bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page: https://sealed-secrets.netlify.app/

Incorrect selector matchLabels on Helm chart ServiceMonitor

jnoordsij opened this issue · comments

Which component:
Helm chart

Describe the bug
In #1369 a dedicated metrics service was added to the Helm chart, which had some flaws that were pointed out in #1402. In #1403 most of the issues were fixed; however, the following issue was not addressed:

Using the Helm chart, the ServiceMonitor detects both of the sealed-secrets Service resources and attempts to scrape both.

This means that currently when using the ServiceMonitor, it attempts to scrape both the "regular" and the metrics service, while it should be only scraping the latter.

This is due to the fact that the matching is done using the {{- include "sealed-secrets.matchLabels" . | nindent 6 }} helper in servicemonitor.yaml, which uses labels that are identical and present on both services.

To Reproduce
Install the current latest version (i.e. 2.14.1) of the Helm chart with serviceMonitor.enabled set to true.

Expected behavior
ServiceMonitor only scraping the dedicated new service.

Version of Kubernetes:
N/A

Possible solution
Add some distinguishing label (e.g. app.kubernetes.io/component: metrics) to both the metrics service and the ServiceMonitor selector.matchLabels field.

Additional context
Note that this is more of a semantic issue, given that both services cover the same set of pods by default; therefore the end result is the same before and after. However, if one would like to distinguish the services/pods in some way, that currently would fail.

Hi @jnoordsij, thanks for the report! It appears we can enhance the servicemonitor definition in the Sealed Secrets charts. Please feel free to send us a PR to address the issue with the proposed solution.
Regards
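
The selector behaviour discussed in this issue, as an added example that is not part of the original thread or the chart's own code: it applies matchLabels semantics to constructed Service labels and shows why the distinguishing label has to be added to both the metrics Service and the ServiceMonitor selector. The Service names and the shared label values are assumptions; only `app.kubernetes.io/component: metrics` comes from the issue.

```python
# Added example: Kubernetes matchLabels semantics over constructed Service labels.
# Service names and the SHARED label values are assumptions, not chart output.

def match_labels(selector, labels):
    """matchLabels is an AND of equality checks; an empty selector matches everything."""
    return all(labels.get(key) == value for key, value in selector.items())


def selected_services(selector, services):
    """Names of the Services a ServiceMonitor with this selector would scrape."""
    return sorted(name for name, labels in services.items()
                  if match_labels(selector, labels))


def unexpected_targets(selector, services, intended):
    """Services selected beyond the intended set; non-empty means over-selection."""
    return [name for name in selected_services(selector, services)
            if name not in intended]


# Stand-in for the labels the shared matchLabels helper puts on both Services.
SHARED = {
    "app.kubernetes.io/name": "sealed-secrets",
    "app.kubernetes.io/instance": "sealed-secrets",
}
# Distinguishing label proposed in the issue.
COMPONENT = {"app.kubernetes.io/component": "metrics"}

# Current state described in the issue: both Services carry identical labels.
SERVICES_BEFORE = {
    "sealed-secrets": dict(SHARED),
    "sealed-secrets-metrics": dict(SHARED),
}
# Proposed state: only the metrics Service gets the extra label.
SERVICES_AFTER = {
    "sealed-secrets": dict(SHARED),
    "sealed-secrets-metrics": {**SHARED, **COMPONENT},
}
INTENDED = {"sealed-secrets-metrics"}

if __name__ == "__main__":
    fixed_selector = {**SHARED, **COMPONENT}
    print("before:", selected_services(SHARED, SERVICES_BEFORE))
    print("label only on Service:", selected_services(SHARED, SERVICES_AFTER))
    print("label only on selector:", selected_services(fixed_selector, SERVICES_BEFORE))
    print("both changed:", selected_services(fixed_selector, SERVICES_AFTER))
```

Labelling only the Service leaves the selector matching both Services, and changing only the selector leaves it matching none, so the two changes have to ship together.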