feat: version upgrades for kubezero-metrics

charts/kubezero-metrics/README.md

@@ -1,6 +1,6 @@
 # kubezero-metrics
 
-![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.6](https://img.shields.io/badge/Version-0.9.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
 
@@ -19,9 +19,9 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 54.2.2 |
+| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 57.2.0 |
-| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.9.0 |
+| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.9.1 |
-| https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.4.2 |
+| https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.8.0 |
 
 ## Values
 
@@ -177,29 +177,30 @@ Kubernetes: `>= 1.26.0`
 | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` |  |
 | kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` |  |
 | kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
-| kube-prometheus-stack.prometheusOperator.resources.limits.memory | string | `"64Mi"` |  |
+| kube-prometheus-stack.prometheusOperator.resources.limits.memory | string | `"128Mi"` |  |
-| kube-prometheus-stack.prometheusOperator.resources.requests.cpu | string | `"20m"` |  |
+| kube-prometheus-stack.prometheusOperator.resources.requests.cpu | string | `"10m"` |  |
-| kube-prometheus-stack.prometheusOperator.resources.requests.memory | string | `"32Mi"` |  |
+| kube-prometheus-stack.prometheusOperator.resources.requests.memory | string | `"64Mi"` |  |
 | kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` |  |
 | kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | prometheus-adapter.enabled | bool | `true` |  |
 | prometheus-adapter.logLevel | int | `1` |  |
+| prometheus-adapter.metricsRelistInterval | string | `"3m"` |  |
 | prometheus-adapter.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | prometheus-adapter.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus"` |  |
 | prometheus-adapter.rules.default | bool | `false` |  |
 | prometheus-adapter.rules.resource.cpu.containerLabel | string | `"container"` |  |
-| prometheus-adapter.rules.resource.cpu.containerQuery | string | `"sum(irate(container_cpu_usage_seconds_total{<<.LabelMatchers>>,container!=\"POD\",container!=\"\",pod!=\"\"}[5m])) by (<<.GroupBy>>)"` |  |
+| prometheus-adapter.rules.resource.cpu.containerQuery | string | `"sum by (<<.GroupBy>>) (\n  irate (\n      container_cpu_usage_seconds_total{<<.LabelMatchers>>,container!=\"\",pod!=\"\"}[120s]\n  )\n)\n"` |  |
-| prometheus-adapter.rules.resource.cpu.nodeQuery | string | `"sum(1 - irate(node_cpu_seconds_total{mode=\"idle\"}[5m]) * on(namespace, pod) group_left(node) node_namespace_pod:kube_pod_info:{<<.LabelMatchers>>}) by (<<.GroupBy>>)"` |  |
+| prometheus-adapter.rules.resource.cpu.nodeQuery | string | `"sum(1 - irate(node_cpu_seconds_total{<<.LabelMatchers>>, mode=\"idle\"}[120s])) by (<<.GroupBy>>)\n"` |  |
+| prometheus-adapter.rules.resource.cpu.resources.overrides.instance.resource | string | `"node"` |  |
 | prometheus-adapter.rules.resource.cpu.resources.overrides.namespace.resource | string | `"namespace"` |  |
-| prometheus-adapter.rules.resource.cpu.resources.overrides.node.resource | string | `"node"` |  |
 | prometheus-adapter.rules.resource.cpu.resources.overrides.pod.resource | string | `"pod"` |  |
 | prometheus-adapter.rules.resource.memory.containerLabel | string | `"container"` |  |
-| prometheus-adapter.rules.resource.memory.containerQuery | string | `"sum(container_memory_working_set_bytes{<<.LabelMatchers>>,container!=\"POD\",container!=\"\",pod!=\"\"}) by (<<.GroupBy>>)"` |  |
+| prometheus-adapter.rules.resource.memory.containerQuery | string | `"sum by (<<.GroupBy>>) (\n  container_memory_working_set_bytes{<<.LabelMatchers>>,container!=\"\",pod!=\"\",container!=\"POD\"}\n)\n"` |  |
-| prometheus-adapter.rules.resource.memory.nodeQuery | string | `"sum(node_memory_MemTotal_bytes{job=\"node-exporter\",<<.LabelMatchers>>} - node_memory_MemAvailable_bytes{job=\"node-exporter\",<<.LabelMatchers>>}) by (<<.GroupBy>>)"` |  |
+| prometheus-adapter.rules.resource.memory.nodeQuery | string | `"sum(node_memory_MemTotal_bytes{<<.LabelMatchers>>} - node_memory_MemAvailable_bytes{<<.LabelMatchers>>}) by (<<.GroupBy>>)\n"` |  |
+| prometheus-adapter.rules.resource.memory.resources.overrides.instance.resource | string | `"node"` |  |
 | prometheus-adapter.rules.resource.memory.resources.overrides.namespace.resource | string | `"namespace"` |  |
-| prometheus-adapter.rules.resource.memory.resources.overrides.node.resource | string | `"node"` |  |
 | prometheus-adapter.rules.resource.memory.resources.overrides.pod.resource | string | `"pod"` |  |
-| prometheus-adapter.rules.resource.window | string | `"5m"` |  |
+| prometheus-adapter.rules.resource.window | string | `"2m"` |  |
 | prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` |  |
 | prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | prometheus-pushgateway.enabled | bool | `false` |  |

charts/kubezero-metrics/charts/kube-prometheus-stack/.editorconfig

@@ -0,0 +1,5 @@
+root = true
+
+[files/dashboards/*.json]
+indent_size = 2
+indent_style = space

charts/kubezero-metrics/charts/kube-prometheus-stack/.helmignore

@@ -26,3 +26,4 @@ ci/
 kube-prometheus-*.tgz
 
 unittests/
+files/dashboards/

charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml

@@ -7,7 +7,7 @@ annotations:
       url: https://github.com/prometheus-operator/kube-prometheus
   artifacthub.io/operator: "true"
 apiVersion: v2
-appVersion: v0.69.1
+appVersion: v0.72.0
 dependencies:
 - condition: crds.enabled
   name: crds
@@ -16,19 +16,19 @@ dependencies:
 - condition: kubeStateMetrics.enabled
   name: kube-state-metrics
   repository: https://prometheus-community.github.io/helm-charts
-  version: 5.15.*
+  version: 5.18.*
 - condition: nodeExporter.enabled
   name: prometheus-node-exporter
   repository: https://prometheus-community.github.io/helm-charts
-  version: 4.24.*
+  version: 4.32.*
 - condition: grafana.enabled
   name: grafana
   repository: https://grafana.github.io/helm-charts
-  version: 7.0.*
+  version: 7.3.*
 - condition: windowsMonitoring.enabled
   name: prometheus-windows-exporter
   repository: https://prometheus-community.github.io/helm-charts
-  version: 0.1.*
+  version: 0.3.*
 description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards,
   and Prometheus rules combined with documentation and scripts to provide easy to
   operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus
@@ -49,6 +49,8 @@ maintainers:
   name: gkarthiks
 - email: kube-prometheus-stack@sisti.pt
   name: GMartinez-Sisti
+- email: github@jkroepke.de
+  name: jkroepke
 - email: scott@r6by.com
   name: scottrigby
 - email: miroslav.hadzhiev@gmail.com
@@ -60,4 +62,4 @@ sources:
 - https://github.com/prometheus-community/helm-charts
 - https://github.com/prometheus-operator/kube-prometheus
 type: application
-version: 54.2.2
+version: 57.2.0

charts/kubezero-metrics/charts/kube-prometheus-stack/README.md

@@ -82,6 +82,63 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen
 
 A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions.
 
+### From 56.x to 57.x
+
+This version upgrades Prometheus-Operator to v0.72.0
+
+Run these commands to update the CRDs before applying the upgrade.
+
+```console
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
+```
+
+### From 55.x to 56.x
+
+This version upgrades Prometheus-Operator to v0.71.0, Prometheus to 2.49.1
+
+Run these commands to update the CRDs before applying the upgrade.
+
+```console
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.71.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
+```
+
+### From 54.x to 55.x
+
+This version upgrades Prometheus-Operator to v0.70.0
+
+Run these commands to update the CRDs before applying the upgrade.
+
+```console
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
+```
+
 ### From 53.x to 54.x
 
 Grafana Helm Chart has bumped to version 7

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/crds/crds/crd-prometheusrules.yaml

@@ -1,133 +1,112 @@
-# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.69.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.72.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-    operator.prometheus.io/version: 0.69.1
+    operator.prometheus.io/version: 0.72.0
     argocd.argoproj.io/sync-options: ServerSideApply=true
-  creationTimestamp: null
   name: prometheusrules.monitoring.coreos.com
 spec:
   group: monitoring.coreos.com
   names:
     categories:
-    - prometheus-operator
+      - prometheus-operator
     kind: PrometheusRule
     listKind: PrometheusRuleList
     plural: prometheusrules
     shortNames:
-    - promrule
+      - promrule
     singular: prometheusrule
   scope: Namespaced
   versions:
-  - name: v1
+    - name: v1
-    schema:
+      schema:
-      openAPIV3Schema:
+        openAPIV3Schema:
-        description: PrometheusRule defines recording and alerting rules for a Prometheus
+          description: PrometheusRule defines recording and alerting rules for a Prometheus instance
-          instance
+          properties:
-        properties:
+            apiVersion:
-          apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            description: 'APIVersion defines the versioned schema of this representation
+              type: string
-              of an object. Servers should convert recognized schemas to the latest
+            kind:
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
+              type: string
-          kind:
+            metadata:
-            description: 'Kind is a string value representing the REST resource this
+              type: object
-              object represents. Servers may infer this from the endpoint the client
+            spec:
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              description: Specification of desired alerting rule definitions for Prometheus.
-            type: string
+              properties:
-          metadata:
+                groups:
-            type: object
+                  description: Content of Prometheus rule file
-          spec:
+                  items:
-            description: Specification of desired alerting rule definitions for Prometheus.
+                    description: RuleGroup is a list of sequentially evaluated recording and alerting rules.
-            properties:
+                    properties:
-              groups:
+                      interval:
-                description: Content of Prometheus rule file
+                        description: Interval determines how often rules in the group are evaluated.
-                items:
+                        pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
-                  description: RuleGroup is a list of sequentially evaluated recording
+                        type: string
-                    and alerting rules.
+                      limit:
-                  properties:
+                        description: Limit the number of alerts an alerting rule and series a recording rule can produce. Limit is supported starting with Prometheus >= 2.31 and Thanos Ruler >= 0.24.
-                    interval:
+                        type: integer
-                      description: Interval determines how often rules in the group
+                      name:
-                        are evaluated.
+                        description: Name of the rule group.
-                      pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
+                        minLength: 1
-                      type: string
+                        type: string
-                    limit:
+                      partial_response_strategy:
-                      description: Limit the number of alerts an alerting rule and
+                        description: 'PartialResponseStrategy is only used by ThanosRuler and will be ignored by Prometheus instances. More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response'
-                        series a recording rule can produce. Limit is supported starting
+                        pattern: ^(?i)(abort|warn)?$
-                        with Prometheus >= 2.31 and Thanos Ruler >= 0.24.
+                        type: string
-                      type: integer
+                      rules:
-                    name:
+                        description: List of alerting and recording rules.
-                      description: Name of the rule group.
+                        items:
-                      minLength: 1
+                          description: 'Rule describes an alerting or recording rule See Prometheus documentation: [alerting](https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) or [recording](https://www.prometheus.io/docs/prometheus/latest/configuration/recording_rules/#recording-rules) rule'
-                      type: string
+                          properties:
-                    partial_response_strategy:
+                            alert:
-                      description: 'PartialResponseStrategy is only used by ThanosRuler
+                              description: Name of the alert. Must be a valid label value. Only one of `record` and `alert` must be set.
-                        and will be ignored by Prometheus instances. More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response'
-                      pattern: ^(?i)(abort|warn)?$
-                      type: string
-                    rules:
-                      description: List of alerting and recording rules.
-                      items:
-                        description: 'Rule describes an alerting or recording rule
-                          See Prometheus documentation: [alerting](https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules/)
-                          or [recording](https://www.prometheus.io/docs/prometheus/latest/configuration/recording_rules/#recording-rules)
-                          rule'
-                        properties:
-                          alert:
-                            description: Name of the alert. Must be a valid label
-                              value. Only one of `record` and `alert` must be set.
-                            type: string
-                          annotations:
-                            additionalProperties:
                               type: string
-                            description: Annotations to add to each alert. Only valid
+                            annotations:
-                              for alerting rules.
+                              additionalProperties:
-                            type: object
+                                type: string
-                          expr:
+                              description: Annotations to add to each alert. Only valid for alerting rules.
-                            anyOf:
+                              type: object
-                            - type: integer
+                            expr:
-                            - type: string
+                              anyOf:
-                            description: PromQL expression to evaluate.
+                                - type: integer
-                            x-kubernetes-int-or-string: true
+                                - type: string
-                          for:
+                              description: PromQL expression to evaluate.
-                            description: Alerts are considered firing once they have
+                              x-kubernetes-int-or-string: true
-                              been returned for this long.
+                            for:
-                            pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
+                              description: Alerts are considered firing once they have been returned for this long.
-                            type: string
+                              pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
-                          keep_firing_for:
-                            description: KeepFiringFor defines how long an alert will
-                              continue firing after the condition that triggered it
-                              has cleared.
-                            minLength: 1
-                            pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
-                            type: string
-                          labels:
-                            additionalProperties:
                               type: string
-                            description: Labels to add or overwrite.
+                            keep_firing_for:
-                            type: object
+                              description: KeepFiringFor defines how long an alert will continue firing after the condition that triggered it has cleared.
-                          record:
+                              minLength: 1
-                            description: Name of the time series to output to. Must
+                              pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$
-                              be a valid metric name. Only one of `record` and `alert`
+                              type: string
-                              must be set.
+                            labels:
-                            type: string
+                              additionalProperties:
-                        required:
+                                type: string
-                        - expr
+                              description: Labels to add or overwrite.
-                        type: object
+                              type: object
-                      type: array
+                            record:
-                  required:
+                              description: Name of the time series to output to. Must be a valid metric name. Only one of `record` and `alert` must be set.
-                  - name
+                              type: string
-                  type: object
+                          required:
-                type: array
+                            - expr
-                x-kubernetes-list-map-keys:
+                          type: object
-                - name
+                        type: array
-                x-kubernetes-list-type: map
+                    required:
-            type: object
+                      - name
-        required:
+                    type: object
-        - spec
+                  type: array
-        type: object
+                  x-kubernetes-list-map-keys:
-    served: true
+                    - name
-    storage: true
+                  x-kubernetes-list-type: map
+              type: object
+          required:
+            - spec
+          type: object
+      served: true
+      storage: true

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml

@@ -1,15 +1,15 @@
 annotations:
-  artifacthub.io/license: AGPL-3.0-only
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/links: |
     - name: Chart Source
       url: https://github.com/grafana/helm-charts
     - name: Upstream Project
       url: https://github.com/grafana/grafana
 apiVersion: v2
-appVersion: 10.1.5
+appVersion: 10.4.0
 description: The leading tool for querying and visualizing time series and metrics.
-home: https://grafana.net
+home: https://grafana.com
-icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
+icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116
 keywords:
 - monitoring
 - metric
@@ -30,4 +30,4 @@ sources:
 - https://github.com/grafana/grafana
 - https://github.com/grafana/helm-charts
 type: application
-version: 7.0.8
+version: 7.3.7

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md

@@ -136,6 +136,8 @@ need to instead set `global.imageRegistry`.
 | `enableServiceLinks`                      | Inject Kubernetes services as environment variables. | `true`                                           |
 | `extraSecretMounts`                       | Additional grafana server secret mounts       | `[]`                                                    |
 | `extraVolumeMounts`                       | Additional grafana server volume mounts       | `[]`                                                    |
+| `extraVolumes`                            | Additional Grafana server volumes             | `[]`                                                    |
+| `automountServiceAccountToken`            | Mounted the service account token on the grafana pod. Mandatory, if sidecars are enabled  | `true`      |
 | `createConfigmap`                         | Enable creating the grafana configmap         | `true`                                                  |
 | `extraConfigmapMounts`                    | Additional grafana server configMap volume mounts (values are templated) | `[]`                         |
 | `extraEmptyDirMounts`                     | Additional grafana server emptyDir volume mounts | `[]`                                                 |
@@ -160,7 +162,7 @@ need to instead set `global.imageRegistry`.
 | `lifecycleHooks`                          | Lifecycle hooks for podStart and preStop [Example](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/#define-poststart-and-prestop-handlers)     | `{}`                                                    |
 | `sidecar.image.registry`                  | Sidecar image registry                        | `quay.io`                          |
 | `sidecar.image.repository`                | Sidecar image repository                      | `kiwigrid/k8s-sidecar`                          |
-| `sidecar.image.tag`                       | Sidecar image tag                             | `1.24.6`                                                |
+| `sidecar.image.tag`                       | Sidecar image tag                             | `1.26.0`                                                |
 | `sidecar.image.sha`                       | Sidecar image sha (optional)                  | `""`                                                    |
 | `sidecar.imagePullPolicy`                 | Sidecar image pull policy                     | `IfNotPresent`                                          |
 | `sidecar.resources`                       | Sidecar resources                             | `{}`                                                    |
@@ -174,7 +176,7 @@ need to instead set `global.imageRegistry`.
 | `sidecar.alerts.resource`            | Should the sidecar looks into secrets, configmaps or both. | `both`                               |
 | `sidecar.alerts.reloadURL`           | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` |
 | `sidecar.alerts.skipReload`          | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` |
-| `sidecar.alerts.initDatasources`     | Set to true to deploy the datasource sidecar as an initContainer.  This is needed if skipReload is true, to load any alerts defined at startup time. | `false` |
+| `sidecar.alerts.initAlerts`          | Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` |
 | `sidecar.alerts.extraMounts`         | Additional alerts sidecar volume mounts. | `[]`                               |
 | `sidecar.dashboards.enabled`              | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false`       |
 | `sidecar.dashboards.SCProvider`           | Enables creation of sidecar provider          | `true`                                                  |
@@ -222,7 +224,7 @@ need to instead set `global.imageRegistry`.
 | `admin.existingSecret`                    | The name of an existing secret containing the admin credentials (can be templated). | `""`                                 |
 | `admin.userKey`                           | The key in the existing admin secret containing the username. | `"admin-user"`                          |
 | `admin.passwordKey`                       | The key in the existing admin secret containing the password. | `"admin-password"`                      |
-| `serviceAccount.autoMount`                | Automount the service account token in the pod| `true`                                                  |
+| `serviceAccount.automountServiceAccountToken` | Automount the service account token on all pods where is service account is used | `false` |
 | `serviceAccount.annotations`              | ServiceAccount annotations                    |                                                         |
 | `serviceAccount.create`                   | Create service account                        | `true`                                                  |
 | `serviceAccount.labels`                   | ServiceAccount labels                         | `{}`                                                    |
@@ -315,24 +317,35 @@ ingress:
   path: "/grafana"
 ```
 
-### Example of extraVolumeMounts
+### Example of extraVolumeMounts and extraVolumes
 
-Volume can be type persistentVolumeClaim or hostPath but not both at same time.
+Configure additional volumes with `extraVolumes` and volume mounts with `extraVolumeMounts`.
-If neither existingClaim or hostPath argument is given then type is emptyDir.
+
+Example for `extraVolumeMounts` and corresponding `extraVolumes`:
 
 ```yaml
-- extraVolumeMounts:
+extraVolumeMounts:
   - name: plugins
     mountPath: /var/lib/grafana/plugins
     subPath: configs/grafana/plugins
-    existingClaim: existing-grafana-claim
     readOnly: false
   - name: dashboards
     mountPath: /var/lib/grafana/dashboards
     hostPath: /usr/shared/grafana/dashboards
     readOnly: false
+
+extraVolumes:
+  - name: plugins
+    existingClaim: existing-grafana-claim
+  - name: dashboards
+    hostPath: /usr/shared/grafana/dashboards
 ```
 
+Volumes default to `emptyDir`. Set to `persistentVolumeClaim`,
+`hostPath`, `csi`, or `configMap` for other types. For a
+`persistentVolumeClaim`, specify an existing claim name with
+`existingClaim`.
+
 ## Import dashboards
 
 There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method:
@@ -544,9 +557,61 @@ delete_notifiers:
     # default org_id: 1
 ```
 
-## Provision alert rules, contact points, notification policies and notification templates
+## Sidecar for alerting resources
 
-There are two methods to provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method:
+If the parameter `sidecar.alerts.enabled` is set, a sidecar container is deployed in the grafana
+pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by `sidecar.alerts.searchNamespace`) and filters out the ones with
+a label as defined in `sidecar.alerts.label` (default is `grafana_alert`). The files defined in those configmaps are written
+to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below).
+
+This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in [Grafana Documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/).
+
+To fetch the alert config which will be provisioned, use the alert provisioning API ([Grafana Documentation](https://grafana.com/docs/grafana/next/developers/http_api/alerting_provisioning/)).
+You can use either JSON or YAML format.
+
+Example config for an alert rule:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sample-grafana-alert
+  labels:
+     grafana_alert: "1"
+data:
+  k8s-alert.yml: |-
+    apiVersion: 1
+    groups:
+        - orgId: 1
+          name: k8s-alert
+          [...]
+```
+
+To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule
+and then create a configuration which deletes the alert rule.
+
+Example deletion configuration:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: delete-sample-grafana-alert
+  namespace: monitoring
+  labels:
+    grafana_alert: "1"
+data:
+  delete-k8s-alert.yml: |-
+    apiVersion: 1
+    deleteRules:
+      - orgId: 1
+        uid: 16624780-6564-45dc-825c-8bded4ad92d3
+```
+
+## Statically provision alerting resources
+If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the `alerting` config option instead of the sidecar option above.
+This will grab the alerting config and apply it statically at build time for the helm file.
+
+There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method:
 
 ```yaml
 alerting:
@@ -576,13 +641,14 @@ alerting:
               title: '{{ `{{ template "default.title" . }}` }}'
 ```
 
-There are two possibilities:
+The two possibilities for static alerting resource provisioning are:
 
-* Inlining the file contents as described in the example `values.yaml` and the official [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/).
+* Inlining the file contents as shown for contact points in the above example.
-* Importing a file using a relative path starting from the chart root directory.
+* Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example.
 
 ### Important notes on file provisioning
 
+* The format of the files is defined in the [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/) on file provisioning.
 * The chart supports importing YAML and JSON files.
 * The filename must be unique, otherwise one volume mount will overwrite the other.
 * In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped.

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_config.tpl

@@ -0,0 +1,171 @@
+{{/*
+ Generate config map data
+ */}}
+{{- define "grafana.configData" -}}
+{{ include "grafana.assertNoLeakedSecrets" . }}
+{{- $files := .Files }}
+{{- $root := . -}}
+{{- with .Values.plugins }}
+plugins: {{ join "," . }}
+{{- end }}
+grafana.ini: |
+{{- range $elem, $elemVal := index .Values "grafana.ini" }}
+  {{- if not (kindIs "map" $elemVal) }}
+  {{- if kindIs "invalid" $elemVal }}
+  {{ $elem }} =
+  {{- else if kindIs "string" $elemVal }}
+  {{ $elem }} = {{ tpl $elemVal $ }}
+  {{- else }}
+  {{ $elem }} = {{ $elemVal }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- range $key, $value := index .Values "grafana.ini" }}
+  {{- if kindIs "map" $value }}
+  [{{ $key }}]
+  {{- range $elem, $elemVal := $value }}
+  {{- if kindIs "invalid" $elemVal }}
+  {{ $elem }} =
+  {{- else if kindIs "string" $elemVal }}
+  {{ $elem }} = {{ tpl $elemVal $ }}
+  {{- else }}
+  {{ $elem }} = {{ $elemVal }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.datasources }}
+{{- if not (hasKey $value "secret") }}
+{{ $key }}: |
+  {{- tpl (toYaml $value | nindent 2) $root }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.notifiers }}
+{{- if not (hasKey $value "secret") }}
+{{ $key }}: |
+  {{- toYaml $value | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.alerting }}
+{{- if (hasKey $value "file") }}
+{{ $key }}:
+{{- toYaml ( $files.Get $value.file ) | nindent 2 }}
+{{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}}
+{{/*  will be stored inside secret generated by "configSecret.yaml"*/}}
+{{- else }}
+{{ $key }}: |
+  {{- tpl (toYaml $value | nindent 2) $root }}
+{{- end }}
+{{- end }}
+
+{{- range $key, $value := .Values.dashboardProviders }}
+{{ $key }}: |
+  {{- toYaml $value | nindent 2 }}
+{{- end }}
+
+{{- if .Values.dashboards  }}
+download_dashboards.sh: |
+  #!/usr/bin/env sh
+  set -euf
+  {{- if .Values.dashboardProviders }}
+    {{- range $key, $value := .Values.dashboardProviders }}
+      {{- range $value.providers }}
+  mkdir -p {{ .options.path }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{ $dashboardProviders := .Values.dashboardProviders }}
+{{- range $provider, $dashboards := .Values.dashboards }}
+  {{- range $key, $value := $dashboards }}
+    {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }}
+  curl -skf \
+  --connect-timeout 60 \
+  --max-time 60 \
+    {{- if not $value.b64content }}
+      {{- if not $value.acceptHeader }}
+  -H "Accept: application/json" \
+      {{- else }}
+  -H "Accept: {{ $value.acceptHeader }}" \
+      {{- end }}
+      {{- if $value.token }}
+  -H "Authorization: token {{ $value.token }}" \
+      {{- end }}
+      {{- if $value.bearerToken }}
+  -H "Authorization: Bearer {{ $value.bearerToken }}" \
+      {{- end }}
+      {{- if $value.basic }}
+  -H "Authorization: Basic {{ $value.basic }}" \
+      {{- end }}
+      {{- if $value.gitlabToken }}
+  -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
+      {{- end }}
+  -H "Content-Type: application/json;charset=UTF-8" \
+    {{- end }}
+  {{- $dpPath := "" -}}
+  {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }}
+    {{- if eq $kd.name $provider }}
+    {{- $dpPath = $kd.options.path }}
+    {{- end }}
+  {{- end }}
+  {{- if $value.url }}
+    "{{ $value.url }}" \
+  {{- else }}
+    "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \
+  {{- end }}
+  {{- if $value.datasource }}
+    {{- if kindIs "string" $value.datasource }}
+    | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \
+    {{- end }}
+    {{- if kindIs "slice" $value.datasource }}
+      {{- range $value.datasource }}
+        | sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  {{- if $value.b64content }}
+    | base64 -d \
+  {{- end }}
+  > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json"
+    {{ end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+ Generate dashboard json config map data
+ */}}
+{{- define "grafana.configDashboardProviderData" -}}
+provider.yaml: |-
+  apiVersion: 1
+  providers:
+    - name: '{{ .Values.sidecar.dashboards.provider.name }}'
+      orgId: {{ .Values.sidecar.dashboards.provider.orgid }}
+      {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
+      folder: '{{ .Values.sidecar.dashboards.provider.folder }}'
+      {{- end }}
+      type: {{ .Values.sidecar.dashboards.provider.type }}
+      disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }}
+      allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }}
+      updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }}
+      options:
+        foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
+        path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}
+{{- end -}}
+
+{{- define "grafana.secretsData" -}}
+{{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }}
+admin-user: {{ .Values.adminUser | b64enc | quote }}
+{{- if .Values.adminPassword }}
+admin-password: {{ .Values.adminPassword | b64enc | quote }}
+{{- else }}
+admin-password: {{ include "grafana.password" . }}
+{{- end }}
+{{- end }}
+{{- if not .Values.ldap.existingSecret }}
+ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }}
+{{- end }}
+{{- end -}}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_helpers.tpl

@@ -225,3 +225,54 @@ Formats imagePullSecrets. Input is (dict "root" . "imagePullSecrets" .{specific
 {{- end }}
 {{- $secretFound}}
 {{- end -}}
+
+{{/*
+    Checks whether the user is attempting to store secrets in plaintext
+    in the grafana.ini configmap
+*/}}
+{{/* grafana.assertNoLeakedSecrets checks for sensitive keys in values */}}
+{{- define "grafana.assertNoLeakedSecrets" -}}
+      {{- $sensitiveKeysYaml := `
+sensitiveKeys:
+- path: ["database", "password"]
+- path: ["smtp", "password"]
+- path: ["security", "secret_key"]
+- path: ["security", "admin_password"]
+- path: ["auth.basic", "password"]
+- path: ["auth.ldap", "bind_password"]
+- path: ["auth.google", "client_secret"]
+- path: ["auth.github", "client_secret"]
+- path: ["auth.gitlab", "client_secret"]
+- path: ["auth.generic_oauth", "client_secret"]
+- path: ["auth.okta", "client_secret"]
+- path: ["auth.azuread", "client_secret"]
+- path: ["auth.grafana_com", "client_secret"]
+- path: ["auth.grafananet", "client_secret"]
+- path: ["azure", "user_identity_client_secret"]
+- path: ["unified_alerting", "ha_redis_password"]
+- path: ["metrics", "basic_auth_password"]
+- path: ["external_image_storage.s3", "secret_key"]
+- path: ["external_image_storage.webdav", "password"]
+- path: ["external_image_storage.azure_blob", "account_key"]
+` | fromYaml -}}
+  {{- if $.Values.assertNoLeakedSecrets -}}
+      {{- $grafanaIni := index .Values "grafana.ini" -}}
+      {{- range $_, $secret := $sensitiveKeysYaml.sensitiveKeys -}}
+        {{- $currentMap := $grafanaIni -}}
+        {{- $shouldContinue := true -}}
+        {{- range $index, $elem := $secret.path -}}
+          {{- if and $shouldContinue (hasKey $currentMap $elem) -}}
+            {{- if eq (len $secret.path) (add1 $index) -}}
+              {{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (index $currentMap $elem)) -}}
+                {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead. You can disable this client-side validation by changing the value of assertNoLeakedSecrets." (join "." $secret.path)) -}}
+              {{- end -}}
+            {{- else -}}
+              {{- $currentMap = index $currentMap $elem -}}
+            {{- end -}}
+          {{- else -}}
+              {{- $shouldContinue = false -}}
+          {{- end -}}
+        {{- end -}}
+      {{- end -}}
+  {{- end -}}
+{{- end -}}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl

@@ -5,7 +5,7 @@
 schedulerName: "{{ . }}"
 {{- end }}
 serviceAccountName: {{ include "grafana.serviceAccountName" . }}
-automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
+automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- with .Values.securityContext }}
 securityContext:
   {{- toYaml . | nindent 2 }}
@@ -14,6 +14,13 @@ securityContext:
 hostAliases:
   {{- toYaml . | nindent 2 }}
 {{- end }}
+{{- if .Values.dnsPolicy }}
+dnsPolicy: {{ .Values.dnsPolicy }}
+{{- end }}
+{{- with .Values.dnsConfig }}
+dnsConfig:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- with .Values.priorityClassName }}
 priorityClassName: {{ . }}
 {{- end }}
@@ -427,6 +434,11 @@ containers:
       - name: "{{ $key }}"
         value: "{{ $value }}"
       {{- end }}
+      {{- range $key, $value := .Values.sidecar.datasources.envValueFrom }}
+      - name: {{ $key | quote }}
+        valueFrom:
+          {{- tpl (toYaml $value) $ | nindent 10 }}
+      {{- end }}
       {{- if .Values.sidecar.dashboards.ignoreAlreadyProcessed }}
       - name: IGNORE_ALREADY_PROCESSED
         value: "true"
@@ -898,26 +910,47 @@ containers:
       {{- end }}
       {{- end }}
       {{- with .Values.datasources }}
+      {{- $datasources := . }}
       {{- range (keys . | sortAlpha) }}
+      {{- if (or (hasKey (index $datasources .) "secret")) }} {{/*check if current datasource should be handeled as secret */}}
+      - name: config-secret
+        mountPath: "/etc/grafana/provisioning/datasources/{{ . }}"
+        subPath: {{ . | quote }}
+      {{- else }}
       - name: config
         mountPath: "/etc/grafana/provisioning/datasources/{{ . }}"
         subPath: {{ . | quote }}
       {{- end }}
       {{- end }}
+      {{- end }}
       {{- with .Values.notifiers }}
+      {{- $notifiers := . }}
       {{- range (keys . | sortAlpha) }}
+      {{- if (or (hasKey (index $notifiers .) "secret")) }} {{/*check if current notifier should be handeled as secret */}}
+      - name: config-secret
+        mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}"
+        subPath: {{ . | quote }}
+      {{- else }}
       - name: config
         mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}"
         subPath: {{ . | quote }}
       {{- end }}
       {{- end }}
+      {{- end }}
       {{- with .Values.alerting }}
+      {{- $alertingmap := .}}
       {{- range (keys . | sortAlpha) }}
+      {{- if (or (hasKey (index $.Values.alerting .) "secret") (hasKey (index $.Values.alerting .) "secretFile")) }} {{/*check if current alerting entry should be handeled as secret */}}
+      - name: config-secret
+        mountPath: "/etc/grafana/provisioning/alerting/{{ . }}"
+        subPath: {{ . | quote }}
+      {{- else }}
       - name: config
         mountPath: "/etc/grafana/provisioning/alerting/{{ . }}"
         subPath: {{ . | quote }}
       {{- end }}
       {{- end }}
+      {{- end }}
       {{- with .Values.dashboardProviders }}
       {{- range (keys . | sortAlpha) }}
       - name: config
@@ -1051,11 +1084,17 @@ containers:
       - secretRef:
           name: {{ tpl .name $ }}
           optional: {{ .optional | default false }}
+        {{- if .prefix }}
+        prefix: {{ tpl .prefix $ }}
+        {{- end }}
       {{- end }}
       {{- range .Values.envFromConfigMaps }}
       - configMapRef:
           name: {{ tpl .name $ }}
           optional: {{ .optional | default false }}
+        {{- if .prefix }}
+        prefix: {{ tpl .prefix $ }}
+        {{- end }}
       {{- end }}
     {{- end }}
     {{- with .Values.livenessProbe }}
@@ -1097,6 +1136,12 @@ volumes:
   - name: config
     configMap:
       name: {{ include "grafana.fullname" . }}
+  {{- $createConfigSecret := eq (include "grafana.shouldCreateConfigSecret" .) "true" -}}
+  {{- if and .Values.createConfigmap $createConfigSecret }}
+  - name: config-secret
+    secret:
+      secretName: {{ include "grafana.fullname" . }}-config-secret
+  {{- end }}
   {{- range .Values.extraConfigmapMounts }}
   - name: {{ tpl .name $root }}
     configMap:
@@ -1230,10 +1275,13 @@ volumes:
       {{ toYaml .hostPath | nindent 6 }}
     {{- else if .csi }}
     csi:
-      {{- toYaml .data | nindent 6 }}
+      {{- toYaml .csi | nindent 6 }}
     {{- else if .configMap }}
     configMap:
       {{- toYaml .configMap | nindent 6 }}
+    {{- else if .emptyDir }}
+    emptyDir:
+      {{- toYaml .emptyDir | nindent 6 }}
     {{- else }}
     emptyDir: {}
     {{- end }}
@@ -1246,4 +1294,3 @@ volumes:
   {{- tpl (toYaml .) $root | nindent 2 }}
   {{- end }}
 {{- end }}
-

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configSecret.yaml

@@ -25,13 +25,13 @@ stringData:
 {{- range $key, $value := .Values.datasources }}
 {{- if (hasKey $value "secret") }}
 {{- $key | nindent 2 }}: |
-  {{- tpl (toYaml $value | nindent 4) $root }}
+  {{- tpl (toYaml $value.secret | nindent 4) $root }}
 {{- end }}
 {{- end }}
 {{- range $key, $value := .Values.notifiers }}
 {{- if (hasKey $value "secret") }}
 {{- $key | nindent 2 }}: |
-  {{- tpl (toYaml $value | nindent 4) $root }}
+  {{- tpl (toYaml $value.secret | nindent 4) $root }}
 {{- end }}
 {{- end }}
 {{- range $key, $value := .Values.alerting }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap-dashboard-provider.yaml

