Feature Request
Resolution: Unresolved
Blocker
openshift-4.18
Product / Portfolio Work
1. Proposed title of this feature request:
Allow custom ServiceAccounts or configurable authentication for Cluster Version Operator (CVO) metrics endpoint
2. What is the nature and description of the request?
The customer requests a product enhancement to modify the authentication behavior of the Cluster Version Operator (CVO) metrics endpoint (:9099/metrics). Currently, this endpoint appears to enforce a strict, hardcoded allow-list that only trusts the specific system identity system:serviceaccount:openshift-monitoring:prometheus-k8s.
The customer requests two specific options to address this:
1. Disable Authentication: The ability to disable the authentication requirement for the CVO metrics endpoint entirely.
2. Support Custom ServiceAccounts: The ability for the endpoint to accept custom ServiceAccounts via standard RBAC, removing the limitation of hard-coded identities.
3. Why does the customer need this? (List the business requirements here)
• Third-Party Observability Support: The customer uses Grafana Alloy agents rather than the default in-cluster Prometheus stack to scrape metrics. The current security hardening prevents these custom agents from authenticating, even when assigned the correct ClusterRoles.
• Security and Governance Audit Compliance: The current workaround requires generating and sharing a token for the privileged prometheus-k8s system account with other teams/tools. This creates "audit smell" and security concerns regarding the handling of long-lived system tokens.
• Architectural Flexibility: The customer notes that centralized Prometheus solutions which do not deploy the standard openshift-monitoring stack on every cluster would be unable to scrape these metrics under the current restrictions.
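To make the difference concrete between the hardcoded allow-list described above and the RBAC-based authorization the request asks for, the following Go example (added here; not CVO code and not from the ticket) models both checks side by side. The Rule and Binding types, the "alloy" ServiceAccount and its namespace are constructed assumptions; the nonResourceURL and ServiceAccount-group matching follows Kubernetes RBAC semantics.

```go
package main

import (
	"slices"
	"strings"
)

// Identity the ticket says the CVO metrics endpoint currently trusts.
const hardcodedScraper = "system:serviceaccount:openshift-monitoring:prometheus-k8s"

// allowListAuthorize models the current behaviour: one fixed identity, whatever ClusterRoles the caller holds.
func allowListAuthorize(user string) bool { return user == hardcodedScraper }

// Rule and Binding are constructed stand-ins for a ClusterRole nonResourceURLs rule and a ClusterRoleBinding subject.
type Rule struct{ Verbs, NonResourceURLs []string }
type Binding struct {
	Subject string // user or group name
	Rules   []Rule
}

// matchURL follows Kubernetes nonResourceURL semantics: exact match, or prefix match when the rule ends with "*".
func matchURL(rule, path string) bool {
	return rule == path || (strings.HasSuffix(rule, "*") && strings.HasPrefix(path, strings.TrimSuffix(rule, "*")))
}

// subjectsFor returns the user name plus the groups Kubernetes attaches to a ServiceAccount token.
func subjectsFor(user string) []string {
	subjects := []string{user}
	if p := strings.Split(user, ":"); len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" {
		subjects = append(subjects, "system:serviceaccounts", "system:serviceaccounts:"+p[2])
	}
	return subjects
}

// rbacAuthorize is the check the request asks for: any subject bound to a rule granting verb on path may scrape.
func rbacAuthorize(bindings []Binding, user, verb, path string) bool {
	subjects := subjectsFor(user)
	for _, b := range bindings {
		if !slices.Contains(subjects, b.Subject) {
			continue
		}
		for _, r := range b.Rules {
			verbOK := slices.Contains(r.Verbs, verb) || slices.Contains(r.Verbs, "*")
			if verbOK && slices.ContainsFunc(r.NonResourceURLs, func(u string) bool { return matchURL(u, path) }) {
				return true
			}
		}
	}
	return false
}
```

With the RBAC check, a team's scraper ServiceAccount gets a binding on `/metrics` instead of a copy of the prometheus-k8s token, which is exactly the audit concern the workaround raises.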
4. List any affected packages or components.
cluster-version-operator