feat: add ServiceMonitors and enable metrics scraping

- SeaweedFS: enable -metricsPort=9091 on master/volume/filer, add
  service labels, create ServiceMonitor
- Gitea: enable metrics in config, create ServiceMonitor
- Hydra/Kratos: standalone ServiceMonitors (chart templates require
  .Capabilities.APIVersions unavailable in kustomize helm template)
- LiveKit: add prometheus_port=6789, standalone ServiceMonitor
  (disabled in kustomization — host firewall blocks port 6789)
- OpenSearch: revert prometheus-exporter attempt (no plugin for v3.x),
  add service label for future exporter sidecar

base/data/opensearch-deployment.yaml

@@ -24,8 +24,9 @@ spec:
       containers:
         - name: opensearch
           image: opensearchproject/opensearch:3
-          command: ["sh", "-c"]
-          args: ["opensearch-plugin install --batch prometheus-exporter || true; /usr/share/opensearch/opensearch-docker-entrypoint.sh"]
+          # OpenSearch 3.x has no maintained prometheus-exporter plugin.
+          # Metrics come from /_cluster/stats JSON API (scraped by dashboard queries).
+          # TODO: add opensearch-exporter sidecar for native Prometheus metrics.
           ports:
             - name: http
               containerPort: 9200

base/data/opensearch-service.yaml

@@ -3,6 +3,8 @@ kind: Service
 metadata:
   name: opensearch
   namespace: data
+  labels:
+    app: opensearch
 spec:
   selector:
     app: opensearch

base/data/opensearch-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: opensearch
+  namespace: data
+  labels:
+    app: opensearch
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app: opensearch
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /_prometheus/metrics

base/devtools/gitea-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: gitea
+  namespace: devtools
+  labels:
+    app: gitea
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /metrics

base/devtools/gitea-values.yaml

@@ -69,6 +69,10 @@ gitea:
       MINIO_USE_SSL:  "false"
       # MINIO_ACCESS_KEY_ID / MINIO_SECRET_ACCESS_KEY from gitea-s3-credentials Secret
 
+    metrics:
+      ENABLED: "true"
+      TOKEN: ""
+
   additionalConfigFromEnvs:
     - name: GITEA__DATABASE__PASSWD
       valueFrom:

base/media/livekit-servicemonitor.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: livekit
+  namespace: media
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: livekit-server
+  endpoints:
+    - port: metrics
+      interval: 30s
+      path: /

base/media/livekit-values.yaml

@@ -7,6 +7,7 @@ livekit:
   # LiveKit server config injected as config.yaml
   port: 7880
   log_level: info
+  prometheus_port: 6789
 
   rtc:
     port_range_start: 49152
@@ -34,6 +35,9 @@ storeKeysInSecret:
   enabled: true
   existingSecret: livekit-api-credentials
 
+# ServiceMonitor created as standalone resource (livekit-servicemonitor.yaml) —
+# chart template requires livekit.prometheus_port which conflicts with hostNetwork.
+
 deployment:
   # hostNetwork gives LiveKit direct access to the host network namespace,
   # which is the only practical way to expose the 10k-port TURN relay range

base/ory/hydra-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: hydra
+  namespace: ory
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hydra
+      app.kubernetes.io/component: admin
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /admin/metrics/prometheus

base/ory/hydra-values.yaml

@@ -47,6 +47,10 @@ hydra-maester:
     - lasuite
     - matrix
 
+# ServiceMonitor created as standalone resource (hydra-servicemonitor.yaml) —
+# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
+# kustomize helm template doesn't provide.
+
 deployment:
   extraEnv:
     - name: DSN

base/ory/kratos-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: kratos
+  namespace: ory
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kratos
+      app.kubernetes.io/component: admin
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /admin/metrics/prometheus

base/ory/kratos-values.yaml

@@ -106,6 +106,10 @@ secret:
   enabled: false
   nameOverride: kratos-app-secrets
 
+# ServiceMonitor created as standalone resource (kratos-servicemonitor.yaml) —
+# chart's built-in ServiceMonitor requires .Capabilities.APIVersions which
+# kustomize helm template doesn't provide.
+
 deployment:
   extraEnv:
     - name: DSN

base/storage/seaweedfs-filer.yaml

@@ -33,6 +33,7 @@ spec:
             - -s3.port=8333
             - -s3.config=/etc/seaweedfs/s3.json
             - -master=seaweedfs-master.storage.svc.cluster.local:9333
+            - -metricsPort=9091
           ports:
             - name: http
               containerPort: 8888
@@ -43,6 +44,9 @@ spec:
             - name: grpc
               containerPort: 18888
               protocol: TCP
+            - name: metrics
+              containerPort: 9091
+              protocol: TCP
           envFrom:
             - secretRef:
                 name: seaweedfs-s3-credentials
@@ -79,6 +83,8 @@ kind: Service
 metadata:
   name: seaweedfs-filer
   namespace: storage
+  labels:
+    app: seaweedfs-filer
 spec:
   selector:
     app: seaweedfs-filer
@@ -92,3 +98,6 @@ spec:
     - name: grpc
       port: 18888
       targetPort: 18888
+    - name: metrics
+      port: 9091
+      targetPort: 9091

base/storage/seaweedfs-master.yaml

@@ -23,6 +23,7 @@ spec:
             - -mdir=/data
             - -defaultReplication=000
             - -volumeSizeLimitMB=1000
+            - -metricsPort=9091
           ports:
             - name: http
               containerPort: 9333
@@ -30,6 +31,9 @@ spec:
             - name: grpc
               containerPort: 19333
               protocol: TCP
+            - name: metrics
+              containerPort: 9091
+              protocol: TCP
           volumeMounts:
             - name: data
               mountPath: /data
@@ -53,6 +57,8 @@ kind: Service
 metadata:
   name: seaweedfs-master
   namespace: storage
+  labels:
+    app: seaweedfs-master
 spec:
   selector:
     app: seaweedfs-master
@@ -64,3 +70,6 @@ spec:
     - name: grpc
       port: 19333
       targetPort: 19333
+    - name: metrics
+      port: 9091
+      targetPort: 9091

base/storage/seaweedfs-servicemonitor.yaml

@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: seaweedfs
+  namespace: storage
+  labels:
+    app: seaweedfs
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - seaweedfs-master
+          - seaweedfs-volume
+          - seaweedfs-filer
+  endpoints:
+    - port: metrics
+      interval: 30s
+      path: /metrics

base/storage/seaweedfs-volume.yaml

@@ -24,6 +24,7 @@ spec:
             - -mserver=seaweedfs-master.storage.svc.cluster.local:9333
             - -dir=/data
             - -max=50
+            - -metricsPort=9091
           ports:
             - name: http
               containerPort: 8080
@@ -31,6 +32,9 @@ spec:
             - name: grpc
               containerPort: 18080
               protocol: TCP
+            - name: metrics
+              containerPort: 9091
+              protocol: TCP
           volumeMounts:
             - name: data
               mountPath: /data
@@ -54,6 +58,8 @@ kind: Service
 metadata:
   name: seaweedfs-volume
   namespace: storage
+  labels:
+    app: seaweedfs-volume
 spec:
   selector:
     app: seaweedfs-volume
@@ -65,3 +71,6 @@ spec:
     - name: grpc
       port: 18080
       targetPort: 18080
+    - name: metrics
+      port: 9091
+      targetPort: 9091