Latest metrics incl. support for cluster external node-exporter

2023-05-13 08:38:33 +00:00 · 2023-05-13 08:38:33 +00:00 · ed04b43192
commit ed04b43192
parent ad99454f8f
67 changed files with 582 additions and 110 deletions
--- a/charts/kubezero-ci/README.md
+++ b/charts/kubezero-ci/README.md
@ -34,8 +34,10 @@ Kubernetes: `>= 1.24.0`

 # Gitea

-## OpenSSH 8.8 RSA disabled
- https://github.com/go-gitea/gitea/issues/17798
+# Verdaccio
+
+## Authentication sealed-secret
+```htpasswd -n -b -B -C 4 <username> <password> | kubeseal --raw --namespace verdaccio --name verdaccio-htpasswd```

 ## Resources

--- a/charts/kubezero-metrics/Chart.yaml
+++ b/charts/kubezero-metrics/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-metrics
 description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
 type: application
-version: 0.9.0
+version: 0.9.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -19,7 +19,7 @@ dependencies:
    repository: https://cdn.zero-downtime.net/charts/
    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
  - name: kube-prometheus-stack
-    version: 45.9.1
+    version: 45.27.2
    # Switch back to upstream once all alerts are fixed eg. etcd gpcr
    # repository: https://prometheus-community.github.io/helm-charts
  - name: prometheus-adapter
--- a/charts/kubezero-metrics/README.md
+++ b/charts/kubezero-metrics/README.md
@ -1,6 +1,6 @@
 # kubezero-metrics

-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.

@ -18,7 +18,7 @@ Kubernetes: `>= 1.25.0`

 | Repository | Name | Version |
 |------------|------|---------|
-|  | kube-prometheus-stack | 45.9.1 |
+|  | kube-prometheus-stack | 45.27.2 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 4.1.1 |
 | https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.1.3 |
@ -155,7 +155,7 @@ Kubernetes: `>= 1.25.0`
 | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].replacement | string | `"$1"` |  |
 | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].separator | string | `";"` |  |
 | kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` |  |
-| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"node"` |  |
+| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"instance"` |  |
 | kube-prometheus-stack.prometheus-node-exporter.resources.requests.cpu | string | `"20m"` |  |
 | kube-prometheus-stack.prometheus-node-exporter.resources.requests.memory | string | `"16Mi"` |  |
 | kube-prometheus-stack.prometheus.enabled | bool | `true` |  |
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml
@ -7,20 +7,20 @@ annotations:
      url: https://github.com/prometheus-operator/kube-prometheus
  artifacthub.io/operator: "true"
 apiVersion: v2
-appVersion: v0.63.0
+appVersion: v0.65.1
 dependencies:
 - condition: kubeStateMetrics.enabled
  name: kube-state-metrics
  repository: https://prometheus-community.github.io/helm-charts
-  version: 5.0.*
+  version: 5.5.*
 - condition: nodeExporter.enabled
  name: prometheus-node-exporter
  repository: https://prometheus-community.github.io/helm-charts
-  version: 4.14.*
+  version: 4.16.*
 - condition: grafana.enabled
  name: grafana
  repository: https://grafana.github.io/helm-charts
-  version: 6.51.*
+  version: 6.56.*
 description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards,
  and Prometheus rules combined with documentation and scripts to provide easy to
  operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus
@ -52,4 +52,4 @@ sources:
 - https://github.com/prometheus-community/helm-charts
 - https://github.com/prometheus-operator/kube-prometheus
 type: application
-version: 45.9.1
+version: 45.27.2
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml
@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 9.3.8
+appVersion: 9.5.1
 description: The leading tool for querying and visualizing time series and metrics.
 home: https://grafana.net
 icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
@ -19,4 +19,4 @@ name: grafana
 sources:
 - https://github.com/grafana/grafana
 type: application
-version: 6.51.5
+version: 6.56.2
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md
@ -87,6 +87,7 @@ This version requires Helm >= 3.1.0.
