 2026
diff --git a/.github/workflows/policy-matrix.yml b/.github/workflows/policy-matrix.yml
@@ -96,6 +96,29 @@ jobs:
         run: |
           kubectl cluster-info
           kubectl version
+      - name: Install prometheus-operator ServiceMonitor CRD (issue #494)
+        # The production-preset values file flips `serviceMonitor.enabled=true`,
+        # which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource.
+        # Kind does not ship that CRD, so `helm install --dry-run=server`
+        # exits 1 with "no matches for kind ServiceMonitor in version
+        # monitoring.coreos.com/v1" on every chart-touching PR (regression
+        # since #475). We install ONLY the ServiceMonitor CRD — the chart's
+        # production preset references no other monitoring.coreos.com kinds,
+        # and the slim CRD install (~700 lines of YAML) is cheaper than the
+        # full prometheus-operator bundle (~3MB) which would also pull
+        # Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, and
+        # PrometheusRule kinds we do not exercise. Applied unconditionally
+        # across every matrix row (not just production) so a future
+        # default-values flip cannot silently re-break this gate.
+        #
+        # CRD ref pinned to a tagged release (v0.91.0, published
+        # 2026-05-05) per repo convention `KYVERNO_POLICIES_REF` /
+        # `GATEKEEPER_VERSION` in scripts/policy-matrix-smoke.sh — never
+        # track `main`. Bumping this pin is a reviewed code change.
+        run: |
+          kubectl apply -f \
+            "https://github.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
+          kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s
       - name: Smoke — install policy engine + helm dry-run tracecore chart
         env:
           POLICY_ENGINE: ${{ matrix.policy_engine }}