Latest metrics incl. support for cluster external node-exporter

Stefan Reimer 2023-05-13 08:38:33 +00:00
parent ad99454f8f
commit ed04b43192
67 changed files with 582 additions and 110 deletions


@ -34,8 +34,10 @@ Kubernetes: `>= 1.24.0`
# Gitea # Gitea
## OpenSSH 8.8 RSA disabled # Verdaccio
- https://github.com/go-gitea/gitea/issues/17798
## Authentication sealed-secret
```htpasswd -n -b -B -C 4 <username> <password> | kubeseal --raw --namespace verdaccio --name verdaccio-htpasswd```
## Resources ## Resources


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-metrics name: kubezero-metrics
description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
type: application type: application
version: 0.9.0 version: 0.9.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -19,7 +19,7 @@ dependencies:
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
# https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
- name: kube-prometheus-stack - name: kube-prometheus-stack
version: 45.9.1 version: 45.27.2
# Switch back to upstream once all alerts are fixed eg. etcd gpcr # Switch back to upstream once all alerts are fixed eg. etcd gpcr
# repository: https://prometheus-community.github.io/helm-charts # repository: https://prometheus-community.github.io/helm-charts
- name: prometheus-adapter - name: prometheus-adapter


@ -1,6 +1,6 @@
# kubezero-metrics # kubezero-metrics
![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
@ -18,7 +18,7 @@ Kubernetes: `>= 1.25.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | kube-prometheus-stack | 45.9.1 | | | kube-prometheus-stack | 45.27.2 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.1.1 | | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.1.1 |
| https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.1.3 | | https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.1.3 |
@ -155,7 +155,7 @@ Kubernetes: `>= 1.25.0`
| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].replacement | string | `"$1"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].replacement | string | `"$1"` | |
| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].separator | string | `";"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].separator | string | `";"` | |
| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | |
| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"node"` | | | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"instance"` | |
| kube-prometheus-stack.prometheus-node-exporter.resources.requests.cpu | string | `"20m"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.cpu | string | `"20m"` | |
| kube-prometheus-stack.prometheus-node-exporter.resources.requests.memory | string | `"16Mi"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.memory | string | `"16Mi"` | |
| kube-prometheus-stack.prometheus.enabled | bool | `true` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | |


@ -7,20 +7,20 @@ annotations:
url: https://github.com/prometheus-operator/kube-prometheus url: https://github.com/prometheus-operator/kube-prometheus
artifacthub.io/operator: "true" artifacthub.io/operator: "true"
apiVersion: v2 apiVersion: v2
appVersion: v0.63.0 appVersion: v0.65.1
dependencies: dependencies:
- condition: kubeStateMetrics.enabled - condition: kubeStateMetrics.enabled
name: kube-state-metrics name: kube-state-metrics
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
version: 5.0.* version: 5.5.*
- condition: nodeExporter.enabled - condition: nodeExporter.enabled
name: prometheus-node-exporter name: prometheus-node-exporter
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
version: 4.14.* version: 4.16.*
- condition: grafana.enabled - condition: grafana.enabled
name: grafana name: grafana
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts
version: 6.51.* version: 6.56.*
description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards,
and Prometheus rules combined with documentation and scripts to provide easy to and Prometheus rules combined with documentation and scripts to provide easy to
operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus
@ -52,4 +52,4 @@ sources:
- https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-community/helm-charts
- https://github.com/prometheus-operator/kube-prometheus - https://github.com/prometheus-operator/kube-prometheus
type: application type: application
version: 45.9.1 version: 45.27.2


@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: 9.3.8 appVersion: 9.5.1
description: The leading tool for querying and visualizing time series and metrics. description: The leading tool for querying and visualizing time series and metrics.
home: https://grafana.net home: https://grafana.net
icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
@ -19,4 +19,4 @@ name: grafana
sources: sources:
- https://github.com/grafana/grafana - https://github.com/grafana/grafana
type: application type: application
version: 6.51.5 version: 6.56.2


@ -87,6 +87,7 @@ This version requires Helm >= 3.1.0.
| `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` | | `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` |
| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` | | `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` |
| `ingress.tls` | Ingress TLS configuration | `[]` | | `ingress.tls` | Ingress TLS configuration | `[]` |
| `ingress.ingressClassName` | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | `""` |
| `resources` | CPU/Memory resource requests/limits | `{}` | | `resources` | CPU/Memory resource requests/limits | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Toleration labels for pod assignment | `[]` | | `tolerations` | Toleration labels for pod assignment | `[]` |
@ -216,8 +217,8 @@ This version requires Helm >= 3.1.0.
| `rbac.create` | Create and use RBAC resources | `true` | | `rbac.create` | Create and use RBAC resources | `true` |
| `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` | | `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` |
| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | | `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` |
| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` | | `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false` |
| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` | | `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `false` |
| `rbac.extraRoleRules` | Additional rules to add to the Role | [] | | `rbac.extraRoleRules` | Additional rules to add to the Role | [] |
| `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] | | `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] |
| `command` | Define command to be executed by grafana container at startup | `nil` | | `command` | Define command to be executed by grafana container at startup | `nil` |
@ -251,6 +252,7 @@ This version requires Helm >= 3.1.0.
| `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` | | `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` |
| `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` | | `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` |
| `imageRenderer.env` | extra env-vars for image-renderer | `{}` | | `imageRenderer.env` | extra env-vars for image-renderer | `{}` |
| `imageRenderer.envValueFrom` | Environment variables for image-renderer from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
| `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` | | `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` |
| `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` | | `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` |
| `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` | | `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` |
@ -397,9 +399,41 @@ filters out the ones with a label as defined in `sidecar.datasources.label`. The
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
the data sources in grafana can be imported. the data sources in grafana can be imported.
Should you aim for reloading datasources in Grafana each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://<svc-name>.<namespace>.svc.cluster.local/api/admin/provisioning/datasources/reload`.
Secrets are recommended over configmaps for this usecase because datasources usually contain private Secrets are recommended over configmaps for this usecase because datasources usually contain private
data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those. data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
Example values to add a postgres datasource as a kubernetes secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: grafana-datasources
labels:
grafana_datasource: 'true' # default value for: sidecar.datasources.label
stringData:
pg-db.yaml: |-
apiVersion: 1
datasources:
- name: My pg db datasource
type: postgres
url: my-postgresql-db:5432
user: db-readonly-user
secureJsonData:
password: 'SUperSEcretPa$$word'
jsonData:
database: my_datase
sslmode: 'disable' # disable/require/verify-ca/verify-full
maxOpenConns: 0 # Grafana v5.4+
maxIdleConns: 2 # Grafana v5.4+
connMaxLifetime: 14400 # Grafana v5.4+
postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
timescaledb: false
# <bool> allow users to edit datasources from the UI.
editable: false
```
Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file):
```yaml ```yaml


@ -786,7 +786,7 @@ containers:
{{- range .Values.extraConfigmapMounts }} {{- range .Values.extraConfigmapMounts }}
- name: {{ tpl .name $root }} - name: {{ tpl .name $root }}
mountPath: {{ tpl .mountPath $root }} mountPath: {{ tpl .mountPath $root }}
subPath: {{ (tpl .subPath $root) | default "" }} subPath: {{ tpl (.subPath | default "") $root }}
readOnly: {{ .readOnly }} readOnly: {{ .readOnly }}
{{- end }} {{- end }}
- name: storage - name: storage


@ -9,9 +9,9 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "grafana.fullname" . }}-clusterrole name: {{ include "grafana.fullname" . }}-clusterrole
{{- if or .Values.sidecar.dashboards.enabled (or .Values.rbac.extraClusterRoleRules (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled)) }} {{- if or .Values.sidecar.dashboards.enabled .Values.rbac.extraClusterRoleRules .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
rules: rules:
{{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }} {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
- apiGroups: [""] # "" indicates the core API group - apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "secrets"] resources: ["configmaps", "secrets"]
verbs: ["get", "watch", "list"] verbs: ["get", "watch", "list"]
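Review bot: Enabling `sidecar.alerts.enabled` on its own is now enough to emit the rule granting `get`, `watch` and `list` on both `configmaps` and `secrets`, and because this object is named `-clusterrole` that read access to Secrets presumably covers every namespace. The sidecars only need objects carrying their label, so installations that do not need cross-namespace discovery should set `rbac.namespaced: true`, which the chart README describes as creating a Role and RoleBinding instead. A comment above the rule, for example `# cluster-wide read of all Secrets; prefer rbac.namespaced when sidecars watch a single namespace`, would make the trade-off visible to whoever flips a sidecar flag. The template starts and ends outside this hunk, so any outer guard on `rbac.namespaced` cannot be confirmed from here.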


@ -87,7 +87,11 @@ data:
--connect-timeout 60 \ --connect-timeout 60 \
--max-time 60 \ --max-time 60 \
{{- if not $value.b64content }} {{- if not $value.b64content }}
{{- if not $value.acceptHeader }}
-H "Accept: application/json" \ -H "Accept: application/json" \
{{- else }}
-H "Accept: {{ $value.acceptHeader }}" \
{{- end }}
{{- if $value.token }} {{- if $value.token }}
-H "Authorization: token {{ $value.token }}" \ -H "Authorization: token {{ $value.token }}" \
{{- end }} {{- end }}
@ -95,7 +99,7 @@ data:
-H "Authorization: Bearer {{ $value.bearerToken }}" \ -H "Authorization: Bearer {{ $value.bearerToken }}" \
{{- end }} {{- end }}
{{- if $value.basic }} {{- if $value.basic }}
-H "Basic: {{ $value.basic }}" \ -H "Authorization: Basic {{ $value.basic }}" \
{{- end }} {{- end }}
{{- if $value.gitlabToken }} {{- if $value.gitlabToken }}
-H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
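Review bot: `{{ $value.acceptHeader }}` is pasted into a double-quoted shell argument without any escaping, so a value containing `"`, `$` or a backtick alters the generated curl command rather than the header; the `token`, `bearerToken`, `basic` and `gitlabToken` lines around it are built the same way. The values come from chart values, so this is mostly a robustness concern, but validating or escaping them before rendering would be safer, and the four-line if/else could shrink to `-H "Accept: {{ $value.acceptHeader | default "application/json" }}" \`. The hunk header places these lines under `data:`, which suggests the credentials are rendered in clear text into a ConfigMap-style object; if so, anyone allowed to read that object can read them, and taking them from a Secret through environment variables would be preferable. The script continues outside the hunk.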


@ -42,6 +42,7 @@ spec:
{{- if .Values.envRenderSecret }} {{- if .Values.envRenderSecret }}
checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }}
{{- end }} {{- end }}
kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
{{- with .Values.podAnnotations }} {{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}


@ -92,6 +92,11 @@ spec:
- name: ENABLE_METRICS - name: ENABLE_METRICS
value: "true" value: "true"
{{- end }} {{- end }}
{{- range $key, $value := .Values.imageRenderer.envValueFrom }}
- name: {{ $key | quote }}
valueFrom:
{{- tpl (toYaml $value) $ | nindent 16 }}
{{- end }}
{{- range $key, $value := .Values.imageRenderer.env }} {{- range $key, $value := .Values.imageRenderer.env }}
- name: {{ $key | quote }} - name: {{ $key | quote }}
value: {{ $value | quote }} value: {{ $value | quote }}


@ -31,6 +31,7 @@ spec:
{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }} {{- end }}
kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
{{- with .Values.podAnnotations }} {{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}


@ -84,7 +84,7 @@ livenessProbe:
# schedulerName: "default-scheduler" # schedulerName: "default-scheduler"
image: image:
repository: grafana/grafana repository: docker.io/grafana/grafana
# Overrides the Grafana image tag whose default is the chart appVersion # Overrides the Grafana image tag whose default is the chart appVersion
tag: "" tag: ""
sha: "" sha: ""
@ -100,17 +100,23 @@ image:
testFramework: testFramework:
enabled: true enabled: true
image: "bats/bats" image: docker.io/bats/bats
tag: "v1.4.1" tag: "v1.4.1"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: {} securityContext: {}
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 472 runAsUser: 472
runAsGroup: 472 runAsGroup: 472
fsGroup: 472 fsGroup: 472
containerSecurityContext: {} containerSecurityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# Enable creating the grafana configmap # Enable creating the grafana configmap
createConfigmap: true createConfigmap: true
@ -137,7 +143,7 @@ extraLabels: {}
# priorityClassName: # priorityClassName:
downloadDashboardsImage: downloadDashboardsImage:
repository: curlimages/curl repository: docker.io/curlimages/curl
tag: 7.85.0 tag: 7.85.0
sha: "" sha: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -146,7 +152,13 @@ downloadDashboards:
env: {} env: {}
envFromSecret: "" envFromSecret: ""
resources: {} resources: {}
securityContext: {} securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
envValueFrom: {} envValueFrom: {}
# ENV_NAME: # ENV_NAME:
# configMapKeyRef: # configMapKeyRef:
@ -346,7 +358,7 @@ initChownData:
## initChownData container image ## initChownData container image
## ##
image: image:
repository: busybox repository: docker.io/library/busybox
tag: "1.31.1" tag: "1.31.1"
sha: "" sha: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -364,7 +376,11 @@ initChownData:
securityContext: securityContext:
runAsNonRoot: false runAsNonRoot: false
runAsUser: 0 runAsUser: 0
seccompProfile:
type: RuntimeDefault
capabilities:
add:
- CHOWN
# Administrator credentials when not using an existing secret (see below) # Administrator credentials when not using an existing secret (see below)
adminUser: admin adminUser: admin
@ -520,6 +536,9 @@ lifecycleHooks: {}
plugins: [] plugins: []
# - digrich-bubblechart-panel # - digrich-bubblechart-panel
# - grafana-clock-panel # - grafana-clock-panel
## You can also use other plugin download URL, as long as they are valid zip files,
## and specify the name of the plugin after the semicolon. Like this:
# - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource
## Configure grafana datasources ## Configure grafana datasources
## ref: http://docs.grafana.org/administration/provisioning/#datasources ## ref: http://docs.grafana.org/administration/provisioning/#datasources
@ -676,6 +695,7 @@ dashboards: {}
# local-dashboard-azure: # local-dashboard-azure:
# url: https://example.com/repository/test-azure.json # url: https://example.com/repository/test-azure.json
# basic: '' # basic: ''
# acceptHeader: '*/*'
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
@ -777,7 +797,13 @@ sidecar:
# requests: # requests:
# cpu: 50m # cpu: 50m
# memory: 50Mi # memory: 50Mi
securityContext: {} securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# skipTlsVerify Set to true to skip tls verification for kube api calls # skipTlsVerify Set to true to skip tls verification for kube api calls
# skipTlsVerify: true # skipTlsVerify: true
enableUniqueFilenames: false enableUniqueFilenames: false
@ -1030,7 +1056,7 @@ imageRenderer:
behavior: {} behavior: {}
image: image:
# image-renderer Image repository # image-renderer Image repository
repository: grafana/grafana-image-renderer repository: docker.io/grafana/grafana-image-renderer
# image-renderer Image tag # image-renderer Image tag
tag: latest tag: latest
# image-renderer Image sha (optional) # image-renderer Image sha (optional)
@ -1043,12 +1069,29 @@ imageRenderer:
# RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758 # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
# RENDERING_MODE: clustered # RENDERING_MODE: clustered
# IGNORE_HTTPS_ERRORS: true # IGNORE_HTTPS_ERRORS: true
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
## Renders in container spec as:
## env:
## ...
## - name: <key>
## valueFrom:
## <value rendered as YAML>
envValueFrom: {}
# ENV_NAME:
# configMapKeyRef:
# name: configmap-name
# key: value_key
# image-renderer deployment serviceAccount # image-renderer deployment serviceAccount
serviceAccountName: "" serviceAccountName: ""
# image-renderer deployment securityContext # image-renderer deployment securityContext
securityContext: {} securityContext: {}
# image-renderer deployment container securityContext # image-renderer deployment container securityContext
containerSecurityContext: containerSecurityContext:
seccompProfile:
type: RuntimeDefault
capabilities: capabilities:
drop: ['ALL'] drop: ['ALL']
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
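Review bot: The `initChownData.securityContext` hunk adds `capabilities.add: [CHOWN]` but drops nothing, so the init container (UID 0, `runAsNonRoot: false`) keeps the runtime's full default capability set, and the `add` is likely a no-op since CHOWN is normally part of that set. Adding `drop: [ALL]` next to the `add` would actually reduce the container to the one capability it needs; verify that the recursive chown still succeeds on the target volume afterwards, since losing DAC_OVERRIDE can affect directory traversal. The main `containerSecurityContext` also omits `allowPrivilegeEscalation: false`, which the `downloadDashboards` and `sidecar` contexts in this same section set. Separately, `imageRenderer.image.tag: latest` with an empty `sha` leaves that image unpinned even though the repository is now fully qualified; a fixed tag or digest would make rollouts reproducible.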


@ -18,4 +18,4 @@ name: kube-state-metrics
sources: sources:
- https://github.com/kubernetes/kube-state-metrics/ - https://github.com/kubernetes/kube-state-metrics/
type: application type: application
version: 5.0.1 version: 5.5.0


@ -162,6 +162,9 @@ spec:
volumeMounts: volumeMounts:
- name: kube-rbac-proxy-config - name: kube-rbac-proxy-config
mountPath: /etc/kube-rbac-proxy-config mountPath: /etc/kube-rbac-proxy-config
{{- with .Values.kubeRBACProxy.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
image: {{ include "kubeRBACProxy.image" . }} image: {{ include "kubeRBACProxy.image" . }}
ports: ports:
@ -197,6 +200,9 @@ spec:
volumeMounts: volumeMounts:
- name: kube-rbac-proxy-config - name: kube-rbac-proxy-config
mountPath: /etc/kube-rbac-proxy-config mountPath: /etc/kube-rbac-proxy-config
{{- with .Values.kubeRBACProxy.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
image: {{ include "kubeRBACProxy.image" . }} image: {{ include "kubeRBACProxy.image" . }}
ports: ports:


@ -9,6 +9,10 @@ metadata:
{{- with .Values.prometheus.monitor.additionalLabels }} {{- with .Values.prometheus.monitor.additionalLabels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with .Values.prometheus.monitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec: spec:
jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
{{- with .Values.prometheus.monitor.targetLabels }} {{- with .Values.prometheus.monitor.targetLabels }}
@ -56,6 +60,13 @@ spec:
tlsConfig: tlsConfig:
{{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.prometheus.monitor.bearerTokenFile }}
bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}
{{- end }}
{{- with .Values.prometheus.monitor.bearerTokenSecret }}
bearerTokenSecret:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.selfMonitor.enabled }} {{- if .Values.selfMonitor.enabled }}
- port: metrics - port: metrics
{{- if .Values.prometheus.monitor.interval }} {{- if .Values.prometheus.monitor.interval }}


@ -115,6 +115,13 @@ kubeRBACProxy:
# cpu: 10m # cpu: 10m
# memory: 32Mi # memory: 32Mi
## volumeMounts enables mounting custom volumes in rbac-proxy containers
## Useful for TLS certificates and keys
volumeMounts: []
# - mountPath: /etc/tls
# name: kube-rbac-proxy-tls
# readOnly: true
serviceAccount: serviceAccount:
# Specifies whether a ServiceAccount should be created, require rbac true # Specifies whether a ServiceAccount should be created, require rbac true
create: true create: true
@ -132,6 +139,7 @@ serviceAccount:
prometheus: prometheus:
monitor: monitor:
enabled: false enabled: false
annotations: {}
additionalLabels: {} additionalLabels: {}
namespace: "" namespace: ""
jobLabel: "" jobLabel: ""
@ -164,6 +172,14 @@ prometheus:
metricRelabelings: [] metricRelabelings: []
relabelings: [] relabelings: []
scheme: "" scheme: ""
## File to read bearer token for scraping targets
bearerTokenFile: ""
## Secret to mount to read bearer token for scraping targets. The secret needs
## to be in the same namespace as the service monitor and accessible by the
## Prometheus Operator
bearerTokenSecret: {}
# name: secret-name
# key: key-name
tlsConfig: {} tlsConfig: {}
## Specify if a Pod Security Policy for kube-state-metrics must be created ## Specify if a Pod Security Policy for kube-state-metrics must be created
@ -199,11 +215,18 @@ securityContext:
runAsGroup: 65534 runAsGroup: 65534
runAsUser: 65534 runAsUser: 65534
fsGroup: 65534 fsGroup: 65534
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
## Specify security settings for a Container ## Specify security settings for a Container
## Allows overrides and additional options compared to (Pod) securityContext ## Allows overrides and additional options compared to (Pod) securityContext
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext: {} containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
## Node labels for pod assignment ## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/


@ -15,4 +15,4 @@ name: prometheus-node-exporter
sources: sources:
- https://github.com/prometheus/node_exporter/ - https://github.com/prometheus/node_exporter/
type: application type: application
version: 4.14.0 version: 4.16.0


@ -76,10 +76,12 @@ The image to use
*/}} */}}
{{- define "prometheus-node-exporter.image" -}} {{- define "prometheus-node-exporter.image" -}}
{{- if .Values.image.sha }} {{- if .Values.image.sha }}
{{- fail "image.sha forbidden. Use image.digest instead" }}
{{- else if .Values.image.digest }}
{{- if .Values.global.imageRegistry }} {{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} {{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
{{- else }} {{- else }}
{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} {{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
{{- end }} {{- end }}
{{- else }} {{- else }}
{{- if .Values.global.imageRegistry }} {{- if .Values.global.imageRegistry }}


@ -0,0 +1,23 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "prometheus-node-exporter.fullname" . }}
namespace: {{ include "prometheus-node-exporter.namespace" . }}
labels:
{{- include "prometheus-node-exporter.labels" $ | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingress:
- ports:
- port: {{ .Values.service.port }}
policyTypes:
- Egress
- Ingress
podSelector:
matchLabels:
{{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
{{- end }}
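Review bot: The single ingress rule lists only `ports` and no `from`, so with the policy enabled the metrics port remains reachable from every pod and namespace; the only real restriction is on egress, which is denied because `Egress` appears in `policyTypes` with no rules. A `from:` list, filled from a new values key holding the namespace and pod selectors of the Prometheus scraper, would limit who can read node metrics. If the DaemonSet runs with host networking (not visible on this page), many CNI plugins do not enforce NetworkPolicy on such pods at all, which deserves a comment next to `networkPolicy.enabled` so the flag is not mistaken for an effective control. The `annotations` block also reuses `.Values.service.annotations`, so Service annotations end up on the NetworkPolicy object, probably unintentionally.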


@ -23,6 +23,10 @@ spec:
{{- else }} {{- else }}
{{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
{{- end }} {{- end }}
{{- with .Values.prometheus.monitor.attachMetadata }}
attachMetadata:
{{- toYaml . | nindent 4 }}
{{- end }}
endpoints: endpoints:
- port: {{ .Values.service.portName }} - port: {{ .Values.service.portName }}
scheme: {{ .Values.prometheus.monitor.scheme }} scheme: {{ .Values.prometheus.monitor.scheme }}


@ -7,7 +7,7 @@ image:
# Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }} # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }}
tag: "" tag: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
sha: "" digest: ""
imagePullSecrets: [] imagePullSecrets: []
# - name: "image-pull-secret" # - name: "image-pull-secret"
@ -72,6 +72,12 @@ service:
annotations: annotations:
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
# Set a NetworkPolicy with:
# ingress only on service.port
# no egress permitted
networkPolicy:
enabled: false
# Additional environment variables that will be passed to the daemonset # Additional environment variables that will be passed to the daemonset
env: {} env: {}
## env: ## env:
@ -102,6 +108,11 @@ prometheus:
## ##
selectorOverride: {} selectorOverride: {}
## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above.
##
attachMetadata:
node: false
relabelings: [] relabelings: []
metricRelabelings: [] metricRelabelings: []
interval: "" interval: ""
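Review bot: Renaming `image.sha` to `image.digest` in the first hunk silently drops digest pinning for any release whose values still set `image.sha`. The image helper now reads only `.Values.image.digest`, so such a release presumably falls back to a tag-only reference (the helper's condition is outside the visible lines). Either keep the old key as a fallback in the helper, `(default .Values.image.sha .Values.image.digest)`, or record the rename beside the key, `# renamed from image.sha; the old key is no longer read`.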


@ -13,6 +13,7 @@ metadata:
annotations: annotations:
{{ toYaml .Values.alertmanager.serviceAccount.annotations | indent 4 }} {{ toYaml .Values.alertmanager.serviceAccount.annotations | indent 4 }}
{{- end }} {{- end }}
automountServiceAccountToken: {{ .Values.alertmanager.serviceAccount.automountServiceAccountToken }}
{{- if .Values.global.imagePullSecrets }} {{- if .Values.global.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2}} {{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2}}


@ -1,4 +1,4 @@
{{- if .Values.coreDns.enabled }} {{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.coreDns.enabled }} {{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeApiServer.enabled }} {{- if and .Values.kubeApiServer.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints }} {{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Endpoints kind: Endpoints
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled }} {{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled }} {{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeDns.enabled }} {{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeDns.enabled }} {{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints }} {{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Endpoints kind: Endpoints
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled }} {{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled }} {{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints }} {{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Endpoints kind: Endpoints
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled }} {{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled }} {{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints }} {{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Endpoints kind: Endpoints
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled }} {{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled }} {{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubelet.enabled }} {{- if and .Values.kubelet.enabled .Values.kubernetesServiceMonitors.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:


@ -33,7 +33,11 @@ data:
access: proxy access: proxy
isDefault: {{ .Values.grafana.sidecar.datasources.isDefaultDatasource }} isDefault: {{ .Values.grafana.sidecar.datasources.isDefaultDatasource }}
jsonData: jsonData:
httpMethod: {{ .Values.grafana.sidecar.datasources.httpMethod }}
timeInterval: {{ $scrapeInterval }} timeInterval: {{ $scrapeInterval }}
{{- if .Values.grafana.sidecar.datasources.timeout }}
timeout: {{ .Values.grafana.sidecar.datasources.timeout }}
{{- end }}
{{- if .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations }} {{- if .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations }}
exemplarTraceIdDestinations: exemplarTraceIdDestinations:
- datasourceUid: {{ .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations.datasourceUid }} - datasourceUid: {{ .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations.datasourceUid }}


@ -0,0 +1,32 @@
{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-admission-create
namespace: {{ template "kube-prometheus-stack.namespace" . }}
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
## Ensure this is run before the job
helm.sh/hook-weight: "-5"
{{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
{{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
spec:
endpointSelector:
matchLabels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
{{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
egress:
{{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
{{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
{{- else }}
- toEntities:
- kube-apiserver
{{- end }}
{{- end }}
{{- end }}
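Review bot: Any `networkPolicy.flavor` value other than the exact strings `cilium` and `kubernetes` (a typo, different casing) renders neither this policy nor the Kubernetes one, so `networkPolicy.enabled: true` can leave the admission job with no policy and no error. A render-time guard would make that visible, for example `{{- if not (has .Values.prometheusOperator.networkPolicy.flavor (list "kubernetes" "cilium")) }}{{ fail "prometheusOperator.networkPolicy.flavor must be kubernetes or cilium" }}{{- end }}`. The same applies to the other flavor-gated templates in this commit (the admission-patch, operator and prometheus policies). Separately, this policy reads `.admissionWebhooks.annotations` while the admission-patch policy reads `.admissionWebhooks.patch.annotations`; it is worth checking each against the Job it accompanies.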


@ -0,0 +1,33 @@
{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
namespace: {{ template "kube-prometheus-stack.namespace" . }}
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
## Ensure this is run before the job
helm.sh/hook-weight: "-5"
{{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
{{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
spec:
endpointSelector:
matchLabels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
{{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
egress:
{{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
{{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
{{- else }}
- toEntities:
- kube-apiserver
{{- end }}
{{- end }}
{{- end }}


@ -1,4 +1,4 @@
{{- if .Values.prometheusOperator.networkPolicy.enabled }} {{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy


@ -1,4 +1,4 @@
{{- if .Values.prometheusOperator.networkPolicy.enabled }} {{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy


@ -5,8 +5,8 @@ metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-admission name: {{ template "kube-prometheus-stack.fullname" . }}-admission
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }} {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
annotations: annotations:
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
{{- end }} {{- end }}
labels: labels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission app: {{ template "kube-prometheus-stack.name" $ }}-admission
@ -41,4 +41,27 @@ webhooks:
timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None sideEffects: None
{{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
namespaceSelector:
matchExpressions:
{{- if .Values.prometheusOperator.denyNamespaces }}
- key: kubernetes.io/metadata.name
operator: NotIn
values:
{{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
- {{ $namespace }}
{{- end }}
{{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
- key: kubernetes.io/metadata.name
operator: In
values:
{{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
{{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
- {{ $namespace }}
{{- end }}
{{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
- {{ $namespace }}
{{- end }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
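Review bot: The namespace names under `values:` are emitted unquoted (`- {{ $namespace }}`), so a namespace whose name is all digits or reads as a YAML boolean is rendered as a non-string, and the webhook configuration is then rejected or compares against the wrong value. `- {{ $namespace | quote }}` avoids that in all three places. The condition `(default .Values.prometheusOperator.namespaces.releaseNamespace true)` always evaluates to `true`, because `default` returns its last argument when that is non-empty, so the `and` reduces to `.namespaces.releaseNamespace` and can be written that way. The identical hunk in the second webhook configuration that follows needs the same change; the `webhooks:` entry these lines extend starts outside the hunk.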


@ -5,8 +5,8 @@ metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-admission name: {{ template "kube-prometheus-stack.fullname" . }}-admission
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }} {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
annotations: annotations:
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }} cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
{{- end }} {{- end }}
labels: labels:
app: {{ template "kube-prometheus-stack.name" $ }}-admission app: {{ template "kube-prometheus-stack.name" $ }}-admission
@ -41,4 +41,27 @@ webhooks:
timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None sideEffects: None
{{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
namespaceSelector:
matchExpressions:
{{- if .Values.prometheusOperator.denyNamespaces }}
- key: kubernetes.io/metadata.name
operator: NotIn
values:
{{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
- {{ $namespace }}
{{- end }}
{{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
- key: kubernetes.io/metadata.name
operator: In
values:
{{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
{{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
- {{ $namespace }}
{{- end }}
{{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
- {{ $namespace }}
{{- end }}
{{- end }}
{{- end }}
{{- end }} {{- end }}


@ -0,0 +1,35 @@
{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-operator
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-operator
{{- include "kube-prometheus-stack.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
app: {{ template "kube-prometheus-stack.name" . }}-operator
{{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
egress:
{{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
{{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
{{- else }}
- toEntities:
- kube-apiserver
{{- end }}
ingress:
- toPorts:
- ports:
{{- if .Values.prometheusOperator.tls.enabled }}
- port: {{ .Values.prometheusOperator.tls.internalPort | quote }}
{{- else }}
- port: "8080"
{{- end }}
protocol: "TCP"
rules:
http:
- method: "GET"
path: "/metrics"
{{- end }}
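Review bot: The ingress rule allows only `GET /metrics` on the operator port, and that port is `tls.internalPort` when `tls.enabled` is set. If the admission webhook is served on that same port (its server setup is not visible here), the API server's webhook POSTs would not match this rule, and an HTTP-level rule can only be evaluated on traffic the proxy can read in clear text. The rule also has no `fromEndpoints` or `fromEntities`, so any peer may request `/metrics`. A comment naming the intended callers, or a separate port-only rule for webhook traffic, would make the policy's effect explicit.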


@ -90,15 +90,24 @@ spec:
- --config-reloader-cpu-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.cpu }} - --config-reloader-cpu-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.cpu }}
- --config-reloader-memory-request={{ .Values.prometheusOperator.prometheusConfigReloader.resources.requests.memory }} - --config-reloader-memory-request={{ .Values.prometheusOperator.prometheusConfigReloader.resources.requests.memory }}
- --config-reloader-memory-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.memory }} - --config-reloader-memory-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.memory }}
{{- if .Values.prometheusOperator.prometheusConfigReloader.enableProbe }}
- --enable-config-reloader-probes=true
{{- end }}
{{- if .Values.prometheusOperator.alertmanagerInstanceNamespaces }} {{- if .Values.prometheusOperator.alertmanagerInstanceNamespaces }}
- --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }} - --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }}
{{- end }} {{- end }}
{{- if .Values.prometheusOperator.alertmanagerInstanceSelector }}
- --alertmanager-instance-selector={{ .Values.prometheusOperator.alertmanagerInstanceSelector }}
{{- end }}
{{- if .Values.prometheusOperator.alertmanagerConfigNamespaces }} {{- if .Values.prometheusOperator.alertmanagerConfigNamespaces }}
- --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }} - --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }}
{{- end }} {{- end }}
{{- if .Values.prometheusOperator.prometheusInstanceNamespaces }} {{- if .Values.prometheusOperator.prometheusInstanceNamespaces }}
- --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }} - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }}
{{- end }} {{- end }}
{{- if .Values.prometheusOperator.prometheusInstanceSelector }}
- --prometheus-instance-selector={{ .Values.prometheusOperator.prometheusInstanceSelector }}
{{- end }}
{{- if .Values.prometheusOperator.thanosImage.sha }} {{- if .Values.prometheusOperator.thanosImage.sha }}
- --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }} - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }}
{{- else }} {{- else }}
@ -107,8 +116,11 @@ spec:
{{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }} {{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }}
- --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }} - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }}
{{- end }} {{- end }}
{{- if .Values.prometheusOperator.thanosRulerInstanceSelector }}
- --thanos-ruler-instance-selector={{ .Values.prometheusOperator.thanosRulerInstanceSelector }}
{{- end }}
{{- if .Values.prometheusOperator.secretFieldSelector }} {{- if .Values.prometheusOperator.secretFieldSelector }}
- --secret-field-selector={{ .Values.prometheusOperator.secretFieldSelector }} - --secret-field-selector={{ tpl (.Values.prometheusOperator.secretFieldSelector) $ }}
{{- end }} {{- end }}
{{- if .Values.prometheusOperator.clusterDomain }} {{- if .Values.prometheusOperator.clusterDomain }}
- --cluster-domain={{ .Values.prometheusOperator.clusterDomain }} - --cluster-domain={{ .Values.prometheusOperator.clusterDomain }}


@ -1,4 +1,4 @@
{{- if .Values.prometheusOperator.networkPolicy.enabled }} {{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }} apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:


@ -0,0 +1,27 @@
{{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "cilium") }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{- include "kube-prometheus-stack.labels" . | nindent 4 }}
spec:
endpointSelector:
{{- if .Values.prometheus.networkPolicy.cilium.endpointSelector }}
{{- toYaml .Values.prometheus.networkPolicy.cilium.endpointSelector | nindent 4 }}
{{- else }}
matchExpressions:
- {key: app.kubernetes.io/name, operator: In, values: [prometheus]}
- {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]}
{{- end }}
{{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.egress }}
egress:
{{ toYaml .Values.prometheus.networkPolicy.cilium.egress | nindent 4 }}
{{- end }}
{{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.ingress }}
ingress:
{{ toYaml .Values.prometheus.networkPolicy.cilium.ingress | nindent 4 }}
{{- end }}
{{- end }}
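Review bot: `.Values.prometheus.networkPolicy.cilium.endpointSelector` is read without first checking that `cilium` is set, and the chart's values ship that key commented out, so choosing `flavor: cilium` without also defining `cilium:` is likely to fail at render time with a nil-pointer error. The egress and ingress blocks below already guard with `and .Values.prometheus.networkPolicy.cilium …`; the selector should do the same: `{{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.endpointSelector }}`. When neither `egress` nor `ingress` is supplied the rendered policy carries only a selector, so the values comment should state what enabling the flavor alone does.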


@ -14,6 +14,7 @@ metadata:
{{ toYaml .Values.prometheus.thanosIngress.annotations | indent 4 }} {{ toYaml .Values.prometheus.thanosIngress.annotations | indent 4 }}
{{- end }} {{- end }}
name: {{ template "kube-prometheus-stack.fullname" . }}-thanos-gateway name: {{ template "kube-prometheus-stack.fullname" . }}-thanos-gateway
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels: labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{ include "kube-prometheus-stack.labels" . | indent 4 }} {{ include "kube-prometheus-stack.labels" . | indent 4 }}


@ -1,4 +1,4 @@
{{- if .Values.prometheus.networkPolicy.enabled }} {{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "kubernetes") }}
apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }} apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
@ -9,12 +9,10 @@ metadata:
namespace: {{ template "kube-prometheus-stack.namespace" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec: spec:
{{- if .Values.prometheus.networkPolicy.egress }} {{- if .Values.prometheus.networkPolicy.egress }}
## Deny all egress by default
egress: egress:
{{- toYaml .Values.prometheus.networkPolicy.egress | nindent 4 }} {{- toYaml .Values.prometheus.networkPolicy.egress | nindent 4 }}
{{- end }} {{- end }}
{{- if .Values.prometheus.networkPolicy.ingress }} {{- if .Values.prometheus.networkPolicy.ingress }}
# Deny all ingress by default (prometheus scrapes itself using localhost)
ingress: ingress:
{{- toYaml .Values.prometheus.networkPolicy.ingress | nindent 4 }} {{- toYaml .Values.prometheus.networkPolicy.ingress | nindent 4 }}
{{- end }} {{- end }}


@ -42,10 +42,7 @@ spec:
{{- else }} {{- else }}
image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}" image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}"
{{- end }} {{- end }}
version: {{ .Values.prometheus.prometheusSpec.image.tag }} version: {{ default .Values.prometheus.prometheusSpec.image.tag .Values.prometheus.prometheusSpec.version }}
{{- if .Values.prometheus.prometheusSpec.image.sha }}
sha: {{ .Values.prometheus.prometheusSpec.image.sha }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.prometheus.prometheusSpec.additionalArgs }} {{- if .Values.prometheus.prometheusSpec.additionalArgs }}
additionalArgs: additionalArgs:
@ -364,7 +361,8 @@ spec:
{{- end }} {{- end }}
excludedFromEnforcement: excludedFromEnforcement:
{{- range $prometheusDefaultRulesExcludedFromEnforce.rules }} {{- range $prometheusDefaultRulesExcludedFromEnforce.rules }}
- resource: prometheusrules - group: monitoring.coreos.com
resource: prometheusrules
namespace: "{{ template "kube-prometheus-stack.namespace" $ }}" namespace: "{{ template "kube-prometheus-stack.namespace" $ }}"
name: "{{ printf "%s-%s" (include "kube-prometheus-stack.fullname" $) . | trunc 63 | trimSuffix "-" }}" name: "{{ printf "%s-%s" (include "kube-prometheus-stack.fullname" $) . | trunc 63 | trimSuffix "-" }}"
{{- end }} {{- end }}


@ -158,6 +158,7 @@ alertmanager:
create: true create: true
name: "" name: ""
annotations: {} annotations: {}
automountServiceAccountToken: true
## Configure pod disruption budgets for Alertmanager ## Configure pod disruption budgets for Alertmanager
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
@ -822,6 +823,8 @@ grafana:
enabled: true enabled: true
label: grafana_dashboard label: grafana_dashboard
labelValue: "1" labelValue: "1"
# Allow discovery in all namespaces for dashboards
searchNamespace: ALL
## Annotations for Grafana dashboard configmaps ## Annotations for Grafana dashboard configmaps
## ##
@ -844,6 +847,9 @@ grafana:
## ##
# url: http://prometheus-stack-prometheus:9090/ # url: http://prometheus-stack-prometheus:9090/
## Prometheus request timeout in seconds
# timeout: 30
# If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default # If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default
# defaultDatasourceScrapeInterval: 15s # defaultDatasourceScrapeInterval: 15s
@ -851,6 +857,9 @@ grafana:
## ##
annotations: {} annotations: {}
## Set method for HTTP to send query to datasource
httpMethod: POST
## Create datasource for each Pod of Prometheus StatefulSet; ## Create datasource for each Pod of Prometheus StatefulSet;
## this uses headless service `prometheus-operated` which is ## this uses headless service `prometheus-operated` which is
## created by Prometheus Operator ## created by Prometheus Operator
@ -929,6 +938,11 @@ grafana:
# replacement: $1 # replacement: $1
# action: replace # action: replace
## Flag to disable all the kubernetes component scrapers
##
kubernetesServiceMonitors:
enabled: true
## Component scraping the kube api server ## Component scraping the kube api server
## ##
kubeApiServer: kubeApiServer:
@ -1949,6 +1963,15 @@ prometheusOperator:
## ##
enabled: false enabled: false
## Flavor of the network policy to use.
# Can be:
# * kubernetes for networking.k8s.io/v1/NetworkPolicy
# * cilium for cilium.io/v2/CiliumNetworkPolicy
flavor: kubernetes
# cilium:
# egress:
## Service account for Alertmanager to use. ## Service account for Alertmanager to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
## ##
@ -2202,6 +2225,9 @@ prometheusOperator:
tag: "" tag: ""
sha: "" sha: ""
# add prometheus config reloader liveness and readiness probe. Default: false
enableProbe: false
# resource config for prometheusConfigReloader # resource config for prometheusConfigReloader
resources: resources:
requests: requests:
@ -2219,6 +2245,17 @@ prometheusOperator:
tag: v0.30.2 tag: v0.30.2
sha: "" sha: ""
## Set a Label Selector to filter watched prometheus and prometheusAgent
##
prometheusInstanceSelector: ""
## Set a Label Selector to filter watched alertmanager
##
alertmanagerInstanceSelector: ""
## Set a Label Selector to filter watched thanosRuler
thanosRulerInstanceSelector: ""
## Set a Field Selector to filter watched secrets ## Set a Field Selector to filter watched secrets
## ##
secretFieldSelector: "" secretFieldSelector: ""
@ -2235,6 +2272,18 @@ prometheus:
## Configure network policy for the prometheus ## Configure network policy for the prometheus
networkPolicy: networkPolicy:
enabled: false enabled: false
## Flavor of the network policy to use.
# Can be:
# * kubernetes for networking.k8s.io/v1/NetworkPolicy
# * cilium for cilium.io/v2/CiliumNetworkPolicy
flavor: kubernetes
# cilium:
# endpointSelector:
# egress:
# ingress:
# egress: # egress:
# - {} # - {}
# ingress: # ingress:
@ -2670,6 +2719,10 @@ prometheus:
## ##
enableAdminAPI: false enableAdminAPI: false
## Sets version of Prometheus overriding the Prometheus version as derived
## from the image tag. Useful in cases where the tag does not follow semver v2.
version: ""
## WebTLSConfig defines the TLS parameters for HTTPS ## WebTLSConfig defines the TLS parameters for HTTPS
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#webtlsconfig ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#webtlsconfig
web: {} web: {}
@ -2780,11 +2833,12 @@ prometheus:
## ##
query: {} query: {}
## Namespaces to be selected for PrometheusRules discovery. ## If nil, select own namespace. Namespaces to be selected for PrometheusRules discovery.
## If nil, select own namespace. Namespaces to be selected for ServiceMonitor discovery.
## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
##
ruleNamespaceSelector: {} ruleNamespaceSelector: {}
## Example which selects PrometheusRules in namespaces with label "prometheus" set to "somelabel"
# ruleNamespaceSelector:
# matchLabels:
# prometheus: somelabel
## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the
## prometheus resource to be created with selectors based on values in the helm deployment, ## prometheus resource to be created with selectors based on values in the helm deployment,
@ -2849,10 +2903,12 @@ prometheus:
# matchLabels: # matchLabels:
# prometheus: somelabel # prometheus: somelabel
## Namespaces to be selected for PodMonitor discovery. ## If nil, select own namespace. Namespaces to be selected for PodMonitor discovery.
## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
##
podMonitorNamespaceSelector: {} podMonitorNamespaceSelector: {}
## Example which selects PodMonitor in namespaces with label "prometheus" set to "somelabel"
# podMonitorNamespaceSelector:
# matchLabels:
# prometheus: somelabel
## If true, a nil or {} value for prometheus.prometheusSpec.probeSelector will cause the ## If true, a nil or {} value for prometheus.prometheusSpec.probeSelector will cause the
## prometheus resource to be created with selectors based on values in the helm deployment, ## prometheus resource to be created with selectors based on values in the helm deployment,
@ -2869,10 +2925,12 @@ prometheus:
# matchLabels: # matchLabels:
# prometheus: somelabel # prometheus: somelabel
## Namespaces to be selected for Probe discovery. ## If nil, select own namespace. Namespaces to be selected for Probe discovery.
## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
##
probeNamespaceSelector: {} probeNamespaceSelector: {}
## Example which selects Probe in namespaces with label "prometheus" set to "somelabel"
# probeNamespaceSelector:
# matchLabels:
# prometheus: somelabel
## How long to retain metrics ## How long to retain metrics
## ##


@ -18,7 +18,7 @@
"subdir": "contrib/mixin" "subdir": "contrib/mixin"
} }
}, },
"version": "49b59cc8e5c838bdc5e661de6388a0e348b3985c", "version": "2a0c9896623cc64543b01bd0bdf1140f6d622a67",
"sum": "QTzBqwjnM6cGGVBhOiVJyA+ZVTkmCTuH6C6YW7XKRFw=" "sum": "QTzBqwjnM6cGGVBhOiVJyA+ZVTkmCTuH6C6YW7XKRFw="
}, },
{ {
@ -58,7 +58,7 @@
"subdir": "grafana-builder" "subdir": "grafana-builder"
} }
}, },
"version": "d680faafc0727c4c5086f1624333363e57d2ce81", "version": "d303b2031264728728dd1e1c05f74f67027139f6",
"sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0="
}, },
{ {
@ -68,8 +68,8 @@
"subdir": "" "subdir": ""
} }
}, },
"version": "eed459199703c969afc318ea55b9361ae48180a7", "version": "d87b757edc73a5f5b78e9f6a9bbae9023131c946",
"sum": "iKDOR7+jXw3Rctog6Z1ofweIK5BLjuGeguIZjXLP8ls=" "sum": "fsAZNroGj9QOUt63dI78jcahPnCXlBhpfxuPJC3dTac="
}, },
{ {
"source": { "source": {
@ -78,7 +78,7 @@
"subdir": "jsonnet/kube-state-metrics" "subdir": "jsonnet/kube-state-metrics"
} }
}, },
"version": "32f8c5e80500855dcdec0c0b7398b580b12f3470", "version": "5f31736e444a674a969d65aaa9afd9d0864c8639",
"sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g=" "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
}, },
{ {
@ -88,7 +88,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin" "subdir": "jsonnet/kube-state-metrics-mixin"
} }
}, },
"version": "32f8c5e80500855dcdec0c0b7398b580b12f3470", "version": "5f31736e444a674a969d65aaa9afd9d0864c8639",
"sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk=" "sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk="
}, },
{ {
@ -98,8 +98,8 @@
"subdir": "jsonnet/kube-prometheus" "subdir": "jsonnet/kube-prometheus"
} }
}, },
"version": "2a955da550e33f75e3a7ecf30d45e8fd19dc6c31", "version": "c9e1145027df233fa3d1d7aed86cacbf6001d1f5",
"sum": "8SUhAtqVsKsqUmDYgmrdZWrvS6bQ1dHnVSi2LFJeCZU=" "sum": "Skpy4SojW1KNz8dJpg8J6mx/z596xf9nW8VEGvXnGJg="
}, },
{ {
"source": { "source": {
@ -108,8 +108,8 @@
"subdir": "jsonnet/mixin" "subdir": "jsonnet/mixin"
} }
}, },
"version": "06b5c4189f3f72737766d86103d049115c3aff48", "version": "e8841ea9546b08693aefbb945bfebc11c8b33186",
"sum": "GQmaVFJwKMiD/P4n3N2LrAZVcwutriWrP8joclDtBYQ=", "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
"name": "prometheus-operator-mixin" "name": "prometheus-operator-mixin"
}, },
{ {
@ -119,8 +119,8 @@
"subdir": "jsonnet/prometheus-operator" "subdir": "jsonnet/prometheus-operator"
} }
}, },
"version": "06b5c4189f3f72737766d86103d049115c3aff48", "version": "e8841ea9546b08693aefbb945bfebc11c8b33186",
"sum": "8XqdRl/MXzaSKjhHkrMFWbrP8Tw0k5tsI5hNfX++1Pw=" "sum": "cNcVEO+LVAJK7fGxfL8RAIo/G/9ZU/ZUhCzUpdcgytc="
}, },
{ {
"source": { "source": {
@ -129,7 +129,7 @@
"subdir": "doc/alertmanager-mixin" "subdir": "doc/alertmanager-mixin"
} }
}, },
"version": "0f14383b61c1e301a70130ecfc22df52bd85df6e", "version": "f67d03fe2854191bb36dbcb305ec507237583aa2",
"sum": "PsK+V7oETCPKu2gLoPfqY0wwPKH9TzhNj6o2xezjjXc=", "sum": "PsK+V7oETCPKu2gLoPfqY0wwPKH9TzhNj6o2xezjjXc=",
"name": "alertmanager" "name": "alertmanager"
}, },
@ -140,8 +140,8 @@
"subdir": "docs/node-mixin" "subdir": "docs/node-mixin"
} }
}, },
"version": "c8129fadd660ae90598b84791d8915a995a27815", "version": "184a4e0893dd5c28e540ca3070f2e3a07f939f11",
"sum": "TwdaTm0Z++diiLyaKAAimmC6hBL7XbrJc0RHhBCpAdU=" "sum": "aFUI56y6Y8EpniS4cfYqrSaHFnxeomIw4S4+Sz8yPtQ="
}, },
{ {
"source": { "source": {
@ -150,7 +150,7 @@
"subdir": "documentation/prometheus-mixin" "subdir": "documentation/prometheus-mixin"
} }
}, },
"version": "0ab95536115adfe50af249d36d73674be694ca3f", "version": "5c5fa5c319fca713506fa144ec6768fddf00d466",
"sum": "LRx0tbMnoE1p8KEn+i81j2YsA5Sgt3itE5Y6jBf5eOQ=", "sum": "LRx0tbMnoE1p8KEn+i81j2YsA5Sgt3itE5Y6jBf5eOQ=",
"name": "prometheus" "name": "prometheus"
}, },
@ -161,8 +161,8 @@
"subdir": "config/crd/bases" "subdir": "config/crd/bases"
} }
}, },
"version": "cd05347647955a378f32a888d194cb0f7c0134a6", "version": "05405777468aca15ee63824512f8f13af9f08039",
"sum": "bY/Pcrrbynguq8/HaI88cQ3B2hLv/xc+76QILY7IL+g=" "sum": "MK8+uumteRncS0hkyjocvU2vdtlGbfBRPcU0/mJnU2M="
}, },
{ {
"source": { "source": {
@ -171,7 +171,7 @@
"subdir": "mixin" "subdir": "mixin"
} }
}, },
"version": "a1ec4d5365e88967e4bb4b0f127d174617ed2bbc", "version": "cdb395a7100be554e804d61c735b8d4a4b678f11",
"sum": "zSLNV/0bN4DcVKojzCqjmhfjtzTY4pDKZXqbAUzw5R0=", "sum": "zSLNV/0bN4DcVKojzCqjmhfjtzTY4pDKZXqbAUzw5R0=",
"name": "thanos-mixin" "name": "thanos-mixin"
} }


@ -175,7 +175,7 @@
{ {
"alert": "NodeClockSkewDetected", "alert": "NodeClockSkewDetected",
"annotations": { "annotations": {
"description": "Clock on {{ $labels.instance }} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.", "description": "Clock on {{ $labels.instance }} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.",
"runbook_url": "https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected", "runbook_url": "https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected",
"summary": "Clock skew detected." "summary": "Clock skew detected."
}, },


@ -6,7 +6,7 @@
"app.kubernetes.io/component": "controller", "app.kubernetes.io/component": "controller",
"app.kubernetes.io/name": "prometheus-operator", "app.kubernetes.io/name": "prometheus-operator",
"app.kubernetes.io/part-of": "kube-prometheus", "app.kubernetes.io/part-of": "kube-prometheus",
"app.kubernetes.io/version": "0.64.1", "app.kubernetes.io/version": "0.65.1",
"prometheus": "k8s", "prometheus": "k8s",
"role": "alert-rules" "role": "alert-rules"
}, },


@ -7,7 +7,7 @@
"app.kubernetes.io/instance": "k8s", "app.kubernetes.io/instance": "k8s",
"app.kubernetes.io/name": "prometheus", "app.kubernetes.io/name": "prometheus",
"app.kubernetes.io/part-of": "kube-prometheus", "app.kubernetes.io/part-of": "kube-prometheus",
"app.kubernetes.io/version": "2.43.0", "app.kubernetes.io/version": "2.43.1",
"prometheus": "k8s", "prometheus": "k8s",
"role": "alert-rules" "role": "alert-rules"
}, },


@ -125,7 +125,7 @@ spec:
severity: warning severity: warning
- alert: NodeClockSkewDetected - alert: NodeClockSkewDetected
annotations: annotations:
description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 300s. Ensure NTP is configured correctly on this host. description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected
summary: Clock skew detected. summary: Clock skew detected.
expr: "(\n node_timex_offset_seconds{job=\"node-exporter\"} > 0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) >= 0\n)\nor\n(\n node_timex_offset_seconds{job=\"node-exporter\"} < -0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) <= 0\n)\n" expr: "(\n node_timex_offset_seconds{job=\"node-exporter\"} > 0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) >= 0\n)\nor\n(\n node_timex_offset_seconds{job=\"node-exporter\"} < -0.05\nand\n deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) <= 0\n)\n"


@ -85,7 +85,7 @@ kube-prometheus-stack:
- sourceLabels: [__meta_kubernetes_pod_node_name] - sourceLabels: [__meta_kubernetes_pod_node_name]
separator: ; separator: ;
regex: ^(.*)$ regex: ^(.*)$
targetLabel: node targetLabel: instance
replacement: $1 replacement: $1
action: replace action: replace
resources: resources:
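Review bot: The relabel rule in this hunk now writes the pod's node name into `instance`, replacing the address-based `instance` value Prometheus would otherwise assign, and nothing here says why. A short comment above the rule would help, for example `# node name as instance so in-cluster targets line up with externally discovered node-exporter hosts`, if that is the intent; the commit title suggests it but the hunk does not confirm it. Queries or alert rules that still select on the old `node` label from this job are worth checking, since this rule no longer sets it. The enclosing scrape definition starts and ends outside the hunk.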


@ -1,6 +1,6 @@
# kubezero-redis # kubezero-redis
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Redis HA KubeZero Umbrella Chart for Redis HA
@ -14,7 +14,7 @@ KubeZero Umbrella Chart for Redis HA
## Requirements ## Requirements
Kubernetes: `>= 1.20.0` Kubernetes: `>= 1.25.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero name: kubezero
description: KubeZero - Root App of Apps chart description: KubeZero - Root App of Apps chart
type: application type: application
version: 1.25.8 version: 1.25.8-1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -1,6 +1,6 @@
# kubezero # kubezero
![Version: 1.25.8](https://img.shields.io/badge/Version-1.25.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 1.25.8-1](https://img.shields.io/badge/Version-1.25.8--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero - Root App of Apps chart KubeZero - Root App of Apps chart
@ -67,7 +67,7 @@ Kubernetes: `>= 1.25.0`
| metrics.istio.grafana | object | `{}` | | | metrics.istio.grafana | object | `{}` | |
| metrics.istio.prometheus | object | `{}` | | | metrics.istio.prometheus | object | `{}` | |
| metrics.namespace | string | `"monitoring"` | | | metrics.namespace | string | `"monitoring"` | |
| metrics.targetRevision | string | `"0.9.0"` | | | metrics.targetRevision | string | `"0.9.1"` | |
| network.cilium.cluster | object | `{}` | | | network.cilium.cluster | object | `{}` | |
| network.enabled | bool | `true` | | | network.enabled | bool | `true` | |
| network.retain | bool | `true` | | | network.retain | bool | `true` | |


@ -1,3 +1,60 @@
{{- define "_kube-prometheus-stack" }}
{{- if .global.aws }}
alertmanager:
config:
receivers:
- name: 'null'
- name: alerthub-notifications
webhook_configs:
- send_resolved: true
url: http://localhost:9087/alert/AlertHub
route:
receiver: alerthub-notifications
prometheus:
prometheusSpec:
externalLabels:
awsAccount: '{{ .global.aws.accountId }}'
awsRegion: {{ .global.aws.region }}
clusterName: {{ .global.clusterName }}
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
additionalScrapeConfigs:
- job_name: 'nodes'
ec2_sd_configs:
- port: 9100
region: {{ .global.aws.region }}
filters:
- name: 'tag-key'
values: ['zdt:prometheus.node-exporter']
relabel_configs:
- source_labels:
- '__meta_ec2_instance_id'
target_label: 'instance_id'
- source_labels:
- '__meta_ec2_availability_zone'
target_label: 'availability_zone'
- source_labels:
- '__meta_ec2_private_dns_name'
target_label: 'instance'
- source_labels:
- '__meta_ec2_tag_Name'
target_label: 'instance'
{{- end }}
{{- end }}
{{- define "metrics-values" }} {{- define "metrics-values" }}
{{- with .Values.metrics.istio }} {{- with .Values.metrics.istio }}
@ -6,7 +63,7 @@ istio:
{{- end }} {{- end }}
{{- with index .Values "metrics" "kube-prometheus-stack" }} {{- with index .Values "metrics" "kube-prometheus-stack" }}
kube-prometheus-stack: kube-prometheus-stack:
{{- toYaml . | nindent 2 }} {{- toYaml ( merge ( include "_kube-prometheus-stack" $.Values | fromYaml ) . ) | nindent 2 }}
{{- end }} {{- end }}
{{- with index .Values "metrics" "prometheus-adapter" }} {{- with index .Values "metrics" "prometheus-adapter" }}
prometheus-adapter: prometheus-adapter:
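Review bot: In the `nodes` job of the new `_kube-prometheus-stack` define, the last two `relabel_configs` entries both write `instance`, so the `__meta_ec2_private_dns_name` value never survives. The `__meta_ec2_tag_Name` rule runs after it with the default regex, which also matches an empty tag, and an empty replacement removes the label. Adding `regex: '(.+)'` to the Name rule keeps the private DNS name as the fallback for instances without a Name tag. The job also selects targets only by the presence of the tag key `zdt:prometheus.node-exporter` in the region and scrapes port 9100 with no TLS or auth settings visible here, so whoever is allowed to tag an instance can add a scrape target; a `vpc-id` filter or a required tag value would narrow that.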


@ -76,7 +76,7 @@ istio-private-ingress:
metrics: metrics:
enabled: false enabled: false
namespace: monitoring namespace: monitoring
targetRevision: 0.9.0 targetRevision: 0.9.1
istio: istio:
grafana: {} grafana: {}
prometheus: {} prometheus: {}