 | `ingress.hosts`                           | Ingress accepted hostnames                    | `["chart-example.local"]`                                                    |
 | `ingress.extraPaths`                      | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]`                                                    |
 | `ingress.tls`                             | Ingress TLS configuration                     | `[]`                                                    |
+| `ingress.ingressClassName`                | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | `""`                              |
 | `resources`                               | CPU/Memory resource requests/limits           | `{}`                                                    |
 | `nodeSelector`                            | Node labels for pod assignment                | `{}`                                                    |
 | `tolerations`                             | Toleration labels for pod assignment          | `[]`                                                    |
@ -216,8 +217,8 @@ This version requires Helm >= 3.1.0.
 | `rbac.create`                             | Create and use RBAC resources                 | `true`                                                  |
 | `rbac.namespaced`                         | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance  | `false` |
 | `rbac.useExistingRole`                    | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` |
-| `rbac.pspEnabled`                         | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true`                 |
-| `rbac.pspUseAppArmor`                     | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`)  | `true`                    |
+| `rbac.pspEnabled`                         | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false`                |
+| `rbac.pspUseAppArmor`                     | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`)  | `false`                   |
 | `rbac.extraRoleRules`                     | Additional rules to add to the Role           | []                                                      |
 | `rbac.extraClusterRoleRules`              | Additional rules to add to the ClusterRole    | []                                                      |
 | `command`                                 | Define command to be executed by grafana container at startup | `nil`                                   |
@ -251,6 +252,7 @@ This version requires Helm >= 3.1.0.
 | `imageRenderer.image.sha`                  | image-renderer Image sha (optional)                                                | `""`                             |
 | `imageRenderer.image.pullPolicy`           | image-renderer ImagePullPolicy                                                     | `Always`                         |
 | `imageRenderer.env`                        | extra env-vars for image-renderer                                                  | `{}`                             |
+| `imageRenderer.envValueFrom`               | Environment variables for image-renderer from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
 | `imageRenderer.serviceAccountName`         | image-renderer deployment serviceAccountName                                       | `""`                             |
 | `imageRenderer.securityContext`            | image-renderer deployment securityContext                                          | `{}`                             |
 | `imageRenderer.hostAliases`                | image-renderer deployment Host Aliases                                             | `[]`                             |
@ -397,9 +399,41 @@ filters out the ones with a label as defined in `sidecar.datasources.label`. The
 those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
 the data sources in grafana can be imported.

+Should you aim for reloading datasources in Grafana each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://<svc-name>.<namespace>.svc.cluster.local/api/admin/provisioning/datasources/reload`.
+
 Secrets are recommended over configmaps for this usecase because datasources usually contain private
 data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.

+Example values to add a postgres datasource as a kubernetes secret:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-datasources
+  labels:
+    grafana_datasource: 'true' # default value for: sidecar.datasources.label
+stringData:
+  pg-db.yaml: |-
+    apiVersion: 1
+    datasources:
+      - name: My pg db datasource
+        type: postgres
+        url: my-postgresql-db:5432
+        user: db-readonly-user
+        secureJsonData:
+          password: 'SUperSEcretPa$$word'
+        jsonData:
+          database: my_datase
+          sslmode: 'disable' # disable/require/verify-ca/verify-full
+          maxOpenConns: 0 # Grafana v5.4+
+          maxIdleConns: 2 # Grafana v5.4+
+          connMaxLifetime: 14400 # Grafana v5.4+
+          postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
+          timescaledb: false
+        # <bool> allow users to edit datasources from the UI.
