diff --git a/magefiles/operator.go b/magefiles/operator.go
index ea31658b86..caba8af821 100644
--- a/magefiles/operator.go
+++ b/magefiles/operator.go
@@ -796,9 +796,41 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
 				},
 			},
 		},
-
-		// Deployment
 		operatorDeployment(namespace, m),
+		operatorServingCertConfigMap(namespace),
+	}
+}
+
+func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "thanos-operator-serving-cert",
+			Namespace: namespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/component":  "manager",
+				"app.kubernetes.io/created-by": "thanos-operator",
+				"app.kubernetes.io/instance":   "controller-manager",
+				"app.kubernetes.io/managed-by": "rhobs",
+				"app.kubernetes.io/name":       "configmap",
+				"app.kubernetes.io/part-of":    "thanos-operator",
+			},
+			Annotations: map[string]string{
+				"service.beta.openshift.io/inject-cabundle": "true",
+			},
+		},
+		Data: map[string]string{
+			"config.yaml": `"authorization":
+  "static":
+  - "path": "/metrics"
+    "resourceRequest": false
+    "user":
+      "name": "system:serviceaccount:openshift-customer-monitoring:prometheus-k8s"
+    "verb": "get"`,
+		},
 	}
 }
 
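Review bot: `operatorServingCertConfigMap` puts the `service.beta.openshift.io/inject-cabundle` annotation on the same ConfigMap that carries the static authorization `config.yaml`. OpenShift's documentation for that annotation warns that existing data in an annotated ConfigMap is deleted when the bundle is injected and recommends a separate ConfigMap for the CA, so the `config.yaml` key may not survive on the cluster; keeping the policy in its own un-annotated ConfigMap avoids that. The function also has no doc comment, and its name says "serving cert" although it holds an access grant; something like `// operatorServingCertConfigMap returns the kube-rbac-proxy config that statically authorizes the prometheus-k8s service account to GET /metrics.` would make that visible. The subject `system:serviceaccount:openshift-customer-monitoring:prometheus-k8s` is hard-coded, so confirm it is the same in every environment this template is rendered for.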
@@ -860,6 +892,8 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 								"--v=4",
 								"--tls-cert-file=/etc/tls/private/tls.crt",
 								"--tls-private-key-file=/etc/tls/private/tls.key",
+								"--client-ca-file=/etc/service-ca/service-ca.crt",
+								"--config-file=/etc/service-ca/config.yaml",
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
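Review bot: `--config-file=/etc/service-ca/config.yaml` points into the `service-ca` volume, but the volume added in the last hunk of `operatorDeployment` is sourced from the `openshift-service-ca.crt` ConfigMap, while `config.yaml` is defined in `thanos-operator-serving-cert`, which no visible line mounts. Unless `openshift-service-ca.crt` carries a `config.yaml` key (it normally holds only `service-ca.crt`), kube-rbac-proxy is likely to fail to read its config file, and the static `/metrics` authorization would not take effect. Either point the volume at the new ConfigMap, `Name: "thanos-operator-serving-cert"`, or add a second volume and mount for the authorization config and adjust the flag path. The same mismatch is carried into the volume-mount and volume hunks below and into the rendered `staging/operator.yaml`; the function body continues outside this hunk.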
@@ -867,6 +901,11 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 									MountPath: "/etc/tls/private",
 									ReadOnly:  true,
 								},
+								{
+									Name:      "service-ca",
+									MountPath: "/etc/service-ca",
+									ReadOnly:  true,
+								},
 							},
 							Ports: []corev1.ContainerPort{
 								{
@@ -943,6 +982,18 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 								},
 							},
 						},
+						{
+							Name: "service-ca",
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "openshift-service-ca.crt",
+									},
+									DefaultMode: ptr.To(int32(420)),
+									Optional:    ptr.To(false),
+								},
+							},
+						},
 					},
 					ServiceAccountName:            "thanos-operator-controller-manager",
 					TerminationGracePeriodSeconds: ptr.To(int64(10)),
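Review bot: The `service-ca` volume makes the cluster service CA bundle the trust root for `--client-ca-file`, and nothing in the change records which clients are expected to present certificates chaining to it. A comment above the volume, for example `// service CA bundle: kube-rbac-proxy verifies client certificates against it before the static authorization in config.yaml is evaluated`, would document the intended trust boundary. It is also worth confirming that the scraper's client certificate is actually issued by this CA rather than by a dedicated metrics client CA, since a CA shared by many workloads accepts more certificates at the authentication step than a single scraper needs. The enclosing `operatorDeployment` body starts and ends outside the hunk.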
diff --git a/resources/services/bundle/staging/operator.yaml b/resources/services/bundle/staging/operator.yaml
index 9f39ce5958..c111d9653d 100755
--- a/resources/services/bundle/staging/operator.yaml
+++ b/resources/services/bundle/staging/operator.yaml
@@ -70,6 +70,8 @@ objects:
           - --v=4
           - --tls-cert-file=/etc/tls/private/tls.crt
           - --tls-private-key-file=/etc/tls/private/tls.key
+          - --client-ca-file=/etc/service-ca/service-ca.crt
+          - --config-file=/etc/service-ca/config.yaml
           image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:98455d503b797b6b02edcfd37045c8fab0796b95ee5cf4cfe73b221a07e805f0
           imagePullPolicy: IfNotPresent
           name: kube-rbac-proxy
@@ -93,6 +95,9 @@ objects:
           - mountPath: /etc/tls/private
             name: tls
             readOnly: true
+          - mountPath: /etc/service-ca
+            name: service-ca
+            readOnly: true
         - args:
           - --health-probe-bind-address=:8081
           - --metrics-bind-address=127.0.0.1:8080
@@ -146,6 +151,11 @@ objects:
             defaultMode: 420
             optional: false
             secretName: kube-rbac-proxy-tls
+        - configMap:
+            defaultMode: 420
+            name: openshift-service-ca.crt
+            optional: false
+          name: service-ca
   status: {}
 - apiVersion: v1
   kind: ServiceAccount
@@ -429,6 +439,30 @@ objects:
   - kind: ServiceAccount
     name: thanos-operator-controller-manager
     namespace: rhobs-stage
+- apiVersion: v1
+  data:
+    config.yaml: |-
+      "authorization":
+        "static":
+        - "path": "/metrics"
+          "resourceRequest": false
+          "user":
+            "name": "system:serviceaccount:openshift-customer-monitoring:prometheus-k8s"
+          "verb": "get"
+  kind: ConfigMap
+  metadata:
+    annotations:
+      service.beta.openshift.io/inject-cabundle: "true"
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: manager
+      app.kubernetes.io/created-by: thanos-operator
+      app.kubernetes.io/instance: controller-manager
+      app.kubernetes.io/managed-by: rhobs
+      app.kubernetes.io/name: configmap
+      app.kubernetes.io/part-of: thanos-operator
+    name: thanos-operator-serving-cert
+    namespace: rhobs-stage
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata: