We need to add clarification to the OCP docs that ServiceMonitor and PodMonitor objects can only use bearer tokens referenced by Kubernetes Secrets to authenticate to service endpoints in user workload monitoring. In particular, a service monitor defining the ".spec.endpoints[].bearerTokenFile" field (and others to be defined by engineering) will be rejected.

Probably the best place to add info about auth methods would be here: https://docs.openshift.com/container-platform/4.11/monitoring/managing-metrics.html#specifying-how-a-service-is-monitored_managing-metrics