+        editable: false
+```
+
 Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file):

 ```yaml
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl
@ -786,7 +786,7 @@ containers:
      {{- range .Values.extraConfigmapMounts }}
      - name: {{ tpl .name $root }}
        mountPath: {{ tpl .mountPath $root }}
-        subPath: {{ (tpl .subPath $root) | default "" }}
+        subPath: {{ tpl (.subPath | default "") $root }}
        readOnly: {{ .readOnly }}
      {{- end }}
      - name: storage
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml
@ -9,9 +9,9 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "grafana.fullname" . }}-clusterrole
-{{- if or .Values.sidecar.dashboards.enabled (or .Values.rbac.extraClusterRoleRules (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled)) }}
+{{- if or .Values.sidecar.dashboards.enabled .Values.rbac.extraClusterRoleRules .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
 rules:
-  {{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }}
+  {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }}
  - apiGroups: [""] # "" indicates the core API group
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml
@ -87,7 +87,11 @@ data:
    --connect-timeout 60 \
    --max-time 60 \
      {{- if not $value.b64content }}
+        {{- if not $value.acceptHeader }}
    -H "Accept: application/json" \
+        {{- else }}
+    -H "Accept: {{ $value.acceptHeader }}" \
+        {{- end }}
        {{- if $value.token }}
    -H "Authorization: token {{ $value.token }}" \
        {{- end }}
@ -95,7 +99,7 @@ data:
    -H "Authorization: Bearer {{ $value.bearerToken }}" \
        {{- end }}
        {{- if $value.basic }}
-    -H "Basic: {{ $value.basic }}" \
+    -H "Authorization: Basic {{ $value.basic }}" \
        {{- end }}
        {{- if $value.gitlabToken }}
    -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml
@ -42,6 +42,7 @@ spec:
        {{- if .Values.envRenderSecret }}
        checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }}
        {{- end }}
+        kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml
@ -92,6 +92,11 @@ spec:
            - name: ENABLE_METRICS
              value: "true"
          {{- end }}
+          {{- range $key, $value := .Values.imageRenderer.envValueFrom }}
+            - name: {{ $key | quote }}
+              valueFrom:
+                {{- tpl (toYaml $value) $ | nindent 16 }}
+          {{- end }}
          {{- range $key, $value := .Values.imageRenderer.env }}
            - name: {{ $key | quote }}
              value: {{ $value | quote }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml
@ -31,6 +31,7 @@ spec:
        {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
        {{- end }}
+        kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml
@ -84,7 +84,7 @@ livenessProbe:
 # schedulerName: "default-scheduler"

 image:
-  repository: grafana/grafana
+  repository: docker.io/grafana/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: ""
  sha: ""
@ -100,17 +100,23 @@ image:

 testFramework:
  enabled: true
-  image: "bats/bats"
+  image: docker.io/bats/bats
  tag: "v1.4.1"
  imagePullPolicy: IfNotPresent
  securityContext: {}

 securityContext:
+  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472

-containerSecurityContext: {}
+containerSecurityContext:
+  capabilities:
+    drop:
+    - ALL
+  seccompProfile:
+    type: RuntimeDefault

 # Enable creating the grafana configmap
 createConfigmap: true
@ -137,7 +143,7 @@ extraLabels: {}
 # priorityClassName:

 downloadDashboardsImage:
-  repository: curlimages/curl
+  repository: docker.io/curlimages/curl
  tag: 7.85.0
  sha: ""
  pullPolicy: IfNotPresent
@ -146,7 +152,13 @@ downloadDashboards:
  env: {}
  envFromSecret: ""
  resources: {}
-  securityContext: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    seccompProfile:
+      type: RuntimeDefault
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
@ -346,7 +358,7 @@ initChownData:
  ## initChownData container image
  ##
  image:
-    repository: busybox
+    repository: docker.io/library/busybox
    tag: "1.31.1"
    sha: ""
    pullPolicy: IfNotPresent
@ -364,7 +376,11 @@ initChownData:
  securityContext:
    runAsNonRoot: false
    runAsUser: 0
-
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      add:
+        - CHOWN

 # Administrator credentials when not using an existing secret (see below)
 adminUser: admin
@ -520,6 +536,9 @@ lifecycleHooks: {}
 plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
+  ## You can also use other plugin download URL, as long as they are valid zip files,
+  ## and specify the name of the plugin after the semicolon. Like this:
+  # - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource

 ## Configure grafana datasources
 ## ref: http://docs.grafana.org/administration/provisioning/#datasources
@ -676,6 +695,7 @@ dashboards: {}
  #   local-dashboard-azure:
  #     url: https://example.com/repository/test-azure.json
  #     basic: ''
+  #     acceptHeader: '*/*'

 ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
 ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
@ -777,7 +797,13 @@ sidecar:
 #   requests:
 #     cpu: 50m
 #     memory: 50Mi
-  securityContext: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    seccompProfile:
+      type: RuntimeDefault
  # skipTlsVerify Set to true to skip tls verification for kube api calls
  # skipTlsVerify: true
  enableUniqueFilenames: false
@ -1030,7 +1056,7 @@ imageRenderer:
    behavior: {}
  image:
    # image-renderer Image repository
-    repository: grafana/grafana-image-renderer
+    repository: docker.io/grafana/grafana-image-renderer
    # image-renderer Image tag
    tag: latest
    # image-renderer Image sha (optional)
@ -1043,12 +1069,29 @@ imageRenderer:
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
+
+  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
+  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
+  ## Renders in container spec as:
+  ##   env:
+  ##     ...
+  ##     - name: <key>
+  ##       valueFrom:
+  ##         <value rendered as YAML>
+  envValueFrom: {}
+    #  ENV_NAME:
+    #    configMapKeyRef:
+    #      name: configmap-name
+    #      key: value_key
+
  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  containerSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml
@ -18,4 +18,4 @@ name: kube-state-metrics
 sources:
 - https://github.com/kubernetes/kube-state-metrics/
 type: application
-version: 5.0.1
+version: 5.5.0
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml
@ -162,6 +162,9 @@ spec:
        volumeMounts:
          - name: kube-rbac-proxy-config
            mountPath: /etc/kube-rbac-proxy-config
+          {{- with .Values.kubeRBACProxy.volumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
        imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
        image: {{ include "kubeRBACProxy.image" . }}
        ports:
@ -197,6 +200,9 @@ spec:
        volumeMounts:
          - name: kube-rbac-proxy-config
            mountPath: /etc/kube-rbac-proxy-config
+          {{- with .Values.kubeRBACProxy.volumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
        imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
        image: {{ include "kubeRBACProxy.image" . }}
        ports:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml
@ -9,6 +9,10 @@ metadata:
  {{- with .Values.prometheus.monitor.additionalLabels }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
+  {{- with .Values.prometheus.monitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
  {{- with .Values.prometheus.monitor.targetLabels }}
@ -56,6 +60,13 @@ spec:
      tlsConfig:
        {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }}
    {{- end }}
+    {{- if .Values.prometheus.monitor.bearerTokenFile }}
+      bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}
+    {{- end }}
+    {{- with .Values.prometheus.monitor.bearerTokenSecret }}
+      bearerTokenSecret:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
  {{- if .Values.selfMonitor.enabled }}
    - port: metrics
    {{- if .Values.prometheus.monitor.interval }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml
@ -115,6 +115,13 @@ kubeRBACProxy:
    #  cpu: 10m
    #  memory: 32Mi

+  ## volumeMounts enables mounting custom volumes in rbac-proxy containers
+  ## Useful for TLS certificates and keys
+  volumeMounts: []
+    # - mountPath: /etc/tls
+    #   name: kube-rbac-proxy-tls
+    #   readOnly: true
+
 serviceAccount:
  # Specifies whether a ServiceAccount should be created, require rbac true
  create: true
@ -132,6 +139,7 @@ serviceAccount:
 prometheus:
  monitor:
    enabled: false
+    annotations: {}
    additionalLabels: {}
    namespace: ""
    jobLabel: ""
@ -164,6 +172,14 @@ prometheus:
    metricRelabelings: []
    relabelings: []
    scheme: ""
+    ## File to read bearer token for scraping targets
+    bearerTokenFile: ""
+    ## Secret to mount to read bearer token for scraping targets. The secret needs
+    ## to be in the same namespace as the service monitor and accessible by the
+    ## Prometheus Operator
+    bearerTokenSecret: {}
+      # name: secret-name
+      # key:  key-name
    tlsConfig: {}

 ## Specify if a Pod Security Policy for kube-state-metrics must be created
@ -199,11 +215,18 @@ securityContext:
  runAsGroup: 65534
  runAsUser: 65534
  fsGroup: 65534
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault

 ## Specify security settings for a Container
 ## Allows overrides and additional options compared to (Pod) securityContext
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-containerSecurityContext: {}
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL

 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml
@ -15,4 +15,4 @@ name: prometheus-node-exporter
 sources:
 - https://github.com/prometheus/node_exporter/
 type: application
-version: 4.14.0
+version: 4.16.0
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl
@ -76,10 +76,12 @@ The image to use
 */}}
 {{- define "prometheus-node-exporter.image" -}}
 {{- if .Values.image.sha }}
+{{- fail "image.sha forbidden. Use image.digest instead" }}
+{{- else if .Values.image.digest }}
 {{- if .Values.global.imageRegistry }}
-{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }}
+{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
 {{- else }}
-{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }}
+{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }}
 {{- end }}
 {{- else }}
 {{- if .Values.global.imageRegistry }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/networkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/networkpolicy.yaml
@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "prometheus-node-exporter.fullname" . }}
+  namespace: {{ include "prometheus-node-exporter.namespace" . }}
+  labels:
+    {{- include "prometheus-node-exporter.labels" $ | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingress:
+    - ports:
+      - port: {{ .Values.service.port }}
+  policyTypes:
+    - Egress
+    - Ingress
+  podSelector:
+    matchLabels:
+      {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
+{{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml
@ -23,6 +23,10 @@ spec:
    {{- else }}
      {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }}
    {{- end }}
+  {{- with .Values.prometheus.monitor.attachMetadata }}
+  attachMetadata:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
  endpoints:
    - port: {{ .Values.service.portName }}
      scheme: {{ .Values.prometheus.monitor.scheme }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
@ -7,7 +7,7 @@ image:
  # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }}
  tag: ""
  pullPolicy: IfNotPresent
-  sha: ""
+  digest: ""

 imagePullSecrets: []
 # - name: "image-pull-secret"
@ -72,6 +72,12 @@ service:
  annotations:
    prometheus.io/scrape: "true"

+# Set a NetworkPolicy with:
+# ingress only on service.port
+# no egress permitted
+networkPolicy:
+  enabled: false
+
 # Additional environment variables that will be passed to the daemonset
 env: {}
 ##  env:
@ -102,6 +108,11 @@ prometheus:
    ##
    selectorOverride: {}

+    ## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above.
+    ##
+    attachMetadata:
+      node: false
+
    relabelings: []
    metricRelabelings: []
    interval: ""
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml
@ -13,6 +13,7 @@ metadata:
  annotations:
 {{ toYaml .Values.alertmanager.serviceAccount.annotations | indent 4 }}
 {{- end }}
+automountServiceAccountToken: {{ .Values.alertmanager.serviceAccount.automountServiceAccountToken }}
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2}}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml
@ -1,4 +1,4 @@
-{{- if .Values.coreDns.enabled }}
+{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if .Values.coreDns.enabled }}
+{{- if and .Values.coreDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if .Values.kubeApiServer.enabled }}
+{{- if and .Values.kubeApiServer.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/endpoints.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/service.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-controller-manager/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled }}
+{{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/service.yaml
@ -1,4 +1,4 @@
-{{- if .Values.kubeDns.enabled }}
+{{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-dns/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if .Values.kubeDns.enabled }}
+{{- if and .Values.kubeDns.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/endpoints.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled }}
+{{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/endpoints.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/service.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-proxy/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled }}
+{{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/endpoints.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.endpoints .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/service.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kube-scheduler/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled }}
+{{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml
@ -1,4 +1,4 @@
-{{- if .Values.kubelet.enabled }}
+{{- if and .Values.kubelet.enabled .Values.kubernetesServiceMonitors.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml
@ -33,7 +33,11 @@ data:
      access: proxy
      isDefault: {{ .Values.grafana.sidecar.datasources.isDefaultDatasource }}
      jsonData:
+        httpMethod: {{ .Values.grafana.sidecar.datasources.httpMethod }}
        timeInterval: {{ $scrapeInterval }}
+        {{- if .Values.grafana.sidecar.datasources.timeout }}
+        timeout: {{ .Values.grafana.sidecar.datasources.timeout }}
+        {{- end }}
 {{- if .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations }}
        exemplarTraceIdDestinations:
        - datasourceUid: {{ .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations.datasourceUid }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-createSecret.yaml
@ -0,0 +1,32 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    helm.sh/hook-weight: "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}  
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+  egress:
+    {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+    {{- else }}
+    - toEntities:
+      - kube-apiserver
+    {{- end }}
+{{- end }}
+{{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/ciliumnetworkpolicy-patchWebhook.yaml
@ -0,0 +1,33 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    helm.sh/hook-weight: "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}   
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+    {{- include "kube-prometheus-stack.labels" $ | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+  egress:
+    {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+    {{- else }}
+    - toEntities:
