GoogleCloudPlatform · yama6a · May 16, 2026 · May 16, 2026 · May 19, 2026 · May 19, 2026
diff --git a/.golangci.yml b/.golangci.yml
@@ -89,6 +89,7 @@ linters:
         - io/ioutil.ReadFile
         - io.Copy(*bytes.Buffer)
         - io.Copy(os.Stdout)
+        - (github.com/go-kit/log.Logger).Log
       # Display function signature instead of selector.
       # Default: false
       verbose: true

diff --git a/Makefile b/Makefile
@@ -82,7 +82,7 @@ clean:       ## Clean build time resources, primarily, unused docker images.
 
 .PHONY: conform
 conform:
-	docker run --rm -v ${PWD}:/src -w /src ghcr.io/siderolabs/conform:v0.1.0-alpha.27 enforce
+	docker run --rm -v ${PWD}:/src -w /src ghcr.io/siderolabs/conform:v0.1.0-alpha.31 enforce
 
 .PHONY: lint
 lint:

diff --git a/charts/operator/templates/role.yaml b/charts/operator/templates/role.yaml
@@ -68,7 +68,7 @@ rules:
 - resources:
   - configmaps
   apiGroups: [""]
-  verbs: ["list", "watch", "create"]
+  verbs: ["list", "watch", "create", "get", "patch", "update", "delete"]
 - resources:
   - configmaps
   apiGroups: [""]
@@ -185,3 +185,22 @@ rules:
   - gmp-operator
   verbs: ["delete"]
 {{- end -}}
+{{- if .Values.collector.rbac.create -}}
+  {{- if .Values.operator.rbac.create }}
+---
+  {{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: collector
+  namespace: {{.Values.namespace.system}}
+  {{- if .Values.commonLabels }}
+  labels:
+    {{- include "prometheus-engine.labels" . | nindent 4 }}
+  {{- end }}
+rules:
+- resources:
+  - configmaps
+  apiGroups: [""]
+  verbs: ["get", "list", "watch"]
+{{- end -}}
diff --git a/charts/operator/templates/rolebinding.yaml b/charts/operator/templates/rolebinding.yaml
@@ -103,4 +103,21 @@ subjects:
 - name: collector
   namespace: {{.Values.namespace.system}}
   kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: collector
+  namespace: {{.Values.namespace.system}}
+  {{- if .Values.commonLabels }}
+  labels:
+    {{- include "prometheus-engine.labels" . | nindent 4 }}
+  {{- end }}
+roleRef:
+  name: collector
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- name: collector
+  kind: ServiceAccount
 {{- end -}}
diff --git a/charts/operator/templates/rule-evaluator.yaml b/charts/operator/templates/rule-evaluator.yaml
@@ -44,10 +44,13 @@ spec:
       initContainers:
       - name: config-init
         image: {{.Values.images.bash.image}}:{{.Values.images.bash.tag}}
-        command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml']
+        # placeholder.yaml keeps rule_files glob non-empty until the syncer populates rules-out.
+        command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml /prometheus/rules_out/placeholder.yaml']
         volumeMounts:
         - name: config-out
           mountPath: /prometheus/config_out
+        - name: rules-out
+          mountPath: /prometheus/rules_out
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -99,6 +102,8 @@ spec:
         - --config-file=/prometheus/config/config.yaml
         - --config-file-output=/prometheus/config_out/config.yaml
         - --config-dir=/etc/rules
+        - --config-dir-from-configmap-selector=monitoring.googleapis.com/rules-shard=true
+        - --config-dir-from-configmap-namespace={{.Values.namespace.system}}
         - --config-dir-output=/prometheus/rules_out
         - --watched-dir=/etc/secrets
         - --reload-url=http://127.0.0.1:19092/-/reload
@@ -115,7 +120,6 @@ spec:
         - name: config-out
           mountPath: /prometheus/config_out
         - name: rules
-          readOnly: true
           mountPath: /etc/rules
         - name: rules-out
           mountPath: /prometheus/rules_out
@@ -137,9 +141,7 @@ spec:
       - name: config-out
         emptyDir: {}
       - name: rules
-        configMap:
-          name: rules-generated
-          defaultMode: 420
+        emptyDir: {}
       - name: rules-out
         emptyDir: {}
       - name: rules-secret

diff --git a/cmd/config-reloader/README.md b/cmd/config-reloader/README.md
@@ -9,6 +9,10 @@ Meant to be run as a sidecar.
 Usage of config-reloader:
   -config-dir string
     	config directory to watch for changes
+  -config-dir-from-configmap-namespace string
+    	namespace to list ConfigMaps from (required when --config-dir-from-configmap-selector is set)
+  -config-dir-from-configmap-selector string
+    	label selector to discover ConfigMaps via K8s API (e.g. monitoring.googleapis.com/rules-shard=true). When set, materialized ConfigMap entries are written into --config-dir-output alongside any files from --config-dir.
   -config-dir-output string
     	config directory to write with interpolated environment variables
   -config-file string