@@ -11,19 +11,5 @@ metadata:
   name: {{ include "grafana.fullname" . }}-config-dashboards
   namespace: {{ include "grafana.namespace" . }}
 data:
-  provider.yaml: |-
+  {{- include "grafana.configDashboardProviderData" . | nindent 2 }}
-    apiVersion: 1
-    providers:
-      - name: '{{ .Values.sidecar.dashboards.provider.name }}'
-        orgId: {{ .Values.sidecar.dashboards.provider.orgid }}
-        {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
-        folder: '{{ .Values.sidecar.dashboards.provider.folder }}'
-        {{- end }}
-        type: {{ .Values.sidecar.dashboards.provider.type }}
-        disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }}
-        allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }}
-        updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }}
-        options:
-          foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }}
-          path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml

@@ -1,6 +1,4 @@
 {{- if .Values.createConfigmap }}
-{{- $files := .Files }}
-{{- $root := . -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -13,132 +11,5 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
-  {{- with .Values.plugins }}
+  {{- include "grafana.configData" . | nindent 2 }}
-  plugins: {{ join "," . }}
-  {{- end }}
-  grafana.ini: |
-  {{- range $elem, $elemVal := index .Values "grafana.ini" }}
-    {{- if not (kindIs "map" $elemVal) }}
-    {{- if kindIs "invalid" $elemVal }}
-    {{ $elem }} =
-    {{- else if kindIs "string" $elemVal }}
-    {{ $elem }} = {{ tpl $elemVal $ }}
-    {{- else }}
-    {{ $elem }} = {{ $elemVal }}
-    {{- end }}
-    {{- end }}
-  {{- end }}
-  {{- range $key, $value := index .Values "grafana.ini" }}
-    {{- if kindIs "map" $value }}
-    [{{ $key }}]
-    {{- range $elem, $elemVal := $value }}
-    {{- if kindIs "invalid" $elemVal }}
-    {{ $elem }} =
-    {{- else if kindIs "string" $elemVal }}
-    {{ $elem }} = {{ tpl $elemVal $ }}
-    {{- else }}
-    {{ $elem }} = {{ $elemVal }}
-    {{- end }}
-    {{- end }}
-    {{- end }}
-  {{- end }}
-
-  {{- range $key, $value := .Values.datasources }}
-  {{- if not (hasKey $value "secret") }}
-  {{- $key | nindent 2 }}: |
-    {{- tpl (toYaml $value | nindent 4) $root }}
-  {{- end }}
-  {{- end }}
-
-  {{- range $key, $value := .Values.notifiers }}
-  {{- if not (hasKey $value "secret") }}
-  {{- $key | nindent 2 }}: |
-    {{- toYaml $value | nindent 4 }}
-  {{- end }}
-  {{- end }}
-
-  {{- range $key, $value := .Values.alerting }}
-  {{- if (hasKey $value "file") }}
-  {{- $key | nindent 2 }}:
-  {{- toYaml ( $files.Get $value.file ) | nindent 4}}
-  {{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}}
-  {{/*  will be stored inside secret generated by "configSecret.yaml"*/}}
-  {{- else }}
-  {{- $key | nindent 2 }}: |
-    {{- tpl (toYaml $value | nindent 4) $root }}
-  {{- end }}
-  {{- end }}
-
-  {{- range $key, $value := .Values.dashboardProviders }}
-  {{- $key | nindent 2 }}: |
-    {{- toYaml $value | nindent 4 }}
-  {{- end }}
-
-{{- if .Values.dashboards  }}
-  download_dashboards.sh: |
-    #!/usr/bin/env sh
-    set -euf
-    {{- if .Values.dashboardProviders }}
-      {{- range $key, $value := .Values.dashboardProviders }}
-        {{- range $value.providers }}
-    mkdir -p {{ .options.path }}
-        {{- end }}
-      {{- end }}
-    {{- end }}
-  {{ $dashboardProviders := .Values.dashboardProviders }}
-  {{- range $provider, $dashboards := .Values.dashboards }}
-    {{- range $key, $value := $dashboards }}
-      {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }}
-    curl -skf \
-    --connect-timeout 60 \
-    --max-time 60 \
-      {{- if not $value.b64content }}
-        {{- if not $value.acceptHeader }}
-    -H "Accept: application/json" \
-        {{- else }}
-    -H "Accept: {{ $value.acceptHeader }}" \
-        {{- end }}
-        {{- if $value.token }}
-    -H "Authorization: token {{ $value.token }}" \
-        {{- end }}
-        {{- if $value.bearerToken }}
-    -H "Authorization: Bearer {{ $value.bearerToken }}" \
-        {{- end }}
-        {{- if $value.basic }}
-    -H "Authorization: Basic {{ $value.basic }}" \
-        {{- end }}
-        {{- if $value.gitlabToken }}
-    -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
-        {{- end }}
-    -H "Content-Type: application/json;charset=UTF-8" \
-      {{- end }}
-    {{- $dpPath := "" -}}
-    {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }}
-      {{- if eq $kd.name $provider }}
-      {{- $dpPath = $kd.options.path }}
-      {{- end }}
-    {{- end }}
-    {{- if $value.url }}
-      "{{ $value.url }}" \
-    {{- else }}
-      "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \
-    {{- end }}
-    {{- if $value.datasource }}
-      {{- if kindIs "string" $value.datasource }}
-      | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \
-      {{- end }}
-      {{- if kindIs "slice" $value.datasource }}
-        {{- range $value.datasource }}
-          | sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \
-        {{- end }}
-      {{- end }}
-    {{- end }}
-    {{- if $value.b64content }}
-      | base64 -d \
-    {{- end }}
-    > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json"
-      {{ end }}
-    {{- end }}
-  {{- end }}
-{{- end }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml

@@ -33,14 +33,16 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/config: {{ include "grafana.configData" . | sha256sum }}
+        {{- if .Values.dashboards }}
         checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }}
-        checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }}
+        {{- end }}
+        checksum/sc-dashboard-provider-config: {{ include "grafana.configDashboardProviderData" . | sha256sum }}
         {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        checksum/secret: {{ include "grafana.secretsData" . | sha256sum }}
         {{- end }}
         {{- if .Values.envRenderSecret }}
-        checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }}
+        checksum/secret-env: {{ tpl (toYaml .Values.envRenderSecret) . | sha256sum }}
         {{- end }}
         kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
         {{- with .Values.podAnnotations }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/ingress.yaml

@@ -34,7 +34,7 @@ spec:
   rules:
   {{- if .Values.ingress.hosts  }}
   {{- range .Values.ingress.hosts }}
-    - host: {{ tpl . $ }}
+    - host: {{ tpl . $ | quote }}
       http:
         paths:
           {{- with $extraPaths }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret.yaml

@@ -12,15 +12,5 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }}
+  {{- include "grafana.secretsData" . | nindent 2 }}
-  admin-user: {{ .Values.adminUser | b64enc | quote }}
-  {{- if .Values.adminPassword }}
-  admin-password: {{ .Values.adminPassword | b64enc | quote }}
-  {{- else }}
-  admin-password: {{ include "grafana.password" . }}
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.ldap.existingSecret }}
-  ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }}
-  {{- end }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/service.yaml

@@ -21,10 +21,13 @@ spec:
   clusterIP: {{ . }}
   {{- end }}
   {{- else if eq .Values.service.type "LoadBalancer" }}
-  type: {{ .Values.service.type }}
+  type: LoadBalancer
   {{- with .Values.service.loadBalancerIP }}
   loadBalancerIP: {{ . }}
   {{- end }}
+  {{- with .Values.service.loadBalancerClass }}
+  loadBalancerClass: {{ . }}
+  {{- end }}
   {{- with .Values.service.loadBalancerSourceRanges }}
   loadBalancerSourceRanges:
     {{- toYaml . | nindent 4 }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/serviceaccount.yaml

@@ -1,7 +1,7 @@
 {{- if .Values.serviceAccount.create }}
-{{- $root := . -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.autoMount | default .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   labels:
     {{- include "grafana.labels" . | nindent 4 }}
@@ -10,7 +10,7 @@ metadata:
     {{- end }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
-    {{- tpl (toYaml . | nindent 4) $root }}
+    {{- tpl (toYaml . | nindent 4) $ }}
   {{- end }}
   name: {{ include "grafana.serviceAccountName" . }}
   namespace: {{ include "grafana.namespace" . }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/servicemonitor.yaml

@@ -12,7 +12,7 @@ metadata:
   labels:
     {{- include "grafana.labels" . | nindent 4 }}
     {{- with .Values.serviceMonitor.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- tpl (toYaml . | nindent 4) $ }}
     {{- end }}
 spec:
   endpoints:

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml

@@ -38,16 +38,22 @@ serviceAccount:
   nameTest:
   ## ServiceAccount labels.
   labels: {}
-## Service account annotations. Can be templated.
+  ## Service account annotations. Can be templated.
-#  annotations:
+  #  annotations:
-#    eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
+  #    eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
-  autoMount: true
+
+  ## autoMount is deprecated in favor of automountServiceAccountToken
+  # autoMount: false
+  automountServiceAccountToken: false
 
 replicas: 1
 
 ## Create a headless service for the deployment
 headlessService: false
 
+## Should the service account be auto mounted on the pod
+automountServiceAccountToken: true
+
 ## Create HorizontalPodAutoscaler object for deployment type
 #
 autoscaling:
@@ -116,6 +122,16 @@ testFramework:
   imagePullPolicy: IfNotPresent
   securityContext: {}
 
+# dns configuration for pod
+dnsPolicy: ~
+dnsConfig: {}
+  # nameservers:
+  #   - 8.8.8.8
+  #   options:
+  #   - name: ndots
+  #     value: "2"
+  #   - name: edns0
+
 securityContext:
   runAsNonRoot: true
   runAsUser: 472
@@ -197,6 +213,9 @@ gossipPortName: gossip
 service:
   enabled: true
   type: ClusterIP
+  loadBalancerIP: ""
+  loadBalancerClass: ""
+  loadBalancerSourceRanges: []
   port: 80
   targetPort: 3000
     # targetPort: 4181 To be used with a proxy extraContainer
@@ -477,6 +496,7 @@ envRenderSecret: {}
 ## Name is templated.
 envFromSecrets: []
 ## - name: secret-name
+##   prefix: prefix
 ##   optional: true
 
 ## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment
@@ -485,6 +505,7 @@ envFromSecrets: []
 ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
 envFromConfigMaps: []
 ## - name: configmap-name
+##   prefix: prefix
 ##   optional: true
 
 # Inject Kubernetes services as environment variables.
@@ -530,15 +551,22 @@ extraVolumeMounts: []
   # - name: extra-volume-0
   #   mountPath: /mnt/volume0
   #   readOnly: true
-  #   existingClaim: volume-claim
   # - name: extra-volume-1
   #   mountPath: /mnt/volume1
   #   readOnly: true
-  #   hostPath: /usr/shared/
   # - name: grafana-secrets
   #   mountPath: /mnt/volume2
-  #   csi: true
+
-  #   data:
+## Additional Grafana server volumes
+extraVolumes: []
+  # - name: extra-volume-0
+  #   existingClaim: volume-claim
+  # - name: extra-volume-1
+  #   hostPath:
+  #     path: /usr/shared/
+  #     type: ""
+  # - name: grafana-secrets
+  #   csi:
   #     driver: secrets-store.csi.k8s.io
   #     readOnly: true
   #     volumeAttributes:
@@ -811,7 +839,7 @@ sidecar:
     # -- The Docker registry
     registry: quay.io
     repository: kiwigrid/k8s-sidecar
-    tag: 1.25.2
+    tag: 1.26.1
     sha: ""
   imagePullPolicy: IfNotPresent
   resources: {}
@@ -944,6 +972,7 @@ sidecar:
     enabled: false
     # Additional environment variables for the datasourcessidecar
     env: {}
+    envValueFrom: {}
     # Do not reprocess already processed unchanged resources on k8s API reconnect.
     # ignoreAlreadyProcessed: true
     # label that the configmaps with datasources are marked with
@@ -975,8 +1004,8 @@ sidecar:
     # Absolute path to shell script to execute after a datasource got reloaded
     script: null
     skipReload: false
-    # Deploy the datasource sidecar as an initContainer in addition to a container.
     # This is needed if skipReload is true, to load any datasources defined at startup time.
+    # Deploy the datasources sidecar as an initContainer.
     initDatasources: false
     # Sets the size limit of the datasource sidecar emptyDir volume
     sizeLimit: {}
@@ -1280,3 +1309,13 @@ extraObjects: []
   #     data:
   #       - key: grafana-admin-password
   #         name: adminPassword
+
+# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret
+# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
+#
+# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
+# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
+#
+# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
+# you can disable this check by setting assertNoLeakedSecrets to false.
+assertNoLeakedSecrets: true