+      - kube-apiserver
+    {{- end }}
+{{- end }}
+{{- end }}
+
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml
@ -5,8 +5,8 @@ metadata:
  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
 {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
  annotations:
-    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
 {{- end }}
  labels:
    app: {{ template "kube-prometheus-stack.name" $ }}-admission
@ -41,4 +41,27 @@ webhooks:
    timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    namespaceSelector:
+      matchExpressions:
+      {{- if .Values.prometheusOperator.denyNamespaces }}
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} 
+        - {{ $namespace }}
+        {{- end }}
+      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
+        {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
+        - {{ $namespace }}
+        {{- end }}
+        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} 
+        - {{ $namespace }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
 {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
@ -5,8 +5,8 @@ metadata:
  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
 {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
  annotations:
-    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
 {{- end }}
  labels:
    app: {{ template "kube-prometheus-stack.name" $ }}-admission
@ -41,4 +41,27 @@ webhooks:
    timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    namespaceSelector:
+      matchExpressions:
+      {{- if .Values.prometheusOperator.denyNamespaces }}
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} 
+        - {{ $namespace }}
+        {{- end }}
+      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
+        {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
+        - {{ $namespace }}
+        {{- end }}
+        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} 
+        - {{ $namespace }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
 {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/ciliumnetworkpolicy.yaml
@ -0,0 +1,35 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
+      {{- include "kube-prometheus-stack.labels" $ | nindent 6 }}
+  egress:
+  {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+    {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+  {{- else }}
+  - toEntities:
+    - kube-apiserver
+  {{- end }}
+  ingress:
+  - toPorts:
+    - ports:
+      {{- if .Values.prometheusOperator.tls.enabled }}
+      - port: {{ .Values.prometheusOperator.tls.internalPort | quote }}
+      {{- else }}
+      - port: "8080"
+      {{- end }}
+        protocol: "TCP"
+      rules:
+        http:
+        - method: "GET"
+          path: "/metrics"
+{{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml
@ -90,15 +90,24 @@ spec:
            - --config-reloader-cpu-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.cpu }}
            - --config-reloader-memory-request={{ .Values.prometheusOperator.prometheusConfigReloader.resources.requests.memory }}
            - --config-reloader-memory-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.memory }}
+            {{- if .Values.prometheusOperator.prometheusConfigReloader.enableProbe }}
+            - --enable-config-reloader-probes=true
+            {{- end }}
            {{- if .Values.prometheusOperator.alertmanagerInstanceNamespaces }}
            - --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }}
            {{- end }}
+            {{- if .Values.prometheusOperator.alertmanagerInstanceSelector }}
+            - --alertmanager-instance-selector={{ .Values.prometheusOperator.alertmanagerInstanceSelector }}
+            {{- end }}
            {{- if .Values.prometheusOperator.alertmanagerConfigNamespaces }}
            - --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }}
            {{- end }}
            {{- if .Values.prometheusOperator.prometheusInstanceNamespaces }}
            - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }}
            {{- end }}
+            {{- if .Values.prometheusOperator.prometheusInstanceSelector }}
+            - --prometheus-instance-selector={{ .Values.prometheusOperator.prometheusInstanceSelector }}
+            {{- end }}
            {{- if .Values.prometheusOperator.thanosImage.sha }}
            - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }}
            {{- else }}
@ -107,8 +116,11 @@ spec:
            {{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }}
            - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }}
            {{- end }}
+            {{- if .Values.prometheusOperator.thanosRulerInstanceSelector }}
+            - --thanos-ruler-instance-selector={{ .Values.prometheusOperator.thanosRulerInstanceSelector }}
+            {{- end }}
            {{- if .Values.prometheusOperator.secretFieldSelector }}
-            - --secret-field-selector={{ .Values.prometheusOperator.secretFieldSelector }}
+            - --secret-field-selector={{ tpl (.Values.prometheusOperator.secretFieldSelector) $ }}
