From ea463ece68bce98356e352e5de44b95d57e287c1 Mon Sep 17 00:00:00 2001
From: Alexander Dovnar <29893487+DovnarAlexander@users.noreply.github.com>
Date: Tue, 25 Nov 2025 17:31:25 +0300
Subject: [PATCH] Add custom authorization support for ServiceMonitor (#407)

Add support for custom authorization configuration in ServiceMonitor
to allow users to configure authorization when API keys are configured
externally. The authorization field in metrics.serviceMonitor takes
precedence over automatic API key detection from apiKey and readOnlyApiKey.

This change adds:
- authorization field to metrics.serviceMonitor in values.yaml
- Support for custom authorization in servicemonitor.yaml template
- Documentation and example in values.yaml

Co-authored-by: DovnarAlexander <dovnaralexander@users.noreply.github.com>
---
 charts/qdrant/templates/servicemonitor.yaml | 5 ++++-
 charts/qdrant/values.yaml                   | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/charts/qdrant/templates/servicemonitor.yaml b/charts/qdrant/templates/servicemonitor.yaml
index e1631e7..5b74b44 100644
--- a/charts/qdrant/templates/servicemonitor.yaml
+++ b/charts/qdrant/templates/servicemonitor.yaml
@@ -28,7 +28,10 @@ spec:
       relabelings:
 {{ tpl (toYaml .Values.metrics.serviceMonitor.relabelings | indent 8) . }}
 {{- end }}
-{{- if .Values.readOnlyApiKey }}
+{{- if .Values.metrics.serviceMonitor.authorization }}
+      authorization:
+{{ tpl (toYaml .Values.metrics.serviceMonitor.authorization | indent 8) . }}
+{{- else if .Values.readOnlyApiKey }}
       authorization:
         type: Bearer
         credentials:
diff --git a/charts/qdrant/values.yaml b/charts/qdrant/values.yaml
index cffa7ff..29604d9 100644
--- a/charts/qdrant/values.yaml
+++ b/charts/qdrant/values.yaml
@@ -217,6 +217,15 @@ metrics:
     ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
     ##
     relabelings: []
+    ## Authorization to apply to the metrics endpoint for the cases when the API key(s) are configured externally
+    ## ref: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
+    ##
+    authorization: {}
+    # authorization:
+    #   type: Bearer
+    #   credentials:
+    #     name: external-secret-with-api-key
+    #     key: api-key
 
 serviceAccount:
   annotations: {}