diff --git a/cmd/config-reloader/internal/syncer.go b/cmd/config-reloader/internal/syncer.go
@@ -0,0 +1,180 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internal
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+// ConfigMapSyncer materializes ConfigMaps matched by selector into files
+// under outputDir. ConfigMaps whose name does not start with namePrefix are
+// skipped.
+type ConfigMapSyncer struct {
+	client     kubernetes.Interface
+	namespace  string
+	selector   string
+	namePrefix string
+	outputDir  string
+	logger     log.Logger
+	interval   time.Duration
+
+	lastHash string
+}
+
+// NewConfigMapSyncer constructs a syncer using in-cluster credentials.
+// Empty namePrefix disables the name check.
+func NewConfigMapSyncer(namespace, selector, namePrefix, outputDir string, interval time.Duration, logger log.Logger) (*ConfigMapSyncer, error) {
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+	client, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return nil, err
+	}
+	return newConfigMapSyncerWithClient(client, namespace, selector, namePrefix, outputDir, interval, logger), nil
+}
+
+func newConfigMapSyncerWithClient(client kubernetes.Interface, namespace, selector, namePrefix, outputDir string, interval time.Duration, logger log.Logger) *ConfigMapSyncer {
+	return &ConfigMapSyncer{
+		client:     client,
+		namespace:  namespace,
+		selector:   selector,
+		namePrefix: namePrefix,
+		outputDir:  outputDir,
+		interval:   interval,
+		logger:     logger,
+	}
+}
+
+// Sync runs one list-and-write cycle. It returns whether any file changed.
+func (s *ConfigMapSyncer) Sync(ctx context.Context) (bool, error) {
+	cmList, err := s.client.CoreV1().ConfigMaps(s.namespace).List(ctx, metav1.ListOptions{
+		LabelSelector: s.selector,
+	})
+	if err != nil {
+		return false, fmt.Errorf("list configmaps: %w", err)
+	}
+
+	files := make(map[string][]byte)
+	for i := range cmList.Items {
+		cm := &cmList.Items[i]
+		if s.namePrefix != "" && !strings.HasPrefix(cm.Name, s.namePrefix) {
+			level.Warn(s.logger).Log("msg", "ignoring configmap with unexpected name", "name", cm.Name, "want_prefix", s.namePrefix)
+			continue
+		}
+		for k, v := range cm.Data {
+			files[cm.Name+"__"+k] = []byte(v)
+		}
+		for k, v := range cm.BinaryData {
+			files[cm.Name+"__"+k] = v
+		}
+	}
+
+	hash := hashFiles(files)
+	if hash == s.lastHash {
+		return false, nil
+	}
+
+	if err := s.writeFiles(files); err != nil {
+		return false, err
+	}
+
+	s.lastHash = hash
+	level.Info(s.logger).Log("msg", "synced configmap rules", "configmaps", len(cmList.Items), "files", len(files))
+	return true, nil
+}
+
+// Run does an initial Sync and then re-syncs on every interval until ctx is cancelled.
+func (s *ConfigMapSyncer) Run(ctx context.Context) error {
+	// Best-effort initial sync; the reloader will pick up files on its next poll cycle.
+	if _, err := s.Sync(ctx); err != nil {
+		level.Warn(s.logger).Log("msg", "initial configmap sync failed", "err", err)
+	}
+	ticker := time.NewTicker(s.interval)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-ticker.C:
+			if _, err := s.Sync(ctx); err != nil {
+				level.Warn(s.logger).Log("msg", "configmap sync failed", "err", err)
+			}
+		}
+	}
+}
+
+func (s *ConfigMapSyncer) writeFiles(files map[string][]byte) error {
+	if err := os.MkdirAll(s.outputDir, 0o755); err != nil {
+		return err
+	}
+
+	for name, data := range files {
+		if filepath.Base(name) != name {
+			continue
+		}
+		if err := os.WriteFile(filepath.Join(s.outputDir, name), data, 0o644); err != nil {
+			return err
+		}
+	}
+
+	entries, err := os.ReadDir(s.outputDir)
+	if err != nil {
+		return err
+	}
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		if _, ok := files[e.Name()]; !ok {
+			if err := os.Remove(filepath.Join(s.outputDir, e.Name())); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func hashFiles(files map[string][]byte) string {
+	h := sha256.New()
+
+	keys := make([]string, 0, len(files))
+	for k := range files {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	for _, k := range keys {
+		fmt.Fprintf(h, "%s\x00", k)
+		_, _ = h.Write(files[k])
+		_, _ = h.Write([]byte{0})
+	}
+	return fmt.Sprintf("%x", h.Sum(nil))
+}