diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index e7f6611b..829c80c1 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md @@ -34,8 +34,10 @@ Kubernetes: `>= 1.24.0` # Gitea -## OpenSSH 8.8 RSA disabled -- https://github.com/go-gitea/gitea/issues/17798 +# Verdaccio + +## Authentication sealed-secret +```htpasswd -n -b -B -C 4 | kubeseal --raw --namespace verdaccio --name verdaccio-htpasswd``` ## Resources diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index f9f7eb55..c6e3f7d3 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-metrics description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. type: application -version: 0.9.0 +version: 0.9.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -19,7 +19,7 @@ dependencies: repository: https://cdn.zero-downtime.net/charts/ # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack - name: kube-prometheus-stack - version: 45.9.1 + version: 45.27.2 # Switch back to upstream once all alerts are fixed eg. etcd gpcr # repository: https://prometheus-community.github.io/helm-charts - name: prometheus-adapter diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index 0f880cd3..3efe1e28 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md 
@@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. @@ -18,7 +18,7 @@ Kubernetes: `>= 1.25.0` | Repository | Name | Version | |------------|------|---------| -| | kube-prometheus-stack | 45.9.1 | +| | kube-prometheus-stack | 45.27.2 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.1.1 | | https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.1.3 | @@ -155,7 +155,7 @@ Kubernetes: `>= 1.25.0` | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].replacement | string | `"$1"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].separator | string | `";"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"node"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"instance"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.cpu | string | `"20m"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.memory | string | `"16Mi"` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | | 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml index ecec7b99..5f4805bd 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml @@ -7,20 +7,20 @@ annotations: url: https://github.com/prometheus-operator/kube-prometheus artifacthub.io/operator: "true" apiVersion: v2 -appVersion: v0.63.0 +appVersion: v0.65.1 dependencies: - condition: kubeStateMetrics.enabled name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts - version: 5.0.* + version: 5.5.* - condition: nodeExporter.enabled name: prometheus-node-exporter repository: https://prometheus-community.github.io/helm-charts - version: 4.14.* + version: 4.16.* - condition: grafana.enabled name: grafana repository: https://grafana.github.io/helm-charts - version: 6.51.* + version: 6.56.* description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus @@ -52,4 +52,4 @@ sources: - https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-operator/kube-prometheus type: application -version: 45.9.1 +version: 45.27.2 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml index be7ac448..c67e3965 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 9.3.8 +appVersion: 9.5.1 description: The leading tool for querying and visualizing time series and metrics. home: https://grafana.net icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png @@ -19,4 +19,4 @@ name: grafana sources: - https://github.com/grafana/grafana type: application -version: 6.51.5 +version: 6.56.2 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md index cd8d3168..c0d93cbd 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md @@ -87,6 +87,7 @@ This version requires Helm >= 3.1.0. | `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` | | `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` | | `ingress.tls` | Ingress TLS configuration | `[]` | +| `ingress.ingressClassName` | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | `""` | | `resources` | CPU/Memory resource requests/limits | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | | `tolerations` | Toleration labels for pod assignment | `[]` | 
@@ -216,8 +217,8 @@ This version requires Helm >= 3.1.0. | `rbac.create` | Create and use RBAC resources | `true` | | `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` | | `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | -| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` | -| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` | +| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false` | +| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `false` | | `rbac.extraRoleRules` | Additional rules to add to the Role | [] | | `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] | | `command` | Define command to be executed by grafana container at startup | `nil` | @@ -251,6 +252,7 @@ This version requires Helm >= 3.1.0. | `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` | | `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` | | `imageRenderer.env` | extra env-vars for image-renderer | `{}` | +| `imageRenderer.envValueFrom` | Environment variables for image-renderer from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` | | `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` | | `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` | | `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` | 
@@ -397,9 +399,41 @@ filters out the ones with a label as defined in `sidecar.datasources.label`. The those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, the data sources in grafana can be imported. +Should you aim for reloading datasources in Grafana each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://..svc.cluster.local/api/admin/provisioning/datasources/reload`. + Secrets are recommended over configmaps for this usecase because datasources usually contain private data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those. +Example values to add a postgres datasource as a kubernetes secret: +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: grafana-datasources + labels: + grafana_datasource: 'true' # default value for: sidecar.datasources.label +stringData: + pg-db.yaml: |- + apiVersion: 1 + datasources: + - name: My pg db datasource + type: postgres + url: my-postgresql-db:5432 + user: db-readonly-user + secureJsonData: + password: 'SUperSEcretPa$$word' + jsonData: + database: my_datase + sslmode: 'disable' # disable/require/verify-ca/verify-full + maxOpenConns: 0 # Grafana v5.4+ + maxIdleConns: 2 # Grafana v5.4+ + connMaxLifetime: 14400 # Grafana v5.4+ + postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10 + timescaledb: false + # allow users to edit datasources from the UI. + editable: false +``` + Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): ```yaml diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl index 68a9b4b9..762603d8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl 
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl
@@ -786,7 +786,7 @@ containers:
 {{- range .Values.extraConfigmapMounts }}
 - name: {{ tpl .name $root }}
 mountPath: {{ tpl .mountPath $root }}
- subPath: {{ (tpl .subPath $root) | default "" }}
+ subPath: {{ tpl (.subPath | default "") $root }}
 readOnly: {{ .readOnly }}
 {{- end }}
 - name: storage
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml
index c4ca270a..2c9a1801 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml
@@ -9,9 +9,9 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 name: {{ include "grafana.fullname" . }}-clusterrole
-{{- if or .Values.sidecar.dashboards.enabled (or .Values.rbac.extraClusterRoleRules (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled)) }}
+{{- if or .Values.sidecar.dashboards.enabled .Values.rbac.extraClusterRoleRules .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
 rules:
- {{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }}
+ {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
 - apiGroups: [""] # "" indicates the core API group
 resources: ["configmaps", "secrets"]
 verbs: ["get", "watch", "list"]
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml
index 00ab74e1..b5f21e88 100644
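Review bot: The new `.Values.sidecar.alerts.enabled` condition widens the trigger for a ClusterRole whose rule grants `get`/`watch`/`list` on `secrets` cluster-wide, so enabling any one sidecar now hands the Grafana service account read access to every Secret in the cluster, not just the ones carrying the sidecar label. The README hunk earlier in this diff documents `rbac.namespaced` as the Role/RoleBinding alternative; a comment above `rules:` such as `# cluster-wide secrets/configmaps read for the sidecars; set rbac.namespaced=true when they only watch this namespace` would steer operators to the narrower grant. Whether a `rbac.namespaced` guard wraps this template is not visible in the hunk.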
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml
@@ -87,7 +87,11 @@ data:
 --connect-timeout 60 \
 --max-time 60 \
 {{- if not $value.b64content }}
+ {{- if not $value.acceptHeader }}
 -H "Accept: application/json" \
+ {{- else }}
+ -H "Accept: {{ $value.acceptHeader }}" \
+ {{- end }}
 {{- if $value.token }}
 -H "Authorization: token {{ $value.token }}" \
 {{- end }}
@@ -95,7 +99,7 @@ data:
 -H "Authorization: Bearer {{ $value.bearerToken }}" \
 {{- end }}
 {{- if $value.basic }}
- -H "Basic: {{ $value.basic }}" \
+ -H "Authorization: Basic {{ $value.basic }}" \
 {{- end }}
 {{- if $value.gitlabToken }}
 -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml
index 96eac4d2..bfa26bb4 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml
@@ -42,6 +42,7 @@ spec:
 {{- if .Values.envRenderSecret }}
 checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }}
 {{- end }}
+ kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml
index 0c3d30c5..93d20e8e 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml
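Review bot: `{{ $value.acceptHeader }}` is spliced into a double-quoted shell argument of the generated curl script with no escaping, so a value containing `"`, `$` or a backslash breaks or rewrites the command; the corrected `Authorization: Basic {{ $value.basic }}` line has the same property. These values come from values.yaml rather than from an untrusted source, so the exposure is operator error, but building the argument with a Helm quoting function (e.g. `-H {{ printf "Accept: %s" $value.acceptHeader | quote }} \`) keeps the script well-formed for quotes, and `$` would still need a note. Note also that every token, bearerToken, basic and gitlabToken header is rendered into a ConfigMap (`data:` is the hunk context), so the credentials are readable to anyone with `configmaps` get in the namespace; a comment pointing at that would be useful. The enclosing script block starts outside the hunk.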
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml
@@ -92,6 +92,11 @@ spec:
 - name: ENABLE_METRICS
 value: "true"
 {{- end }}
+ {{- range $key, $value := .Values.imageRenderer.envValueFrom }}
+ - name: {{ $key | quote }}
+ valueFrom:
+ {{- tpl (toYaml $value) $ | nindent 16 }}
+ {{- end }}
 {{- range $key, $value := .Values.imageRenderer.env }}
 - name: {{ $key | quote }}
 value: {{ $value | quote }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml
index acfab4dc..e6c944a4 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml
@@ -31,6 +31,7 @@ spec:
 {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
 checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- end }}
+ kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml
index b38d2204..edf7a019 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml
@@ -84,7 +84,7 @@ livenessProbe: # schedulerName: "default-scheduler" image: - repository: grafana/grafana + repository: docker.io/grafana/grafana # Overrides the Grafana image tag whose default is the chart appVersion tag: "" sha: "" @@ -100,17 +100,23 @@ image: testFramework: enabled: true - image: "bats/bats" + image: docker.io/bats/bats tag: "v1.4.1" imagePullPolicy: IfNotPresent securityContext: {} securityContext: + runAsNonRoot: true runAsUser: 472 runAsGroup: 472 fsGroup: 472 -containerSecurityContext: {} +containerSecurityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault # Enable creating the grafana configmap createConfigmap: true @@ -137,7 +143,7 @@ extraLabels: {} # priorityClassName: downloadDashboardsImage: - repository: curlimages/curl + repository: docker.io/curlimages/curl tag: 7.85.0 sha: "" pullPolicy: IfNotPresent @@ -146,7 +152,13 @@ downloadDashboards: env: {} envFromSecret: "" resources: {} - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault envValueFrom: {} # ENV_NAME: # configMapKeyRef: @@ -346,7 +358,7 @@ initChownData: ## initChownData container image ## image: - repository: busybox + repository: docker.io/library/busybox tag: "1.31.1" sha: "" pullPolicy: IfNotPresent @@ -364,7 +376,11 @@ initChownData: securityContext: runAsNonRoot: false runAsUser: 0 - + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - CHOWN # Administrator credentials when not using an existing secret (see below) adminUser: admin 
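Review bot: The new `containerSecurityContext` for the Grafana container drops all capabilities and sets `seccompProfile.type: RuntimeDefault` but omits `allowPrivilegeEscalation: false`, which the `downloadDashboards.securityContext` hunk further down this file and the `sidecar.securityContext` hunk in the next file section both include; without it the container still does not satisfy the restricted Pod Security Standard. Suggest adding `allowPrivilegeEscalation: false` next to `capabilities.drop: [ALL]` so the three contexts are consistent. `readOnlyRootFilesystem: true` may also be viable here if Grafana only writes under its data volume — confirm before adding it.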
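Review bot: In the `initChownData.securityContext` hunk the container stays `runAsUser: 0` and gains `capabilities.add: [CHOWN]` without a preceding `drop: [ALL]`, so it still holds the runtime's full default capability set and the `add` changes nothing in practice. Pairing `drop: - ALL` with `add: - CHOWN` limits the root init container to the single capability the chown needs, and `allowPrivilegeEscalation: false` fits here as well. The removed blank line also leaves `- CHOWN` immediately followed by the `# Administrator credentials` comment, which looks like a formatting slip rather than intent.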
@@ -520,6 +536,9 @@ lifecycleHooks: {} plugins: [] # - digrich-bubblechart-panel # - grafana-clock-panel + ## You can also use other plugin download URL, as long as they are valid zip files, + ## and specify the name of the plugin after the semicolon. Like this: + # - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource ## Configure grafana datasources ## ref: http://docs.grafana.org/administration/provisioning/#datasources @@ -676,6 +695,7 @@ dashboards: {} # local-dashboard-azure: # url: https://example.com/repository/test-azure.json # basic: '' + # acceptHeader: '*/*' ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. @@ -777,7 +797,13 @@ sidecar: # requests: # cpu: 50m # memory: 50Mi - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault # skipTlsVerify Set to true to skip tls verification for kube api calls # skipTlsVerify: true enableUniqueFilenames: false @@ -1030,7 +1056,7 @@ imageRenderer: behavior: {} image: # image-renderer Image repository - repository: grafana/grafana-image-renderer + repository: docker.io/grafana/grafana-image-renderer # image-renderer Image tag tag: latest # image-renderer Image sha (optional) 
@@ -1043,12 +1069,29 @@ imageRenderer: # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758 # RENDERING_MODE: clustered # IGNORE_HTTPS_ERRORS: true + + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # image-renderer deployment serviceAccount serviceAccountName: "" # image-renderer deployment securityContext securityContext: {} # image-renderer deployment container securityContext containerSecurityContext: + seccompProfile: + type: RuntimeDefault capabilities: drop: ['ALL'] allowPrivilegeEscalation: false diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml index 0691f093..722d5237 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml @@ -18,4 +18,4 @@ name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 5.0.1 +version: 5.5.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml index cb519a0c..cd1dc465 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml 
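Review bot: The new comment `## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.` does not match the template added in image-renderer-deployment.yaml earlier in this diff, which emits the key verbatim via `{{ $key | quote }}` and runs `tpl` only on the value (`tpl (toYaml $value) $`). Rewording it to `## The value is templated (tpl); the variable name is used as-is.` avoids operators expecting `{{ }}` in the key to expand. The example block below it (`configMapKeyRef` with `name`/`key`) is consistent with the template and can stay.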
@@ -162,6 +162,9 @@ spec:
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
+ {{- with .Values.kubeRBACProxy.volumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
 image: {{ include "kubeRBACProxy.image" . }}
 ports:
@@ -197,6 +200,9 @@ spec:
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
+ {{- with .Values.kubeRBACProxy.volumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
 image: {{ include "kubeRBACProxy.image" . }}
 ports:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml
index adfa1058..e2173d8e 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml
@@ -9,6 +9,10 @@ metadata:
 {{- with .Values.prometheus.monitor.additionalLabels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ {{- with .Values.prometheus.monitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
 {{- with .Values.prometheus.monitor.targetLabels }}
@@ -56,6 +60,13 @@ spec:
 tlsConfig:
 {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }}
 {{- end }}
+ {{- if .Values.prometheus.monitor.bearerTokenFile }}
+ bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}
+ {{- end }}
+ {{- with .Values.prometheus.monitor.bearerTokenSecret }}
+ bearerTokenSecret:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.selfMonitor.enabled }}
 - port: metrics
 {{- if .Values.prometheus.monitor.interval }}
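Review bot: `bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}` emits the path unquoted, and the ServiceMonitor endpoint field `bearerTokenFile` is marked deprecated upstream in favour of `authorization`/Secret-based credentials, which the `bearerTokenSecret` block added right below already covers. Suggest `bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile | quote }}` plus a values.yaml comment steering users to `bearerTokenSecret`. The `endpoints` entry this sits in starts before the hunk.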
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml index 14f66f62..3a293d87 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml @@ -115,6 +115,13 @@ kubeRBACProxy: # cpu: 10m # memory: 32Mi + ## volumeMounts enables mounting custom volumes in rbac-proxy containers + ## Useful for TLS certificates and keys + volumeMounts: [] + # - mountPath: /etc/tls + # name: kube-rbac-proxy-tls + # readOnly: true + serviceAccount: # Specifies whether a ServiceAccount should be created, require rbac true create: true @@ -132,6 +139,7 @@ serviceAccount: prometheus: monitor: enabled: false + annotations: {} additionalLabels: {} namespace: "" jobLabel: "" @@ -164,6 +172,14 @@ prometheus: metricRelabelings: [] relabelings: [] scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name tlsConfig: {} ## Specify if a Pod Security Policy for kube-state-metrics must be created 
@@ -199,11 +215,18 @@ securityContext: runAsGroup: 65534 runAsUser: 65534 fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## Specify security settings for a Container ## Allows overrides and additional options compared to (Pod) securityContext ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -containerSecurityContext: {} +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml index 39101f6f..2c8a6d82 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml @@ -15,4 +15,4 @@ name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.14.0 +version: 4.16.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl index f7b0db2d..84552fe4 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl 
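Review bot: The new `containerSecurityContext` disables privilege escalation and drops all capabilities but does not set `readOnlyRootFilesystem: true`; if the image in use does not write to its root filesystem (kube-state-metrics images are normally distroless static binaries) that line would complete the hardening — confirm against the configured image before adding it. `seccompProfile` is placed at the pod level here, whereas the grafana values in this diff set it per container; both are valid, but a short comment that the pod-level setting is inherited by the kube-rbac-proxy sidecars too would help readers.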
@@ -76,10 +76,12 @@ The image to use
 */}}
 {{- define "prometheus-node-exporter.image" -}}
 {{- if .Values.image.sha }}
+{{- fail "image.sha forbidden. Use image.digest instead" }}
+{{- else if .Values.image.digest }}
 {{- if .Values.global.imageRegistry }}
-{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }}
+{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
 {{- else }}
-{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }}
+{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
 {{- end }}
 {{- else }}
 {{- if .Values.global.imageRegistry }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/networkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/networkpolicy.yaml
new file mode 100644
index 00000000..82572272
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/networkpolicy.yaml
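Review bot: `{{- fail "image.sha forbidden. Use image.digest instead" }}` turns a previously accepted value into a hard render error, which is the right behaviour for a digest-pinning field, but it is a breaking change for existing values files and the `sha: ""` → `digest: ""` rename in the values.yaml hunk later in this diff carries no migration hint. Suggest a comment next to `digest: ""` such as `# renamed from image.sha in 4.16.0; setting image.sha now fails the render`. Only the `sha`/`digest` branch is visible here; the tag-only fallback continues outside the hunk.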
@@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "prometheus-node-exporter.fullname" . }}
+ namespace: {{ include "prometheus-node-exporter.namespace" . }}
+ labels:
+ {{- include "prometheus-node-exporter.labels" $ | nindent 4 }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingress:
+ - ports:
+ - port: {{ .Values.service.port }}
+ policyTypes:
+ - Egress
+ - Ingress
+ podSelector:
+ matchLabels:
+ {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml
index bd8a9a6a..0d7a42ea 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml
@@ -23,6 +23,10 @@ spec:
 {{- else }}
 {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
 {{- end }}
+ {{- with .Values.prometheus.monitor.attachMetadata }}
+ attachMetadata:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 endpoints:
 - port: {{ .Values.service.portName }}
 scheme: {{ .Values.prometheus.monitor.scheme }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
index eb7dc6b1..ff1e53f8 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
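Review bot: The single ingress rule in the new NetworkPolicy lists `ports` but no `from`, so it admits connections to `service.port` from any pod, namespace or IP; together with `policyTypes: [Egress, Ingress]` and no `egress` list it does deny all egress (as the values comment states) but does not actually restrict who may scrape the exporter. A `from` selector for the Prometheus namespace/pods, ideally driven by a `networkPolicy.ingress.from` value, would give the policy real effect. The `annotations` block reuses `.Values.service.annotations`, whose default in the values hunk on the next line is `prometheus.io/scrape: "true"`, which looks copied from the Service template; a dedicated `networkPolicy.annotations` value would be clearer. If the DaemonSet runs with `hostNetwork: true`, NetworkPolicy is not enforced for host-network pods by most CNIs, which deserves a comment above `networkPolicy:` in values.yaml.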
@@ -7,7 +7,7 @@ image: # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }} tag: "" pullPolicy: IfNotPresent - sha: "" + digest: "" imagePullSecrets: [] # - name: "image-pull-secret" @@ -72,6 +72,12 @@ service: annotations: prometheus.io/scrape: "true" +# Set a NetworkPolicy with: +# ingress only on service.port +# no egress permitted +networkPolicy: + enabled: false + # Additional environment variables that will be passed to the daemonset env: {} ## env: @@ -102,6 +108,11 @@ prometheus: ## selectorOverride: {} + ## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. + ## + attachMetadata: + node: false + relabelings: [] metricRelabelings: [] interval: "" diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml index ae433d55..745ced8b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml @@ -13,6 +13,7 @@ metadata: annotations: {{ toYaml .Values.alertmanager.serviceAccount.annotations | indent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.alertmanager.serviceAccount.automountServiceAccountToken }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2}} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml index f77db419..49fbc673 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml 
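Review bot: In the alertmanager serviceaccount.yaml hunk, `automountServiceAccountToken: {{ .Values.alertmanager.serviceAccount.automountServiceAccountToken }}` is rendered unconditionally, and the value's default is not part of this diff; if it is unset the line renders as `automountServiceAccountToken:` (YAML null), the field is dropped on apply and the API server falls back to mounting the token. Either give the value an explicit default or guard the line, e.g. `{{- if hasKey .Values.alertmanager.serviceAccount "automountServiceAccountToken" }}` around it, so the intent is visible in the rendered manifest. The ServiceAccount `metadata` block starts before the hunk.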
@@ -1,4 +1,4 @@
-{{- if .Values.coreDns.enabled }}
+{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml
index 3eb0023d..5447fde4 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.coreDns.enabled }}
+{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
index 543ea752..9ae03e5b 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.kubeApiServer.enabled }}
+{{- if and .Values.kubeApiServer.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml
index eca337da..43094d6a 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml
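Review bot: Every control-plane exporter template is now additionally gated on `.Values.kubernetesServiceMonitors.enabled` — this hunk and the kube-api-server, kube-controller-manager, kube-dns, kube-etcd, kube-proxy, kube-scheduler and kubelet hunks that follow. With Go-template `and`, a missing key evaluates as false, so unless the chart's values.yaml (not in view) defines the key with a true default, the etcd, apiserver, scheduler, controller-manager, kube-proxy, DNS and kubelet Services/Endpoints/ServiceMonitors all vanish on upgrade without any render error, taking the alerts built on them with them. Confirm `kubernetesServiceMonitors.enabled` has a default in the chart values and mention the gate in a comment there, since a silent loss of control-plane telemetry is easy to miss.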
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml
index 197f0f4f..894c983e 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml
index 6bf6287c..4c30636a 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml
index c7bf142d..81b2c993 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.kubeDns.enabled }}
+{{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml
index 81dc32cd..ffb5d04c 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.kubeDns.enabled }}
+{{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml
index 8f07a5cc..babbd3ef 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml
index b2677e28..eb519e62 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml
index b4274dec..2336753e 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml
index 2cb756d1..8e7c0618 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml
index 6a93319e..03aa62b1 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml
index 218a0676..33a30ee7 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml
index 84a14ae6..3b93dc29 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml
index eef9df01..d9fb4575 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml
index 1a8e5d21..a8a8d0bc 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
index dcb94feb..10de3395 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.kubelet.enabled }}
+{{- if and .Values.kubelet.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml
index f7e613bd..22428ec8 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml
@@ -33,7 +33,11 @@ data:
 access: proxy
 isDefault: {{ .Values.grafana.sidecar.datasources.isDefaultDatasource }}
 jsonData:
+ httpMethod: {{ .Values.grafana.sidecar.datasources.httpMethod }}
 timeInterval: {{ $scrapeInterval }}
+ {{- if .Values.grafana.sidecar.datasources.timeout }}
+ timeout: {{ .Values.grafana.sidecar.datasources.timeout }}
+ {{- end }}
 {{- if .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations }}
 exemplarTraceIdDestinations:
 - datasourceUid: {{ .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations.datasourceUid }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml
new file mode 100644
index 00000000..f3a2f710
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml
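Review bot: `httpMethod: {{ .Values.grafana.sidecar.datasources.httpMethod }}` is emitted unconditionally while the neighbouring `timeout` is wrapped in `{{- if }}`; if `httpMethod` is absent from values (the values change for this chart is not in view) the provisioned datasource gets a null `httpMethod`, and whether Grafana rejects that or quietly falls back is not something the template controls. Guard it the same way as `timeout`, e.g. `{{- with .Values.grafana.sidecar.datasources.httpMethod }}httpMethod: {{ . }}{{- end }}`, or pin an explicit default in values.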
@@ -0,0 +1,32 @@ +{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }} +{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-admission-create + namespace: {{ template "kube-prometheus-stack.namespace" . }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + ## Ensure this is run before the job + helm.sh/hook-weight: "-5" + {{- with .Values.prometheusOperator.admissionWebhooks.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ template "kube-prometheus-stack.name" $ }}-admission-create + {{- include "kube-prometheus-stack.labels" $ | nindent 4 }} +spec: + endpointSelector: + matchLabels: + app: {{ template "kube-prometheus-stack.name" $ }}-admission-create + {{- include "kube-prometheus-stack.labels" $ | nindent 6 }} + egress: + {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }} + {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }} + {{- else }} + - toEntities: + - kube-apiserver + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml new file mode 100644 index 00000000..f16857f2 --- /dev/null 
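Review bot: When `prometheusOperator.networkPolicy.cilium.egress` is set, the `{{- else }}` structure under `egress:` makes the user-supplied list a full replacement of the `toEntities: kube-apiserver` default rather than an addition, so an operator who adds, say, a DNS egress rule without re-listing kube-apiserver leaves the admission-create job unable to reach the API and the hook fails; the patchWebhook policy in the next file and the operator policy later in the diff share the same shape. A comment above `egress:` stating that the override replaces the default and must keep kube-apiserver would prevent that, or the default entry could be emitted outside the `{{- else }}` so it is always present. The `{{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}` line uses `{{` where the rest of the file uses `{{-`, which leaves a whitespace-only line before the list — harmless, but inconsistent.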
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }} +{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-admission-patch + namespace: {{ template "kube-prometheus-stack.namespace" . }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + ## Ensure this is run before the job + helm.sh/hook-weight: "-5" + {{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch + {{- include "kube-prometheus-stack.labels" $ | nindent 4 }} +spec: + endpointSelector: + matchLabels: + app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch + {{- include "kube-prometheus-stack.labels" $ | nindent 6 }} + egress: + {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }} + {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }} + {{- else }} + - toEntities: + - kube-apiserver + {{- end }} +{{- end }} +{{- end }} + diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml index 270bf854..c739d656 100644 
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
index 170c651b..f9cd6fbe 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
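Review bot: The existing NetworkPolicy is now rendered only when `prometheusOperator.networkPolicy.flavor` equals `"kubernetes"`; if the chart default for `flavor` is not present (the values.yaml change is not in view), a deployment that set `networkPolicy.enabled: true` before this key existed hits `eq nil "kubernetes"`, which is false or a render error depending on the Go template version, and the policy that was restricting the admission jobs silently stops being applied on upgrade. The same gate is used in the patchWebhook policy in this file section and in the operator and prometheus networkpolicy hunks later in the diff. Confirm `flavor: kubernetes` is a chart default, or make the comparison tolerant of an unset value with `(eq (default "kubernetes" .Values.prometheusOperator.networkPolicy.flavor) "kubernetes")` so previous behaviour is preserved.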
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
index 2dfbc2bb..4abc2bd2 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
@@ -5,8 +5,8 @@ metadata:
 name: {{ template "kube-prometheus-stack.fullname" . }}-admission
 {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
 annotations:
- certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
- cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
+ certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
+ cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
 {{- end }}
 labels:
 app: {{ template "kube-prometheus-stack.name" $ }}-admission
@@ -41,4 +41,27 @@ webhooks: timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None + {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }} + namespaceSelector: + matchExpressions: + {{- if .Values.prometheusOperator.denyNamespaces }} + - key: kubernetes.io/metadata.name + operator: NotIn + values: + {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} + - {{ $namespace }} + {{- end }} + {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }} + - key: kubernetes.io/metadata.name + operator: In + values: + {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }} + {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }} + - {{ $namespace }} + {{- end }} + {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} + - {{ $namespace }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml index 525823c3..f93ccc6b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml 
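Review bot: The namespace names are emitted unquoted at `- {{ $namespace }}` in all three places; a namespace whose name parses as a YAML non-string — `true`, `on`, `no`, or an all-digit label such as `1234`, all valid DNS-1123 labels — renders as a bool or int and the API server rejects the whole webhook configuration, leaving the operator with no admission control at all. Use `- {{ $namespace | quote }}`. Separately, `{{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}` reduces to `if releaseNamespace` (the `default` argument order makes it always return `true`, so the `and` is decided by the first operand alone); when the key is unset the release namespace is therefore left out of the `In` list and objects in the operator's own namespace bypass the webhook, which looks like the opposite of the intended default. If default-true was meant, test key presence instead: `{{- if or (not (hasKey .Values.prometheusOperator.namespaces "releaseNamespace")) .Values.prometheusOperator.namespaces.releaseNamespace }}`. The validatingWebhookConfiguration hunk further down carries the identical block and needs the same two fixes.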
@@ -5,8 +5,8 @@ metadata: name: {{ template "kube-prometheus-stack.fullname" . }}-admission {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }} annotations: - certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} - cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} + certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }} + cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }} {{- end }} labels: app: {{ template "kube-prometheus-stack.name" $ }}-admission @@ -41,4 +41,27 @@ webhooks: timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None + {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }} + namespaceSelector: + matchExpressions: + {{- if .Values.prometheusOperator.denyNamespaces }} + - key: kubernetes.io/metadata.name + operator: NotIn + values: + {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} + - {{ $namespace }} + {{- end }} + {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }} + - key: kubernetes.io/metadata.name + operator: In + values: + {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }} + {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }} + - {{ $namespace }} + {{- end }} + {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} + - {{ $namespace }} + {{- end }} + {{- end }} + {{- end }} {{- end }} 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml new file mode 100644 index 00000000..a598f7bf --- /dev/null +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-operator + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-operator + {{- include "kube-prometheus-stack.labels" . | nindent 4 }} +spec: + endpointSelector: + matchLabels: + app: {{ template "kube-prometheus-stack.name" . }}-operator + {{- include "kube-prometheus-stack.labels" $ | nindent 6 }} + egress: + {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }} + {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }} + {{- else }} + - toEntities: + - kube-apiserver + {{- end }} + ingress: + - toPorts: + - ports: + {{- if .Values.prometheusOperator.tls.enabled }} + - port: {{ .Values.prometheusOperator.tls.internalPort | quote }} + {{- else }} + - port: "8080" + {{- end }} + protocol: "TCP" + rules: + http: + - method: "GET" + path: "/metrics" +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml index 360d6ec1..0747233c 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml 
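Review bot: The ingress rule under `ingress: - toPorts:` has no `fromEndpoints` or `fromEntities`, so any endpoint in the cluster may reach the operator's metrics port as long as the request is `GET /metrics`; a `fromEndpoints` selector for the Prometheus pods would keep the policy least-privilege and match what the plain NetworkPolicy for the operator presumably restricts (that template is not in view). Also, when `prometheusOperator.tls.enabled` is true the same `rules: http:` L7 rule is attached to `tls.internalPort`; Cilium's HTTP proxy cannot parse TLS traffic without termination, so if I read the L7 semantics right every scrape on that port is dropped rather than allowed. Emit the `http` rule only in the non-TLS branch, or add a comment next to `rules:` documenting that the L7 match is incompatible with the TLS listener.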
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml @@ -90,15 +90,24 @@ spec: - --config-reloader-cpu-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.cpu }} - --config-reloader-memory-request={{ .Values.prometheusOperator.prometheusConfigReloader.resources.requests.memory }} - --config-reloader-memory-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.memory }} + {{- if .Values.prometheusOperator.prometheusConfigReloader.enableProbe }} + - --enable-config-reloader-probes=true + {{- end }} {{- if .Values.prometheusOperator.alertmanagerInstanceNamespaces }} - --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }} {{- end }} + {{- if .Values.prometheusOperator.alertmanagerInstanceSelector }} + - --alertmanager-instance-selector={{ .Values.prometheusOperator.alertmanagerInstanceSelector }} + {{- end }} {{- if .Values.prometheusOperator.alertmanagerConfigNamespaces }} - --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }} {{- end }} {{- if .Values.prometheusOperator.prometheusInstanceNamespaces }} - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }} {{- end }} + {{- if .Values.prometheusOperator.prometheusInstanceSelector }} + - --prometheus-instance-selector={{ .Values.prometheusOperator.prometheusInstanceSelector }} + {{- end }} {{- if .Values.prometheusOperator.thanosImage.sha }} - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }} {{- else }} 
@@ -107,8 +116,11 @@ spec:
 {{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }}
 - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }}
 {{- end }}
+ {{- if .Values.prometheusOperator.thanosRulerInstanceSelector }}
+ - --thanos-ruler-instance-selector={{ .Values.prometheusOperator.thanosRulerInstanceSelector }}
+ {{- end }}
 {{- if .Values.prometheusOperator.secretFieldSelector }}
- - --secret-field-selector={{ .Values.prometheusOperator.secretFieldSelector }}
+ - --secret-field-selector={{ tpl (.Values.prometheusOperator.secretFieldSelector) $ }}
 {{- end }}
 {{- if .Values.prometheusOperator.clusterDomain }}
 - --cluster-domain={{ .Values.prometheusOperator.clusterDomain }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
index aeb99895..95492a6e 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ciliumnetworkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ciliumnetworkpolicy.yaml
new file mode 100644
index 00000000..74d61d7c
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ciliumnetworkpolicy.yaml
@@ -0,0 +1,27 @@ +{{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "cilium") }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-prometheus + {{- include "kube-prometheus-stack.labels" . | nindent 4 }} +spec: + endpointSelector: + {{- if .Values.prometheus.networkPolicy.cilium.endpointSelector }} + {{- toYaml .Values.prometheus.networkPolicy.cilium.endpointSelector | nindent 4 }} + {{- else }} + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [prometheus]} + - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]} + {{- end }} + {{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.egress }} + egress: + {{ toYaml .Values.prometheus.networkPolicy.cilium.egress | nindent 4 }} + {{- end }} + {{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.ingress }} + ingress: + {{ toYaml .Values.prometheus.networkPolicy.cilium.ingress | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml index 7a338597..10623cb4 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml 
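Review bot: `{{- if .Values.prometheus.networkPolicy.cilium.endpointSelector }}` dereferences `cilium` without the nil guard the egress and ingress checks two stanzas below use (`and .Values.prometheus.networkPolicy.cilium ...`), so `flavor: cilium` without a `cilium:` map fails the render with a nil-pointer error instead of falling back to the default selector. Make it `{{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.endpointSelector }}` for consistency. Note also that when neither `cilium.egress` nor `cilium.ingress` is set the object renders with an `endpointSelector` and no rule sections, which, as far as I recall Cilium's per-direction default-deny semantics, enforces nothing; a values comment saying the cilium flavour needs explicit ingress/egress rules to have any effect would avoid a false sense of isolation.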
@@ -14,6 +14,7 @@ metadata:
 {{ toYaml .Values.prometheus.thanosIngress.annotations | indent 4 }}
 {{- end }}
 name: {{ template "kube-prometheus-stack.fullname" . }}-thanos-gateway
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
 labels:
 app: {{ template "kube-prometheus-stack.name" . }}-prometheus
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
index 7090440b..5cb2feb5 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.networkPolicy.enabled }}
+{{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "kubernetes") }}
 apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
 metadata:
@@ -9,12 +9,10 @@ metadata:
 namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
 {{- if .Values.prometheus.networkPolicy.egress }}
- ## Deny all egress by default
 egress:
 {{- toYaml .Values.prometheus.networkPolicy.egress | nindent 4 }}
 {{- end }}
 {{- if .Values.prometheus.networkPolicy.ingress }}
- # Deny all ingress by default (prometheus scrapes itself using localhost)
 ingress:
 {{- toYaml .Values.prometheus.networkPolicy.ingress | nindent 4 }}
 {{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
index 0d12a1aa..bd4aaeef 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
@@ -42,10 +42,7 @@ spec: {{- else }} image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}" {{- end }} - version: {{ .Values.prometheus.prometheusSpec.image.tag }} - {{- if .Values.prometheus.prometheusSpec.image.sha }} - sha: {{ .Values.prometheus.prometheusSpec.image.sha }} - {{- end }} + version: {{ default .Values.prometheus.prometheusSpec.image.tag .Values.prometheus.prometheusSpec.version }} {{- end }} {{- if .Values.prometheus.prometheusSpec.additionalArgs }} additionalArgs: @@ -364,7 +361,8 @@ spec: {{- end }} excludedFromEnforcement: {{- range $prometheusDefaultRulesExcludedFromEnforce.rules }} - - resource: prometheusrules + - group: monitoring.coreos.com + resource: prometheusrules namespace: "{{ template "kube-prometheus-stack.namespace" $ }}" name: "{{ printf "%s-%s" (include "kube-prometheus-stack.fullname" $) . | trunc 63 | trimSuffix "-" }}" {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml index 8a47b477..0893c19a 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml @@ -158,6 +158,7 @@ alertmanager: create: true name: "" annotations: {} + automountServiceAccountToken: true ## Configure pod disruption budgets for Alertmanager ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget @@ -822,6 +823,8 @@ grafana: enabled: true label: grafana_dashboard labelValue: "1" + # Allow discovery in all namespaces for dashboards + searchNamespace: ALL ## Annotations for Grafana dashboard configmaps ## @@ -844,6 +847,9 @@ grafana: ## # url: http://prometheus-stack-prometheus:9090/ + ## Prometheus request timeout in seconds + # timeout: 30 + # If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default # defaultDatasourceScrapeInterval: 15s 
@@ -851,6 +857,9 @@ grafana: ## annotations: {} + ## Set method for HTTP to send query to datasource + httpMethod: POST + ## Create datasource for each Pod of Prometheus StatefulSet; ## this uses headless service `prometheus-operated` which is ## created by Prometheus Operator @@ -929,6 +938,11 @@ grafana: # replacement: $1 # action: replace +## Flag to disable all the kubernetes component scrapers +## +kubernetesServiceMonitors: + enabled: true + ## Component scraping the kube api server ## kubeApiServer: @@ -1949,6 +1963,15 @@ prometheusOperator: ## enabled: false + ## Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + # cilium: + # egress: + ## Service account for Alertmanager to use. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @@ -2202,6 +2225,9 @@ prometheusOperator: tag: "" sha: "" + # add prometheus config reloader liveness and readiness probe. Default: false + enableProbe: false + # resource config for prometheusConfigReloader resources: requests: @@ -2219,6 +2245,17 @@ prometheusOperator: tag: v0.30.2 sha: "" + ## Set a Label Selector to filter watched prometheus and prometheusAgent + ## + prometheusInstanceSelector: "" + + ## Set a Label Selector to filter watched alertmanager + ## + alertmanagerInstanceSelector: "" + + ## Set a Label Selector to filter watched thanosRuler + thanosRulerInstanceSelector: "" + ## Set a Field Selector to filter watched secrets ## secretFieldSelector: "" @@ -2235,6 +2272,18 @@ prometheus: ## Configure network policy for the prometheus networkPolicy: enabled: false + + ## Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + # cilium: + # endpointSelector: + # egress: + # ingress: + # egress: # - {} # ingress: 
@@ -2670,6 +2719,10 @@ prometheus: ## enableAdminAPI: false + ## Sets version of Prometheus overriding the Prometheus version as derived + ## from the image tag. Useful in cases where the tag does not follow semver v2. + version: "" + ## WebTLSConfig defines the TLS parameters for HTTPS ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#webtlsconfig web: {} @@ -2780,11 +2833,12 @@ prometheus: ## query: {} - ## Namespaces to be selected for PrometheusRules discovery. - ## If nil, select own namespace. Namespaces to be selected for ServiceMonitor discovery. - ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage - ## + ## If nil, select own namespace. Namespaces to be selected for PrometheusRules discovery. ruleNamespaceSelector: {} + ## Example which selects PrometheusRules in namespaces with label "prometheus" set to "somelabel" + # ruleNamespaceSelector: + # matchLabels: + # prometheus: somelabel ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the ## prometheus resource to be created with selectors based on values in the helm deployment, @@ -2849,10 +2903,12 @@ prometheus: # matchLabels: # prometheus: somelabel - ## Namespaces to be selected for PodMonitor discovery. - ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage - ## + ## If nil, select own namespace. Namespaces to be selected for PodMonitor discovery. podMonitorNamespaceSelector: {} + ## Example which selects PodMonitor in namespaces with label "prometheus" set to "somelabel" + # podMonitorNamespaceSelector: + # matchLabels: + # prometheus: somelabel ## If true, a nil or {} value for prometheus.prometheusSpec.probeSelector will cause the ## prometheus resource to be created with selectors based on values in the helm deployment, 
@@ -2869,10 +2925,12 @@ prometheus: # matchLabels: # prometheus: somelabel - ## Namespaces to be selected for Probe discovery. - ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage - ## + ## If nil, select own namespace. Namespaces to be selected for Probe discovery. probeNamespaceSelector: {} + ## Example which selects Probe in namespaces with label "prometheus" set to "somelabel" + # probeNamespaceSelector: + # matchLabels: + # prometheus: somelabel ## How long to retain metrics ## diff --git a/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json b/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json index 65324b4d..49aadf8f 100644 --- a/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json +++ b/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json @@ -18,7 +18,7 @@ "subdir": "contrib/mixin" } }, - "version": "49b59cc8e5c838bdc5e661de6388a0e348b3985c", + "version": "2a0c9896623cc64543b01bd0bdf1140f6d622a67", "sum": "QTzBqwjnM6cGGVBhOiVJyA+ZVTkmCTuH6C6YW7XKRFw=" }, { @@ -58,7 +58,7 @@ "subdir": "grafana-builder" } }, - "version": "d680faafc0727c4c5086f1624333363e57d2ce81", + "version": "d303b2031264728728dd1e1c05f74f67027139f6", "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" }, { @@ -68,8 +68,8 @@ "subdir": "" } }, - "version": "eed459199703c969afc318ea55b9361ae48180a7", - "sum": "iKDOR7+jXw3Rctog6Z1ofweIK5BLjuGeguIZjXLP8ls=" + "version": "d87b757edc73a5f5b78e9f6a9bbae9023131c946", + "sum": "fsAZNroGj9QOUt63dI78jcahPnCXlBhpfxuPJC3dTac=" }, { "source": { @@ -78,7 +78,7 @@ "subdir": "jsonnet/kube-state-metrics" } }, - "version": "32f8c5e80500855dcdec0c0b7398b580b12f3470", + "version": "5f31736e444a674a969d65aaa9afd9d0864c8639", "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g=" }, { 
@@ -88,7 +88,7 @@ "subdir": "jsonnet/kube-state-metrics-mixin" } }, - "version": "32f8c5e80500855dcdec0c0b7398b580b12f3470", + "version": "5f31736e444a674a969d65aaa9afd9d0864c8639", "sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk=" }, { @@ -98,8 +98,8 @@ "subdir": "jsonnet/kube-prometheus" } }, - "version": "2a955da550e33f75e3a7ecf30d45e8fd19dc6c31", - "sum": "8SUhAtqVsKsqUmDYgmrdZWrvS6bQ1dHnVSi2LFJeCZU=" + "version": "c9e1145027df233fa3d1d7aed86cacbf6001d1f5", + "sum": "Skpy4SojW1KNz8dJpg8J6mx/z596xf9nW8VEGvXnGJg=" }, { "source": { @@ -108,8 +108,8 @@ "subdir": "jsonnet/mixin" } }, - "version": "06b5c4189f3f72737766d86103d049115c3aff48", - "sum": "GQmaVFJwKMiD/P4n3N2LrAZVcwutriWrP8joclDtBYQ=", + "version": "e8841ea9546b08693aefbb945bfebc11c8b33186", + "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=", "name": "prometheus-operator-mixin" }, { @@ -119,8 +119,8 @@ "subdir": "jsonnet/prometheus-operator" } }, - "version": "06b5c4189f3f72737766d86103d049115c3aff48", - "sum": "8XqdRl/MXzaSKjhHkrMFWbrP8Tw0k5tsI5hNfX++1Pw=" + "version": "e8841ea9546b08693aefbb945bfebc11c8b33186", + "sum": "cNcVEO+LVAJK7fGxfL8RAIo/G/9ZU/ZUhCzUpdcgytc=" }, { "source": { @@ -129,7 +129,7 @@ "subdir": "doc/alertmanager-mixin" } }, - "version": "0f14383b61c1e301a70130ecfc22df52bd85df6e", + "version": "f67d03fe2854191bb36dbcb305ec507237583aa2", "sum": "PsK+V7oETCPKu2gLoPfqY0wwPKH9TzhNj6o2xezjjXc=", "name": "alertmanager" }, @@ -140,8 +140,8 @@ "subdir": "docs/node-mixin" } }, - "version": "c8129fadd660ae90598b84791d8915a995a27815", - "sum": "TwdaTm0Z++diiLyaKAAimmC6hBL7XbrJc0RHhBCpAdU=" + "version": "184a4e0893dd5c28e540ca3070f2e3a07f939f11", + "sum": "aFUI56y6Y8EpniS4cfYqrSaHFnxeomIw4S4+Sz8yPtQ=" }, { "source": { @@ -150,7 +150,7 @@ "subdir": "documentation/prometheus-mixin" } }, - "version": "0ab95536115adfe50af249d36d73674be694ca3f", + "version": "5c5fa5c319fca713506fa144ec6768fddf00d466", "sum": "LRx0tbMnoE1p8KEn+i81j2YsA5Sgt3itE5Y6jBf5eOQ=", "name": "prometheus" }, 
@@ -161,8 +161,8 @@ "subdir": "config/crd/bases" } }, - "version": "cd05347647955a378f32a888d194cb0f7c0134a6", - "sum": "bY/Pcrrbynguq8/HaI88cQ3B2hLv/xc+76QILY7IL+g=" + "version": "05405777468aca15ee63824512f8f13af9f08039", + "sum": "MK8+uumteRncS0hkyjocvU2vdtlGbfBRPcU0/mJnU2M=" }, { "source": { @@ -171,7 +171,7 @@ "subdir": "mixin" } }, - "version": "a1ec4d5365e88967e4bb4b0f127d174617ed2bbc", + "version": "cdb395a7100be554e804d61c735b8d4a4b678f11", "sum": "zSLNV/0bN4DcVKojzCqjmhfjtzTY4pDKZXqbAUzw5R0=", "name": "thanos-mixin" } diff --git a/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule b/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule index ed36dcd2..bd789b5f 100644 --- a/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule +++ b/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule @@ -175,7 +175,7 @@ { "alert": "NodeClockSkewDetected", "annotations": { - "description": "Clock on {{ $labels.instance }} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.", + "description": "Clock on {{ $labels.instance }} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.", "runbook_url": "https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected", "summary": "Clock skew detected." }, diff --git a/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule b/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule index 844a84cb..310343e0 100644 --- a/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule +++ b/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule @@ -6,7 +6,7 @@ "app.kubernetes.io/component": "controller", "app.kubernetes.io/name": "prometheus-operator", "app.kubernetes.io/part-of": "kube-prometheus", - "app.kubernetes.io/version": "0.64.1", + "app.kubernetes.io/version": "0.65.1", "prometheus": "k8s", "role": "alert-rules" }, 
diff --git a/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule b/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule
index 0ef1d141..1e5cb5a7 100644
--- a/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule
+++ b/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule
@@ -7,7 +7,7 @@
 "app.kubernetes.io/instance": "k8s",
 "app.kubernetes.io/name": "prometheus",
 "app.kubernetes.io/part-of": "kube-prometheus",
- "app.kubernetes.io/version": "2.43.0",
+ "app.kubernetes.io/version": "2.43.1",
 "prometheus": "k8s",
 "role": "alert-rules"
 },
diff --git a/charts/kubezero-metrics/templates/rules/node-exporter.yaml b/charts/kubezero-metrics/templates/rules/node-exporter.yaml
index 8df72a48..aea973cd 100644
--- a/charts/kubezero-metrics/templates/rules/node-exporter.yaml
+++ b/charts/kubezero-metrics/templates/rules/node-exporter.yaml
@@ -125,7 +125,7 @@ spec:
 severity: warning
 - alert: NodeClockSkewDetected
 annotations:
- description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.
+ description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.
 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected
 summary: Clock skew detected.
 expr: "(\n node_timex_offset_seconds{job=\"node-exporter\"} > 0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) >= 0\n)\nor\n(\n node_timex_offset_seconds{job=\"node-exporter\"} < -0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) <= 0\n)\n"
diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml
index d8e6dac1..04653a97 100644
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@@ -85,7 +85,7 @@ kube-prometheus-stack:
 - sourceLabels: [__meta_kubernetes_pod_node_name]
 separator: ;
 regex: ^(.*)$
- targetLabel: node
+ targetLabel: instance
 replacement: $1
 action: replace
 resources:
diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md
index 3acc3559..85decaa0 100644
--- a/charts/kubezero-redis/README.md
+++ b/charts/kubezero-redis/README.md
@@ -1,6 +1,6 @@
 # kubezero-redis
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for Redis HA
@@ -14,7 +14,7 @@ KubeZero Umbrella Chart for Redis HA
 ## Requirements
-Kubernetes: `>= 1.20.0`
+Kubernetes: `>= 1.25.0`
 | Repository | Name | Version |
 |------------|------|---------|
diff --git a/charts/kubezero/Chart.yaml b/charts/kubezero/Chart.yaml
index 90bc9753..7bc8592d 100644
--- a/charts/kubezero/Chart.yaml
+++ b/charts/kubezero/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero
 description: KubeZero - Root App of Apps chart
 type: application
-version: 1.25.8
+version: 1.25.8-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md
index ae0d52ab..fe0f8b80 100644
--- a/charts/kubezero/README.md
+++ b/charts/kubezero/README.md
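Review bot: Re-pointing the node-exporter relabeling from `targetLabel: node` to `targetLabel: instance` drops the `node` label from every node-exporter series, so any recording rules, alerts or dashboards outside this chart that still join on `node` will silently stop matching, and the scrape-time `instance` (pod address) is overwritten with the node name, which is presumably what the bundled node mixin expects. If both labels are wanted, keep the original entry and add a second relabeling with `targetLabel: instance` rather than replacing it. A one-line comment above the entry such as `# node-exporter mixin keys on instance = node name` would record why the default scrape label is being overwritten.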
@@ -1,6 +1,6 @@
 # kubezero
-![Version: 1.25.8](https://img.shields.io/badge/Version-1.25.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.25.8-1](https://img.shields.io/badge/Version-1.25.8--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero - Root App of Apps chart
@@ -67,7 +67,7 @@ Kubernetes: `>= 1.25.0`
 | metrics.istio.grafana | object | `{}` | |
 | metrics.istio.prometheus | object | `{}` | |
 | metrics.namespace | string | `"monitoring"` | |
-| metrics.targetRevision | string | `"0.9.0"` | |
+| metrics.targetRevision | string | `"0.9.1"` | |
 | network.cilium.cluster | object | `{}` | |
 | network.enabled | bool | `true` | |
 | network.retain | bool | `true` | |
diff --git a/charts/kubezero/templates/metrics.yaml b/charts/kubezero/templates/metrics.yaml
index c8ef51ba..69280c07 100644
--- a/charts/kubezero/templates/metrics.yaml
+++ b/charts/kubezero/templates/metrics.yaml
@@ -1,3 +1,60 @@
+{{- define "_kube-prometheus-stack" }}
+
+{{- if .global.aws }}
+alertmanager:
+ config:
+ receivers:
+ - name: 'null'
+ - name: alerthub-notifications
+ webhook_configs:
+ - send_resolved: true
+ url: http://localhost:9087/alert/AlertHub
+ route:
+ receiver: alerthub-notifications
+prometheus:
+ prometheusSpec:
+ externalLabels:
+ awsAccount: '{{ .global.aws.accountId }}'
+ awsRegion: {{ .global.aws.region }}
+ clusterName: {{ .global.clusterName }}
+ volumes:
+ - name: aws-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+ volumeMounts:
+ - name: aws-token
+ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+ readOnly: true
+ additionalScrapeConfigs:
+ - job_name: 'nodes'
+ ec2_sd_configs:
+ - port: 9100
+ region: {{ .global.aws.region }}
+ filters:
+ - name: 'tag-key'
+ values: ['zdt:prometheus.node-exporter']
+ relabel_configs:
+ - source_labels:
+ - '__meta_ec2_instance_id'
+ target_label: 'instance_id'
+ - source_labels:
+ - '__meta_ec2_availability_zone'
+ target_label: 'availability_zone'
+ - source_labels:
+ - '__meta_ec2_private_dns_name'
+ target_label: 'instance'
+ - source_labels:
+ - '__meta_ec2_tag_Name'
+ target_label: 'instance'
+{{- end }}
+
+{{- end }}
+
+
 {{- define "metrics-values" }}
 {{- with .Values.metrics.istio }}
@@ -6,7 +63,7 @@ istio:
 {{- end }}
 {{- with index .Values "metrics" "kube-prometheus-stack" }}
 kube-prometheus-stack:
- {{- toYaml . | nindent 2 }}
+ {{- toYaml ( merge ( include "_kube-prometheus-stack" $.Values | fromYaml ) . ) | nindent 2 }}
 {{- end }}
 {{- with index .Values "metrics" "prometheus-adapter" }}
 prometheus-adapter:
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 187dd6bc..029ee0e2 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
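Review bot: The `merge` call in the second hunk gives the generated AWS defaults precedence over the operator's own values: sprig's `merge dst src` keeps existing keys of `dst`, and `dst` here is the `_kube-prometheus-stack` output, so a value such as `alertmanager.config.route.receiver` or `prometheus.prometheusSpec.externalLabels.clusterName` set under `metrics.kube-prometheus-stack` in values is silently ignored whenever `.global.aws` is set. Lists are not merged at all, so `receivers`, `volumes`, `volumeMounts` and `additionalScrapeConfigs` come wholesale from whichever side wins. If values are meant to be able to override the defaults, reverse the precedence with `{{- toYaml ( mergeOverwrite ( include "_kube-prometheus-stack" $.Values | fromYaml ) . ) | nindent 2 }}` and record the list behaviour next to the define, e.g. `{{/* AWS defaults for kube-prometheus-stack; maps merge, lists are replaced wholesale */}}`. In the first hunk `awsRegion` and `clusterName` are emitted unquoted while `awsAccount` is quoted; quoting all three (`awsRegion: '{{ .global.aws.region }}'`, `clusterName: '{{ .global.clusterName }}'`) keeps an empty or numeric-looking cluster name from being rendered as null or retyped by `fromYaml`.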
@@ -76,7 +76,7 @@ istio-private-ingress:
 metrics:
 enabled: false
 namespace: monitoring
- targetRevision: 0.9.0
+ targetRevision: 0.9.1
 istio:
 grafana: {}
 prometheus: {}