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
     - name: Chart Source
       url: https://github.com/prometheus-community/helm-charts
 apiVersion: v2
-appVersion: 2.10.1
+appVersion: 2.11.0
 description: Install kube-state-metrics to generate and expose cluster-level metrics
 home: https://github.com/kubernetes/kube-state-metrics/
 keywords:
@@ -23,4 +23,4 @@ name: kube-state-metrics
 sources:
 - https://github.com/kubernetes/kube-state-metrics/
 type: application
-version: 5.15.2
+version: 5.18.0

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml

@@ -49,10 +49,10 @@ spec:
       {{- toYaml . | nindent 6 }}
       {{- end }}
       containers:
-      {{- $httpPort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}}
+      {{- $servicePort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}}
       {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}}
       - name: {{ template "kube-state-metrics.name" . }}
-        {{- if .Values.autosharding.enabled }}
+        {{- if  .Values.autosharding.enabled }}
         env:
         - name: POD_NAME
           valueFrom:
@@ -67,7 +67,7 @@ spec:
         {{-  if .Values.extraArgs  }}
         {{- .Values.extraArgs | toYaml | nindent 8 }}
         {{-  end  }}
-        - --port={{ $httpPort }}
+        - --port={{ $servicePort }}
         {{-  if .Values.collectors  }}
         - --resources={{ .Values.collectors | join "," }}
         {{-  end  }}
@@ -115,10 +115,10 @@ spec:
         {{- if .Values.selfMonitor.telemetryPort }}
         - --telemetry-port={{ $telemetryPort }}
         {{- end }}
+        {{- end }}
         {{- if .Values.customResourceState.enabled }}
         - --custom-resource-state-config-file=/etc/customresourcestate/config.yaml
         {{- end }}
-        {{- end }}
         {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumeMounts) }}
         volumeMounts:
         {{- if .Values.kubeconfig.enabled }}
@@ -147,17 +147,41 @@ spec:
         {{- end }}
         {{- end }}
         livenessProbe:
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
           httpGet:
+            {{- if .Values.hostNetwork }}
+            host: 127.0.0.1
+            {{- end }}
+            httpHeaders:
+            {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }}
+            - name: {{ $header.name }}
+              value: {{ $header.value }}
+            {{- end }}
             path: /healthz
-            port: {{ $httpPort }}
+            port: {{ $servicePort }}
-          initialDelaySeconds: 5
+            scheme: {{ upper .Values.livenessProbe.httpGet.scheme }}
-          timeoutSeconds: 5
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
         readinessProbe:
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
           httpGet:
+            {{- if .Values.hostNetwork }}
+            host: 127.0.0.1
+            {{- end }}
+            httpHeaders:
+            {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }}
+            - name: {{ $header.name }}
+              value: {{ $header.value }}
+            {{- end }}
             path: /
-            port: {{ $httpPort }}
+            port: {{ $servicePort }}
-          initialDelaySeconds: 5
+            scheme: {{ upper .Values.readinessProbe.httpGet.scheme }}
-          timeoutSeconds: 5
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
         {{- if .Values.resources }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
@@ -173,7 +197,7 @@ spec:
         {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }}
         {{-  end  }}
         - --secure-listen-address=:{{ .Values.service.port | default 8080}}
-        - --upstream=http://127.0.0.1:{{ $httpPort }}/
+        - --upstream=http://127.0.0.1:{{ $servicePort }}/
         - --proxy-endpoints-port=8888
         - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
         volumeMounts:

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/serviceaccount.yaml

@@ -10,6 +10,8 @@ metadata:
   annotations:
 {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
 {{- end }}
+{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }}
 imagePullSecrets:
   {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }}
+{{- end }}
 {{- end -}}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml

@@ -37,7 +37,10 @@ autosharding:
 
 replicas: 1
 
-# Change the deployment strategy when autosharding is disabled
+# Change the deployment strategy when autosharding is disabled.
+# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+# The default is "RollingUpdate" as per Kubernetes defaults.
+# During a release, 'RollingUpdate' can lead to two running instances for a short period of time while 'Recreate' can create a small gap in data.
 # updateStrategy: Recreate
 
 # Number of old history to retain to allow rollback
@@ -96,7 +99,7 @@ kubeRBACProxy:
   image:
     registry: quay.io
     repository: brancz/kube-rbac-proxy
-    tag: v0.14.0
+    tag: v0.16.0
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -108,7 +111,12 @@ kubeRBACProxy:
   ## Specify security settings for a Container
   ## Allows overrides and additional options compared to (Pod) securityContext
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-  containerSecurityContext: {}
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
 
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
@@ -245,6 +253,7 @@ securityContext:
 ## Allows overrides and additional options compared to (Pod) securityContext
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 containerSecurityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
     drop:
@@ -454,3 +463,27 @@ containers: []
 initContainers: []
   # - name: crd-sidecar
   #   image: kiwigrid/k8s-sidecar:latest
+
+## Liveness probe
+##
+livenessProbe:
+  failureThreshold: 3
+  httpGet:
+    httpHeaders: []
+    scheme: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 5
+
+## Readiness probe
+##
+readinessProbe:
+  failureThreshold: 3
+  httpGet:
+    httpHeaders: []
+    scheme: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 5

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml

@@ -22,4 +22,4 @@ name: prometheus-node-exporter
 sources:
 - https://github.com/prometheus/node_exporter/
 type: application
-version: 4.24.0
+version: 4.32.0

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl

@@ -183,3 +183,20 @@ labelNameLengthLimit: {{ . }}
 labelValueLengthLimit: {{ . }}
 {{- end }}
 {{- end }}
+
+{{/* Sets sidecar volumeMounts */}}
+{{- define "prometheus-node-exporter.sidecarVolumeMounts" -}}
+{{- range $_, $mount := $.Values.sidecarVolumeMount }}
+- name: {{ $mount.name }}
+  mountPath: {{ $mount.mountPath }}
+  readOnly: {{ $mount.readOnly }}
+{{- end }}
+{{- range $_, $mount := $.Values.sidecarHostVolumeMounts }}
+- name: {{ $mount.name }}
+  mountPath: {{ $mount.mountPath }}
+  readOnly: {{ $mount.readOnly }}
+{{- if $mount.mountPropagation }}
+  mountPropagation: {{ $mount.mountPropagation }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml

@@ -40,8 +40,11 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }}
+      {{- with .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
       containers:
-        {{- $servicePort := ternary 8100 .Values.service.port .Values.kubeRBACProxy.enabled }}
+        {{- $servicePort := ternary .Values.kubeRBACProxy.port .Values.service.port .Values.kubeRBACProxy.enabled }}
         - name: node-exporter
           image: {{ include "prometheus-node-exporter.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -50,7 +53,7 @@ spec:
             - --path.sysfs=/host/sys
             {{- if .Values.hostRootFsMount.enabled }}
             - --path.rootfs=/host/root
-            {{- if semverCompare ">=1.4.0" (default .Chart.AppVersion .Values.image.tag) }}
+            {{- if semverCompare ">=1.4.0-0" (coalesce .Values.version .Values.image.tag .Chart.AppVersion) }}
             - --path.udev.data=/host/root/run/udev/data
             {{- end }}
             {{- end }}
@@ -124,12 +127,24 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.terminationMessageParams.enabled }}
+          {{- with .Values.terminationMessageParams }}
+          terminationMessagePath: {{ .terminationMessagePath }}
+          terminationMessagePolicy: {{ .terminationMessagePolicy }}
+          {{- end }}
+          {{- end }}
           volumeMounts:
             - name: proc
               mountPath: /host/proc
+              {{- with .Values.hostProcFsMount.mountPropagation }}
+              mountPropagation: {{ . }}
+              {{- end }}
               readOnly:  true
             - name: sys
               mountPath: /host/sys
+              {{- with .Values.hostSysFsMount.mountPropagation }}
+              mountPropagation: {{ . }}
+              {{- end }}
               readOnly: true
             {{- if .Values.hostRootFsMount.enabled }}
             - name: root
@@ -160,24 +175,10 @@ spec:
             - name: {{ .name }}
               mountPath: {{ .mountPath }}
             {{- end }}
-        {{- with .Values.sidecars }}
+        {{- range .Values.sidecars }}
-        {{- toYaml . | nindent 8 }}
+          {{- $overwrites := dict "volumeMounts" (concat (include "prometheus-node-exporter.sidecarVolumeMounts" $ | fromYamlArray) (.volumeMounts | default list) | default list) }}
-          {{- if or $.Values.sidecarVolumeMount $.Values.sidecarHostVolumeMounts }}
+          {{- $defaults := dict "image" (include "prometheus-node-exporter.image" $) "securityContext" $.Values.containerSecurityContext "imagePullPolicy" $.Values.image.pullPolicy }}
-          volumeMounts:
+        - {{- toYaml (merge $overwrites . $defaults) | nindent 10 }}
-            {{- range $_, $mount := $.Values.sidecarVolumeMount }}
-            - name: {{ $mount.name }}
-              mountPath: {{ $mount.mountPath }}
-              readOnly: {{ $mount.readOnly }}
-            {{- end }}
-            {{- range $_, $mount := $.Values.sidecarHostVolumeMounts }}
-            - name: {{ $mount.name }}
-              mountPath: {{ $mount.mountPath }}
-              readOnly: {{ $mount.readOnly }}
-            {{- if $mount.mountPropagation }}
-              mountPropagation: {{ $mount.mountPropagation }}
-            {{- end }}
-            {{- end }}
-          {{- end }}
         {{- end }}
         {{-  if .Values.kubeRBACProxy.enabled  }}
         - name: kube-rbac-proxy
@@ -187,7 +188,7 @@ spec:
             {{-  end  }}
             - --secure-listen-address=:{{ .Values.service.port}}
             - --upstream=http://127.0.0.1:{{ $servicePort }}/
-            - --proxy-endpoints-port=8888
+            - --proxy-endpoints-port={{ .Values.kubeRBACProxy.proxyEndpointsPort }}
             - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
           volumeMounts:
             - name: kube-rbac-proxy-config
@@ -200,19 +201,38 @@ spec:
           {{- end }}
           ports:
             - containerPort: {{ .Values.service.port}}
-              name: "http"
+              name: {{ .Values.kubeRBACProxy.portName }}
-            - containerPort: 8888
+              {{- if .Values.kubeRBACProxy.enableHostPort }}
+              hostPort: {{ .Values.service.port }}
+              {{- end }}
+            - containerPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }}
+              {{- if .Values.kubeRBACProxy.enableProxyEndpointsHostPort }}
+              hostPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }}
+              {{- end }}
               name: "http-healthz"
           readinessProbe:
             httpGet:
               scheme: HTTPS
-              port: 8888
+              port: {{ .Values.kubeRBACProxy.proxyEndpointsPort }}
               path: healthz
             initialDelaySeconds: 5
             timeoutSeconds: 5
           {{- if .Values.kubeRBACProxy.resources }}
           resources:
-          {{ toYaml .Values.kubeRBACProxy.resources | nindent 12 }}
+          {{- toYaml .Values.kubeRBACProxy.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.terminationMessageParams.enabled }}
+          {{- with .Values.terminationMessageParams }}
+          terminationMessagePath: {{ .terminationMessagePath }}
+          terminationMessagePolicy: {{ .terminationMessagePolicy }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.kubeRBACProxy.env }}
+          env:
+            {{- range $key, $value := $.Values.kubeRBACProxy.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
           {{- end }}
           {{- if .Values.kubeRBACProxy.containerSecurityContext }}
           securityContext:
@@ -237,6 +257,9 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.restartPolicy }}
+      restartPolicy: {{ . }}
+      {{- end }}
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
@@ -257,6 +280,9 @@ spec:
         - name: {{ $mount.name }}
           hostPath:
             path: {{ $mount.hostPath }}
+            {{- with $mount.type }}
+            type: {{ . }}
+            {{- end }}
         {{- end }}
         {{- range $_, $mount := .Values.sidecarVolumeMount }}
         - name: {{ $mount.name }}

