MON-4484: chore: add permissions on endpointslice to Prometheus Role and use serviceDiscoveryRole: EndpointSlice in ServiceMonitors

[machine424]

This PR migrates Prometheus service discovery from the deprecated Endpoints API to the EndpointSlices API, by:

• Setting serviceDiscoveryRole: EndpointSlice on ServiceMonitors.
• Granting Prometheus endpointslices permissions.

We're taking a conservative approach by keeping the existing endpoints permissions alongside the new endpointslices ones. This provides a safety net in case any ServiceMonitors, whether deployed from this repo or from another source, still rely on the same Role and were missed during the migration.

That said, since both resources provide essentially the same data, keeping both isn't meaningfully more permissive from a security standpoint.

These changes target OpenShift 4.22+ and should not be backported to earlier releases.

[openshift-ci-robot]

@machine424: This pull request references MON-4484 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The pull request enables EndpointSlice-based service discovery for etcd monitoring by adding a serviceDiscoveryRole: EndpointSlice field to ServiceMonitor configurations and granting necessary RBAC permissions to access endpointslices resources.

Changes

Cohort / File(s)	Summary
ServiceMonitor configurations bindata/etcd/minimal-sm.yaml, bindata/etcd/sm.yaml, manifests/0000_90_etcd-operator_03_servicemonitor.yaml	Added serviceDiscoveryRole: EndpointSlice field to ServiceMonitor spec to enable EndpointSlice-based service discovery.
RBAC role permissions bindata/etcd/prometheus-role.yaml, manifests/0000_90_etcd-operator_01_prometheusrole.yaml	Added new RBAC rule granting get, list, and watch permissions for endpointslices in the discovery.k8s.io API group.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: machine424
Once this PR has been reviewed and has the lgtm label, please assign hasbro17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@machine424: This pull request references MON-4484 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR migrates Prometheus service discovery from the deprecated Endpoints API to the EndpointSlices API, by:

• Setting serviceDiscoveryRole: EndpointSlice on ServiceMonitors.
• Granting Prometheus endpointslices permissions.

We're taking a conservative approach by keeping the existing endpoints permissions alongside the new endpointslices ones. This provides a safety net in case any ServiceMonitors, whether deployed from this repo or from another source, still rely on the same Role and were missed during the migration.

That said, since both resources provide essentially the same data, keeping both isn't meaningfully more permissive from a security standpoint.

These changes target OpenShift 4.22+ and should not be backported to earlier releases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[machine424]

/retest-required

[machine424]

/retest-required

[openshift-ci]

@machine424: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.