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml

@@ -39,14 +39,17 @@ global:
 # The requests are served through the same service but requests are HTTPS.
 kubeRBACProxy:
   enabled: false
+  ## Set environment variables as name/value pairs
+  env: {}
+    # VARIABLE: value
   image:
     registry: quay.io
     repository: brancz/kube-rbac-proxy
-    tag: v0.15.0
+    tag: v0.16.0
     sha: ""
     pullPolicy: IfNotPresent
 
-  # List of additional cli arguments to configure kube-rbac-prxy
+  # List of additional cli arguments to configure kube-rbac-proxy
   # for example: --tls-cipher-suites, --log-file, etc.
   # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage
   extraArgs: []
@@ -56,6 +59,19 @@ kubeRBACProxy:
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
   containerSecurityContext: {}
 
+  # Specify the port used for the Node exporter container (upstream port)
+  port: 8100
+  # Specify the name of the container port
+  portName: http
+  # Configure a hostPort. If true, hostPort will be enabled in the container and set to service.port.
+  enableHostPort: false
+
+  # Configure Proxy Endpoints Port
+  # This is the port being probed for readiness
+  proxyEndpointsPort: 8888
+  # Configure a hostPort. If true, hostPort will be enabled in the container and set to proxyEndpointsPort.
+  enableProxyEndpointsHostPort: false
+
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little
@@ -259,6 +275,10 @@ resources: {}
   #   cpu: 100m
   #   memory: 30Mi
 
+# Specify the container restart policy passed to the Node Export container
+# Possible Values: Always (default)|OnFailure|Never
+restartPolicy: null
+
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true
@@ -310,6 +330,16 @@ hostRootFsMount:
   # https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
   mountPropagation: HostToContainer
 
+# Mount the node's proc file system (/proc) at /host/proc in the container
+hostProcFsMount:
+  # Possible values are None, HostToContainer, and Bidirectional
+  mountPropagation: ""
+
+# Mount the node's sys file system (/sys) at /host/sys in the container
+hostSysFsMount:
+  # Possible values are None, HostToContainer, and Bidirectional
+  mountPropagation: ""
+
 ## Assign a group of affinity scheduling rules
 ##
 affinity: {}
@@ -354,10 +384,23 @@ nodeSelector:
   kubernetes.io/os: linux
   #  kubernetes.io/arch: amd64
 
+# Specify grace period for graceful termination of pods. Defaults to 30 if null or not specified
+terminationGracePeriodSeconds: null
+
 tolerations:
   - effect: NoSchedule
     operator: Exists
 
+# Enable or disable container termination message settings
+# https://kubernetes.io/docs/tasks/debug/debug-application/determine-reason-pod-failure/
+terminationMessageParams:
+  enabled: false
+  # If enabled, specify the path for termination messages
+  terminationMessagePath: /dev/termination-log
+  # If enabled, specify the policy for termination messages
+  terminationMessagePolicy: File
+
+
 ## Assign a PriorityClassName to pods if set
 # priorityClassName: ""
 
@@ -372,6 +415,8 @@ extraArgs: []
 extraHostVolumeMounts: []
 #  - name: <mountName>
 #    hostPath: <hostPath>
+#    https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types
+#    type: "" (Default)|DirectoryOrCreate|Directory|FileOrCreate|File|Socket|CharDevice|BlockDevice
 #    mountPath: <mountPath>
 #    readOnly: true|false
 #    mountPropagation: None|HostToContainer|Bidirectional
@@ -388,18 +433,21 @@ secrets: []
 ##
 namespaceOverride: ""
 
-## Additional containers for export metrics to text file
+## Additional containers for export metrics to text file; fields image,imagePullPolicy,securityContext take default value from main container
 ##
 sidecars: []
-##  - name: nvidia-dcgm-exporter
+#  - name: nvidia-dcgm-exporter
-##    image: nvidia/dcgm-exporter:1.4.3
+#    image: nvidia/dcgm-exporter:1.4.3
+#    volumeMounts:
+#     - name: tmp
+#       mountPath: /tmp
 
 ## Volume for sidecar containers
 ##
 sidecarVolumeMount: []
-##  - name: collector-textfiles
+#  - name: collector-textfiles
-##    mountPath: /run/prometheus
+#    mountPath: /run/prometheus
-##    readOnly: false
+#    readOnly: false
 
 ## Additional mounts from the host to sidecar containers
 ##
@@ -478,3 +526,6 @@ extraManifests: []
   #     name: prometheus-extra
   #   data:
   #     extra-data: "value"
+
+# Override version of app, required if image.tag is defined and does not follow semver
+version: ""

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-windows-exporter/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.22.0
+appVersion: 0.25.1
 description: A Helm chart for prometheus windows-exporter
 home: https://github.com/prometheus-community/windows_exporter/
 keywords:
@@ -14,4 +14,4 @@ name: prometheus-windows-exporter
 sources:
 - https://github.com/prometheus-community/windows_exporter/
 type: application
-version: 0.1.2
+version: 0.3.1

charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-windows-exporter/templates/daemonset.yaml

@@ -49,7 +49,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - --config.file=%CONTAINER_SANDBOX_MOUNT_POINT%/config.yml
-            - --collector.textfile.directory=%CONTAINER_SANDBOX_MOUNT_POINT%
+            - --collector.textfile.directories=%CONTAINER_SANDBOX_MOUNT_POINT%
             - --web.listen-address=:{{ .Values.service.port }}
             {{- with .Values.extraArgs }}
             {{- toYaml . | nindent 12 }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/_helpers.tpl

@@ -24,10 +24,15 @@ The longest name that gets created adds and extra 37 characters, so truncation s
 {{- end -}}
 {{- end -}}
 
-{{/* Fullname suffixed with operator */}}
+{{/* Fullname suffixed with -operator */}}
+{{/* Adding 9 to 26 truncation of kube-prometheus-stack.fullname */}}
 {{- define "kube-prometheus-stack.operator.fullname" -}}
+{{- if .Values.prometheusOperator.fullnameOverride -}}
+{{- .Values.prometheusOperator.fullnameOverride | trunc 35 | trimSuffix "-" -}}
+{{- else -}}
 {{- printf "%s-operator" (include "kube-prometheus-stack.fullname" .) -}}
 {{- end }}
+{{- end }}
 
 {{/* Prometheus custom resource instance name */}}
 {{- define "kube-prometheus-stack.prometheus.crname" -}}
@@ -91,6 +96,15 @@ heritage: {{ $.Release.Service | quote }}
 {{- end -}}
 {{- end -}}
 
+{{/* Create the name of kube-prometheus-stack service account to use */}}
+{{- define "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" -}}
+{{- if .Values.prometheusOperator.serviceAccount.create -}}
+    {{ default (printf "%s-webhook" (include "kube-prometheus-stack.operator.fullname" .)) .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/* Create the name of prometheus service account to use */}}
 {{- define "kube-prometheus-stack.prometheus.serviceAccountName" -}}
 {{- if .Values.prometheus.serviceAccount.create -}}
@@ -140,6 +154,17 @@ Use the grafana namespace override for multi-namespace deployments in combined c
   {{- end -}}
 {{- end -}}
 
+{{/*
+Allow kube-state-metrics job name to be overridden
+*/}}
+{{- define "kube-prometheus-stack-kube-state-metrics.name" -}}
+  {{- if index .Values "kube-state-metrics" "nameOverride" -}}
+    {{- index .Values "kube-state-metrics" "nameOverride" -}}
+  {{- else -}}
+    {{- print "kube-state-metrics" -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Use the kube-state-metrics namespace override for multi-namespace deployments in combined charts
 */}}
@@ -277,3 +302,14 @@ global:
   {{- end }}
 {{- end }}
 {{- end -}}
+
+{{- define "kube-prometheus-stack.operator.admission-webhook.dnsNames" }}
+{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }}
+{{- $namespace := include "kube-prometheus-stack.namespace" . }}
+{{- $fullname }}
+{{ $fullname }}.{{ $namespace }}.svc
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+{{ $fullname }}-webhook
+{{ $fullname }}-webhook.{{ $namespace }}.svc
+{{- end }}
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml

@@ -31,6 +31,7 @@ spec:
   replicas: {{ .Values.alertmanager.alertmanagerSpec.replicas }}
   listenLocal: {{ .Values.alertmanager.alertmanagerSpec.listenLocal }}
   serviceAccountName: {{ template "kube-prometheus-stack.alertmanager.serviceAccountName" . }}
+  automountServiceAccountToken: {{ .Values.alertmanager.alertmanagerSpec.automountServiceAccountToken }}
 {{- if .Values.alertmanager.alertmanagerSpec.externalUrl }}
   externalUrl: "{{ tpl .Values.alertmanager.alertmanagerSpec.externalUrl . }}"
 {{- else if and .Values.alertmanager.ingress.enabled .Values.alertmanager.ingress.hosts }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/ingress.yaml

@@ -14,7 +14,7 @@ metadata:
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
 {{- if .Values.alertmanager.ingress.annotations }}
   annotations:
-{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }}
+    {{- tpl (toYaml .Values.alertmanager.ingress.annotations) . | nindent 4 }}
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
@@ -31,7 +31,7 @@ spec:
   rules:
   {{- if .Values.alertmanager.ingress.hosts }}
   {{- range $host := .Values.alertmanager.ingress.hosts }}
-    - host: {{ tpl $host $ }}
+    - host: {{ tpl $host $ | quote }}
       http:
         paths:
   {{- range $p := $paths }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/ingressperreplica.yaml

@@ -25,7 +25,7 @@ items:
       {{- end }}
       {{- if $ingressValues.annotations }}
       annotations:
-{{ toYaml $ingressValues.annotations | indent 8 }}
+        {{- tpl (toYaml $ingressValues.annotations) $ | nindent 8 }}
       {{- end }}
     spec:
       {{- if $apiIsStable }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/service.yaml

@@ -58,6 +58,11 @@ spec:
     alertmanager: {{ template "kube-prometheus-stack.alertmanager.crname" . }}
 {{- if .Values.alertmanager.service.sessionAffinity }}
   sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }}
+{{- end }}
+{{- if eq .Values.alertmanager.service.sessionAffinity "ClientIP" }}
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: {{ .Values.alertmanager.service.sessionAffinityConfig.clientIP.timeoutSeconds }}
 {{- end }}
   type: "{{ .Values.alertmanager.service.type }}"
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml

@@ -52,7 +52,12 @@ spec:
     {{- if .Values.alertmanager.serviceMonitor.proxyUrl }}
     proxyUrl: {{ .Values.alertmanager.serviceMonitor.proxyUrl}}
     {{- end }}
-    scheme: http
+    {{- if .Values.alertmanager.serviceMonitor.scheme }}
+    scheme: {{ .Values.alertmanager.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.alertmanager.serviceMonitor.tlsConfig }}
+    tlsConfig: {{- toYaml .Values.alertmanager.serviceMonitor.tlsConfig | nindent 6 }}
+    {{- end }}
     path: "/metrics"
     {{- if .Values.alertmanager.serviceMonitor.metricRelabelings }}
     metricRelabelings: {{- tpl (toYaml .Values.alertmanager.serviceMonitor.metricRelabelings | nindent 6) . }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
+{{- if and .Values.coreDns.enabled .Values.coreDns.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,7 +11,7 @@ metadata:
 spec:
   clusterIP: None
   ports:
-    - name: http-metrics
+    - name: {{ .Values.coreDns.serviceMonitor.port }}
       port: {{ .Values.coreDns.service.port }}
       protocol: TCP
       targetPort: {{ .Values.coreDns.service.targetPort }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml

@@ -1,9 +1,13 @@
-{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
+{{- if and .Values.coreDns.enabled .Values.coreDns.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-coredns
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-coredns
   {{- with .Values.coreDns.serviceMonitor.additionalLabels }}
@@ -11,17 +15,21 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.coreDns.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.coreDns.serviceMonitor | nindent 2 }}
   selector:
+    {{- if .Values.coreDns.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.coreDns.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-coredns
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"
   endpoints:
-  - port: http-metrics
+  - port: {{ .Values.coreDns.serviceMonitor.port }}
     {{- if .Values.coreDns.serviceMonitor.interval}}
     interval: {{ .Values.coreDns.serviceMonitor.interval }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-apiserver
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: default
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-apiserver
   {{- with .Values.kubeApiServer.serviceMonitor.additionalLabels }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml

@@ -14,7 +14,7 @@ subsets:
       - ip: {{ . }}
       {{- end }}
     ports:
-      - name: http-metrics
+      - name: {{ .Values.kubeControllerManager.serviceMonitor.port }}
         {{- $kubeControllerManagerDefaultInsecurePort := 10252 }}
         {{- $kubeControllerManagerDefaultSecurePort := 10257 }}
         port: {{ include "kube-prometheus-stack.kubeControllerManager.insecureScrape" (list . $kubeControllerManagerDefaultInsecurePort $kubeControllerManagerDefaultSecurePort .Values.kubeControllerManager.service.port) }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   clusterIP: None
   ports:
-    - name: http-metrics
+    - name: {{ .Values.kubeControllerManager.serviceMonitor.port }}
       {{- $kubeControllerManagerDefaultInsecurePort := 10252 }}
       {{- $kubeControllerManagerDefaultSecurePort := 10257 }}
       port: {{ include "kube-prometheus-stack.kubeControllerManager.insecureScrape" (list . $kubeControllerManagerDefaultInsecurePort $kubeControllerManagerDefaultSecurePort .Values.kubeControllerManager.service.port) }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kube-controller-manager
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kube-controller-manager
   {{- with .Values.kubeControllerManager.serviceMonitor.additionalLabels }}
@@ -11,17 +15,21 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.kubeControllerManager.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.kubeControllerManager.serviceMonitor | nindent 2 }}
   selector:
+    {{- if .Values.kubeControllerManager.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.kubeControllerManager.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-kube-controller-manager
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"
   endpoints:
-  - port: http-metrics
+  - port: {{ .Values.kubeControllerManager.serviceMonitor.port }}
     {{- if .Values.kubeControllerManager.serviceMonitor.interval }}
     interval: {{ .Values.kubeControllerManager.serviceMonitor.interval }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kube-dns
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kube-dns
   {{- with .Values.kubeDns.serviceMonitor.additionalLabels }}
@@ -11,12 +15,16 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.kubeDns.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.kubeDns.serviceMonitor | nindent 2 }}
   selector:
+    {{- if .Values.kubeDns.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.kubeDns.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-kube-dns
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml

@@ -14,7 +14,7 @@ subsets:
       - ip: {{ . }}
       {{- end }}
     ports:
-      - name: http-metrics
+      - name: {{ .Values.kubeEtcd.serviceMonitor.port }}
         port: {{ .Values.kubeEtcd.service.port }}
         protocol: TCP
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   clusterIP: None
   ports:
-    - name: http-metrics
+    - name: {{ .Values.kubeEtcd.serviceMonitor.port }}
       port: {{ .Values.kubeEtcd.service.port }}
       protocol: TCP
       targetPort: {{ .Values.kubeEtcd.service.targetPort }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kube-etcd
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kube-etcd
   {{- with .Values.kubeEtcd.serviceMonitor.additionalLabels }}
@@ -11,17 +15,21 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.kubeEtcd.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.kubeEtcd.serviceMonitor | nindent 4 }}
   selector:
+    {{- if .Values.kubeEtcd.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.kubeEtcd.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-kube-etcd
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"
   endpoints:
-  - port: http-metrics
+  - port: {{ .Values.kubeEtcd.serviceMonitor.port }}
     {{- if .Values.kubeEtcd.serviceMonitor.interval }}
     interval: {{ .Values.kubeEtcd.serviceMonitor.interval }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml

@@ -14,7 +14,7 @@ subsets:
       - ip: {{ . }}
       {{- end }}
     ports:
-      - name: http-metrics
+      - name: {{ .Values.kubeProxy.serviceMonitor.port }}
         port: {{ .Values.kubeProxy.service.port }}
         protocol: TCP
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   clusterIP: None
   ports:
-    - name: http-metrics
+    - name: {{ .Values.kubeProxy.serviceMonitor.port }}
       port: {{ .Values.kubeProxy.service.port }}
       protocol: TCP
       targetPort: {{ .Values.kubeProxy.service.targetPort }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kube-proxy
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kube-proxy
   {{- with .Values.kubeProxy.serviceMonitor.additionalLabels }}
@@ -11,17 +15,21 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.kubeProxy.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.kubeProxy.serviceMonitor | nindent 2 }}
   selector:
+    {{- if .Values.kubeProxy.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.kubeProxy.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-kube-proxy
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"
   endpoints:
-  - port: http-metrics
+  - port: {{ .Values.kubeProxy.serviceMonitor.port }}
     {{- if .Values.kubeProxy.serviceMonitor.interval }}
     interval: {{ .Values.kubeProxy.serviceMonitor.interval }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml

@@ -14,7 +14,7 @@ subsets:
       - ip: {{ . }}
       {{- end }}
     ports:
-      - name: http-metrics
+      - name: {{ .Values.kubeScheduler.serviceMonitor.port }}
         {{- $kubeSchedulerDefaultInsecurePort := 10251 }}
         {{- $kubeSchedulerDefaultSecurePort := 10259 }}
         port: {{ include "kube-prometheus-stack.kubeScheduler.insecureScrape" (list . $kubeSchedulerDefaultInsecurePort $kubeSchedulerDefaultSecurePort .Values.kubeScheduler.service.port)  }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   clusterIP: None
   ports:
-    - name: http-metrics
+    - name: {{ .Values.kubeScheduler.serviceMonitor.port }}
       {{- $kubeSchedulerDefaultInsecurePort := 10251 }}
       {{- $kubeSchedulerDefaultSecurePort := 10259 }}
       port: {{ include "kube-prometheus-stack.kubeScheduler.insecureScrape" (list . $kubeSchedulerDefaultInsecurePort $kubeSchedulerDefaultSecurePort .Values.kubeScheduler.service.port)  }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kube-scheduler
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: kube-system
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kube-scheduler
   {{- with .Values.kubeScheduler.serviceMonitor.additionalLabels }}
@@ -11,17 +15,21 @@ metadata:
   {{- end }}
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
-  jobLabel: jobLabel
+  jobLabel: {{ .Values.kubeScheduler.serviceMonitor.jobLabel }}
   {{- include "servicemonitor.scrapeLimits" .Values.kubeScheduler.serviceMonitor | nindent 2 }}
   selector:
+    {{- if .Values.kubeScheduler.serviceMonitor.selector }}
+    {{ tpl (toYaml .Values.kubeScheduler.serviceMonitor.selector | nindent 4) . }}
+    {{- else }}
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-kube-scheduler
       release: {{ $.Release.Name | quote }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - "kube-system"
   endpoints:
-  - port: http-metrics
+  - port: {{ .Values.kubeScheduler.serviceMonitor.port }}
     {{- if .Values.kubeScheduler.serviceMonitor.interval }}
     interval: {{ .Values.kubeScheduler.serviceMonitor.interval }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml

@@ -3,7 +3,11 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-kubelet
+  {{- if .Values.prometheus.prometheusSpec.ignoreNamespaceSelectors }}
+  namespace: {{ .Values.kubelet.namespace }}
+  {{- else }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-kubelet
   {{- with .Values.kubelet.serviceMonitor.additionalLabels }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/_prometheus-operator.tpl

@@ -0,0 +1,7 @@
+{{/* Generate basic labels for prometheus-operator */}}
+{{- define "kube-prometheus-stack.prometheus-operator.labels" }}
+{{- include "kube-prometheus-stack.labels" . }}
+app: {{ template "kube-prometheus-stack.name" . }}-operator
+app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+app.kubernetes.io/component: prometheus-operator
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/_prometheus-operator-webhook.tpl

@@ -0,0 +1,6 @@
+{{/* Generate basic labels for prometheus-operator-webhook */}}
+{{- define "kube-prometheus-stack.prometheus-operator-webhook.labels" }}
+{{- include "kube-prometheus-stack.labels" . }}
+app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+app.kubernetes.io/component: prometheus-operator-webhook
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml

@@ -0,0 +1,143 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.labels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.prometheusOperator.admissionWebhooks.deployment.replicas }}
+  revisionHistoryLimit: {{ .Values.prometheusOperator.admissionWebhooks.deployment.revisionHistoryLimit }}
+  {{- with .Values.prometheusOperator.admissionWebhooks.deployment.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+      release: {{ $.Release.Name | quote }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 8 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podLabels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podLabels | indent 8 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations }}
+      annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+    {{- if .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }}
+      priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }}
+    {{- end }}
+    {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+      {{- include "kube-prometheus-stack.imagePullSecrets" . | indent 8 }}
+    {{- end }}
+      containers:
+        - name: prometheus-operator-admission-webhook
+          {{- $operatorRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.deployment.image.registry -}}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }}"
+          {{- else }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}"
+          {{- end }}
+          imagePullPolicy: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.pullPolicy }}"
+          args:
+            {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }}
+            - --log-format={{ .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logLevel }}
+            - --log-level={{ .Values.prometheusOperator.admissionWebhooks.deployment.logLevel }}
+            {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+            - "--web.enable-tls=true"
+            - "--web.cert-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.crt{{ else }}cert{{ end }}"
+            - "--web.key-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.key{{ else }}key{{ end }}"
+            - "--web.listen-address=:{{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }}"
+            - "--web.tls-min-version={{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.tlsMinVersion }}"
+          ports:
+            - containerPort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }}
+              name: https
+          {{- else }}
+          ports:
+            - containerPort: 8080
+              name: http
+          {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.failureThreshold }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.resources | indent 12 }}
+          securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.containerSecurityContext | indent 12 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+          volumeMounts:
+            - name: tls-secret
+              mountPath: /cert
+              readOnly: true
+      volumes:
+        - name: tls-secret
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+{{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.dnsConfig }}
+      dnsConfig:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.securityContext }}
+      securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.securityContext | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}-webhook
+      automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.automountServiceAccountToken }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget -}}
+apiVersion: policy/v1{{ ternary "" "beta1" ($.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+      release: {{ $.Release.Name | quote }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget | indent 2 }}
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/service.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.labels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }}
+  clusterIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs }}
+  externalIPs:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range $cidr := .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }}
+    - {{ $cidr }}
+  {{- end }}
+{{- end }}
+{{- if ne .Values.prometheusOperator.admissionWebhooks.deployment.service.type "ClusterIP" }}
+  externalTrafficPolicy: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.externalTrafficPolicy }}
+{{- end }}
+  ports:
+  {{- if not .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+  - name: http
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort" }}
+    nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePort }}
+    {{- end }}
+    port: 8080
+    targetPort: http
+  {{- end }}
+  {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+  - name: https
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort"}}
+    nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePortTls }}
+    {{- end }}
+    port: 443
+    targetPort: https
+  {{- end }}
+  selector:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    release: {{ $.Release.Name | quote }}
+  type: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.service.type }}"
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | indent 4 }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}
+{{- end }}
+{{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml

@@ -15,7 +15,7 @@ metadata:
     {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
-    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   endpointSelector:
     matchLabels:
@@ -23,7 +23,7 @@ spec:
       {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
       {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
       {{- else }}
-      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
       {{- end }}
   egress:
     {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml

@@ -15,7 +15,7 @@ metadata:
     {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
-    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   endpointSelector:
     matchLabels:
@@ -23,7 +23,7 @@ spec:
       {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
       {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
       {{- else }}
-      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
       {{- end }}
   egress:
     {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
@@ -34,4 +34,3 @@ spec:
     {{- end }}
 {{- end }}
 {{- end }}
-

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml

@@ -8,7 +8,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 rules:
   - apiGroups:
       - admissionregistration.k8s.io

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrolebinding.yaml

@@ -8,7 +8,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml

@@ -12,7 +12,7 @@ metadata:
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
@@ -27,7 +27,7 @@ spec:
 {{- end }}
       labels:
         app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
-{{- include "kube-prometheus-stack.labels" $ | indent 8 }}
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 8 }}
     spec:
       {{- if .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
@@ -43,7 +43,7 @@ spec:
           imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
           args:
             - create
-            - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
+            - --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }}
             - --namespace={{ template "kube-prometheus-stack.namespace" . }}
             - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
           {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -12,7 +12,7 @@ metadata:
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
@@ -27,7 +27,7 @@ spec:
 {{- end }}
       labels:
         app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
-{{- include "kube-prometheus-stack.labels" $ | indent 8 }}
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 8 }}
     spec:
       {{- if .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml

@@ -15,7 +15,7 @@ metadata:
     {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
-    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   podSelector:
     matchLabels:
@@ -23,7 +23,7 @@ spec:
       {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
       {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
       {{- else }}
-      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
       {{- end }}
   egress:
   - {}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml

@@ -15,7 +15,7 @@ metadata:
     {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
-    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 spec:
   podSelector:
     matchLabels:
@@ -23,7 +23,7 @@ spec:
       {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
       {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
       {{- else }}
-      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
       {{- end }}
   egress:
   - {}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml

@@ -11,7 +11,7 @@ metadata:
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-admission
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
 spec:
   privileged: false
   # Allow core volume types.

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/role.yaml

@@ -9,7 +9,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 rules:
   - apiGroups:
       - ""

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/rolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/serviceaccount.yaml

@@ -9,7 +9,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -10,7 +10,7 @@ metadata:
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 webhooks:
   - name: prometheusrulemutate.monitoring.coreos.com
     {{- if eq .Values.prometheusOperator.admissionWebhooks.failurePolicy "IgnoreOnInstallOnly" }}
@@ -35,7 +35,7 @@ webhooks:
     clientConfig:
       service:
         namespace: {{ template "kube-prometheus-stack.namespace" . }}
-        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}
+        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}
         path: /admission-prometheusrules/mutate
       {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
       caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
@@ -43,17 +43,24 @@ webhooks:
     timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
     namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
       matchExpressions:
-      {{- if .Values.prometheusOperator.denyNamespaces }}
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
+        {{- toYaml . | nindent 6 }}
+        {{- end }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
       - key: kubernetes.io/metadata.name
         operator: NotIn
         values:
         {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
         - {{ $namespace }}
         {{- end }}
-      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
       - key: kubernetes.io/metadata.name
         operator: In
         values:
@@ -64,6 +71,7 @@ webhooks:
         {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
         - {{ $namespace }}
         {{- end }}
+        {{- end }}
       {{- end }}
     {{- end }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml

@@ -10,7 +10,7 @@ metadata:
 {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" $ }}-admission
-{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
 webhooks:
   - name: prometheusrulemutate.monitoring.coreos.com
     {{- if eq .Values.prometheusOperator.admissionWebhooks.failurePolicy "IgnoreOnInstallOnly" }}
@@ -35,7 +35,7 @@ webhooks:
     clientConfig:
       service:
         namespace: {{ template "kube-prometheus-stack.namespace" . }}
-        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}
+        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}
         path: /admission-prometheusrules/validate
       {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
       caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
@@ -43,26 +43,34 @@ webhooks:
     timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
     namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
       matchExpressions:
-      {{- if .Values.prometheusOperator.denyNamespaces }}
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
-      - key: kubernetes.io/metadata.name
+        {{- toYaml . | nindent 8 }}
-        operator: NotIn
-        values:
-        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} 
-        - {{ $namespace }}
         {{- end }}
-      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
-      - key: kubernetes.io/metadata.name
+        - key: kubernetes.io/metadata.name
-        operator: In
+          operator: NotIn
-        values:
+          values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
+            - {{ $namespace }}
+        {{- end }}
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
         {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
         {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
-        - {{ $namespace }}
+            - {{ $namespace }}
         {{- end }}
         {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
-        - {{ $namespace }}
+            - {{ $namespace }}
+        {{- end }}
         {{- end }}
       {{- end }}
     {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/aggregate-clusterroles.yaml

@@ -8,8 +8,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["monitoring.coreos.com"]
   resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors",  "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"]
@@ -22,8 +21,7 @@ metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["monitoring.coreos.com"]
   resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors",  "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"]

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml

@@ -51,7 +51,5 @@ spec:
     name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
     {{- end }}
   dnsNames:
-  - {{ template "kube-prometheus-stack.operator.fullname" . }}
+    {{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
-  - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}
-  - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
 {{- end -}}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml

@@ -2,19 +2,18 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 spec:
   endpointSelector:
     matchLabels:
-      app: {{ template "kube-prometheus-stack.name" . }}-operator
       {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
       {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
       {{- else }}
-      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+      {{- include "kube-prometheus-stack.prometheus-operator.labels" $ | nindent 6 }}
       {{- end }}
   egress:
     {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml

@@ -2,10 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - monitoring.coreos.com
@@ -76,6 +75,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - patch
+  - create
 - apiGroups:
   - networking.k8s.io
   resources:

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml

@@ -2,14 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
 subjects:
 - kind: ServiceAccount
   name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml

@@ -4,11 +4,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 {{- if .Values.prometheusOperator.labels }}
 {{ toYaml .Values.prometheusOperator.labels | indent 4 }}
 {{- end }}
@@ -23,11 +22,14 @@ spec:
     matchLabels:
       app: {{ template "kube-prometheus-stack.name" . }}-operator
       release: {{ $.Release.Name | quote }}
+  {{- with .Values.prometheusOperator.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   template:
     metadata:
       labels:
-        app: {{ template "kube-prometheus-stack.name" . }}-operator
+        {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 8 }}
-{{ include "kube-prometheus-stack.labels" . | indent 8 }}
 {{- if .Values.prometheusOperator.podLabels }}
 {{ toYaml .Values.prometheusOperator.podLabels | indent 8 }}
 {{- end }}
@@ -144,21 +146,34 @@ spec:
             - containerPort: 8080
               name: http
           {{- end }}
+          env:
+          {{- range $key, $value := .Values.prometheusOperator.env }}
+          - name: {{ $key }}
+            value: {{ $value | quote }}
+          {{- end }}
           resources:
 {{ toYaml .Values.prometheusOperator.resources | indent 12 }}
           securityContext:
 {{ toYaml .Values.prometheusOperator.containerSecurityContext | indent 12 }}
-{{- if .Values.prometheusOperator.tls.enabled }}
           volumeMounts:
+          {{- if .Values.prometheusOperator.tls.enabled }}
             - name: tls-secret
               mountPath: /cert
               readOnly: true
+          {{- end }}
+          {{- with .Values.prometheusOperator.extraVolumeMounts }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
+        {{- if .Values.prometheusOperator.tls.enabled }}
         - name: tls-secret
           secret:
             defaultMode: 420
             secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
-{{- end }}
+        {{- end }}
+        {{- with .Values.prometheusOperator.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     {{- with .Values.prometheusOperator.dnsConfig }}
       dnsConfig:
 {{ toYaml . | indent 8 }}
@@ -168,6 +183,7 @@ spec:
 {{ toYaml .Values.prometheusOperator.securityContext | indent 8 }}
 {{- end }}
       serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.prometheusOperator.automountServiceAccountToken }}
 {{- if .Values.prometheusOperator.hostNetwork }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml

@@ -2,11 +2,10 @@
 apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 spec:
   egress:
     - {}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrole.yaml

@@ -3,10 +3,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator-psp
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 rules:
 {{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
 {{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }}
@@ -17,6 +16,6 @@ rules:
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:
-  - {{ template "kube-prometheus-stack.fullname" . }}-operator
+  - {{ template "kube-prometheus-stack.operator.fullname" . }}
 {{- end }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrolebinding.yaml

@@ -3,14 +3,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator-psp
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator-psp
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
 subjects:
   - kind: ServiceAccount
     name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp.yaml

@@ -3,14 +3,13 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
 {{- if .Values.global.rbac.pspAnnotations }}
   annotations:
 {{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
 {{- end }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
   privileged: false
   # Allow core volume types.

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/service.yaml

@@ -2,11 +2,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 {{- if .Values.prometheusOperator.service.labels }}
 {{ toYaml .Values.prometheusOperator.service.labels | indent 4 }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/serviceaccount.yaml

@@ -5,10 +5,8 @@ metadata:
   name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+automountServiceAccountToken: {{ .Values.prometheusOperator.serviceAccount.automountServiceAccountToken }}
-    app.kubernetes.io/component: prometheus-operator
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml

@@ -2,11 +2,10 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 {{- with .Values.prometheusOperator.serviceMonitor.additionalLabels }}
 {{ toYaml . | indent 4 }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/verticalpodautoscaler.yaml

@@ -2,11 +2,10 @@
 apiVersion: autoscaling.k8s.io/v1
 kind: VerticalPodAutoscaler
 metadata:
-  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
-    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
-{{ include "kube-prometheus-stack.labels" . | indent 4 }}
 spec:
   {{- with .Values.prometheusOperator.verticalPodAutoscaler.recommenders }}
   recommenders:
@@ -33,7 +32,7 @@ spec:
   targetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+    name: {{ template "kube-prometheus-stack.operator.fullname" . }}
   {{- with .Values.prometheusOperator.verticalPodAutoscaler.updatePolicy }}
   updatePolicy:
     {{- toYaml . | nindent 4 }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/_rules.tpl

@@ -8,13 +8,13 @@ rules:
   - "config-reloaders"
   - "etcd"
   - "general.rules"
-  - "k8s.rules.container_cpu_usage_seconds_total"
+  - "k8s.rules.container-cpu-usage-seconds-total"
-  - "k8s.rules.container_memory_cache"
+  - "k8s.rules.container-memory-cache"
-  - "k8s.rules.container_memory_rss"
+  - "k8s.rules.container-memory-rss"
-  - "k8s.rules.container_memory_swap"
+  - "k8s.rules.container-memory-swap"
-  - "k8s.rules.container_memory_working_set_bytes"
+  - "k8s.rules.container-memory-working-set-bytes"
-  - "k8s.rules.container_resource"
+  - "k8s.rules.container-resource"
-  - "k8s.rules.pod_owner"
+  - "k8s.rules.pod-owner"
   - "kube-apiserver-availability.rules"
   - "kube-apiserver-burnrate.rules"
   - "kube-apiserver-histogram.rules"

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml

@@ -24,6 +24,13 @@ rules:
   verbs: ["get", "list", "watch"]
 - nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
   verbs: ["get"]
+{{/* fix(#3338): add required rules to use node-exporter with the RBAC proxy */}}
+{{- if and .Values.nodeExporter.enabled (index .Values "prometheus-node-exporter").kubeRBACProxy.enabled }}
+- apiGroups: [ "" ]
+  resources:
+  - services/{{ include "prometheus-node-exporter.fullname" (index .Subcharts "prometheus-node-exporter") }}
+  verbs: [ "get", "list", "watch" ]
+{{- end }}
 {{- if .Values.prometheus.additionalRulesForClusterRole }}
 {{ toYaml .Values.prometheus.additionalRulesForClusterRole | indent 0 }}
 {{- end }}

charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingress.yaml

@@ -11,7 +11,7 @@ kind: Ingress
 metadata:
 {{- if .Values.prometheus.ingress.annotations }}
   annotations:
-{{ toYaml .Values.prometheus.ingress.annotations | indent 4 }}
+    {{- tpl (toYaml .Values.prometheus.ingress.annotations) . | nindent 4 }}
 {{- end }}
   name: {{ $serviceName }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}