            {{- end }}
            {{- if .Values.prometheusOperator.clusterDomain }}
            - --cluster-domain={{ .Values.prometheusOperator.clusterDomain }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
@ -1,4 +1,4 @@
-{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
 apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
 metadata:
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ciliumnetworkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ciliumnetworkpolicy.yaml
@ -0,0 +1,27 @@
+{{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "cilium") }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    {{- if .Values.prometheus.networkPolicy.cilium.endpointSelector }}
+    {{- toYaml .Values.prometheus.networkPolicy.cilium.endpointSelector | nindent 4 }}
+    {{- else }}
+    matchExpressions:
+      - {key: app.kubernetes.io/name, operator: In, values: [prometheus]}
+      - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]}
+    {{- end }}
+  {{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.egress }}  
+  egress:
+    {{ toYaml .Values.prometheus.networkPolicy.cilium.egress | nindent 4 }}
+  {{- end }}
+  {{- if and .Values.prometheus.networkPolicy.cilium .Values.prometheus.networkPolicy.cilium.ingress }}  
+  ingress:
+    {{ toYaml .Values.prometheus.networkPolicy.cilium.ingress | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/ingressThanosSidecar.yaml
@ -14,6 +14,7 @@ metadata:
 {{ toYaml .Values.prometheus.thanosIngress.annotations | indent 4 }}
 {{- end }}
  name: {{ template "kube-prometheus-stack.fullname" . }}-thanos-gateway
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
  labels:
    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
@ -1,4 +1,4 @@
-{{- if .Values.prometheus.networkPolicy.enabled }}
+{{- if and .Values.prometheus.networkPolicy.enabled (eq .Values.prometheus.networkPolicy.flavor "kubernetes") }}
 apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
 metadata:
@ -9,12 +9,10 @@ metadata:
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
  {{- if .Values.prometheus.networkPolicy.egress }}
-  ## Deny all egress by default
  egress:
    {{- toYaml .Values.prometheus.networkPolicy.egress | nindent 4 }}
  {{- end }}
  {{- if .Values.prometheus.networkPolicy.ingress }}
-  # Deny all ingress by default (prometheus scrapes itself using localhost)
  ingress:
    {{- toYaml .Values.prometheus.networkPolicy.ingress | nindent 4 }}
  {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
@ -42,10 +42,7 @@ spec:
  {{- else }}
  image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}"
  {{- end }}
-  version: {{ .Values.prometheus.prometheusSpec.image.tag }}
-  {{- if .Values.prometheus.prometheusSpec.image.sha }}
-  sha: {{ .Values.prometheus.prometheusSpec.image.sha }}
-  {{- end }}
+  version: {{ default .Values.prometheus.prometheusSpec.image.tag .Values.prometheus.prometheusSpec.version }}
 {{- end }}
 {{- if .Values.prometheus.prometheusSpec.additionalArgs }}
  additionalArgs:
@ -364,7 +361,8 @@ spec:
 {{- end }}
  excludedFromEnforcement:
 {{- range $prometheusDefaultRulesExcludedFromEnforce.rules }}
-    - resource: prometheusrules
+    - group: monitoring.coreos.com
+      resource: prometheusrules
      namespace: "{{ template "kube-prometheus-stack.namespace" $ }}"
      name: "{{ printf "%s-%s" (include "kube-prometheus-stack.fullname" $) . | trunc 63 | trimSuffix "-" }}"
 {{- end }}
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml
@ -158,6 +158,7 @@ alertmanager:
    create: true
    name: ""
    annotations: {}
+    automountServiceAccountToken: true

  ## Configure pod disruption budgets for Alertmanager
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
@ -822,6 +823,8 @@ grafana:
      enabled: true
      label: grafana_dashboard
      labelValue: "1"
+      # Allow discovery in all namespaces for dashboards
+      searchNamespace: ALL

      ## Annotations for Grafana dashboard configmaps
      ##
@ -844,6 +847,9 @@ grafana:
      ##
      # url: http://prometheus-stack-prometheus:9090/

+      ## Prometheus request timeout in seconds
+      # timeout: 30
+
      # If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default
      # defaultDatasourceScrapeInterval: 15s

@ -851,6 +857,9 @@ grafana:
      ##
      annotations: {}

+      ## Set method for HTTP to send query to datasource
+      httpMethod: POST
+
      ## Create datasource for each Pod of Prometheus StatefulSet;
      ## this uses headless service `prometheus-operated` which is
      ## created by Prometheus Operator
@ -929,6 +938,11 @@ grafana:
    #   replacement: $1
    #   action: replace

+## Flag to disable all the kubernetes component scrapers
+##
+kubernetesServiceMonitors:
+  enabled: true
+
 ## Component scraping the kube api server
 ##
 kubeApiServer:
@ -1949,6 +1963,15 @@ prometheusOperator:
    ##
    enabled: false

+    ## Flavor of the network policy to use.
+    #  Can be:
+    #  * kubernetes for networking.k8s.io/v1/NetworkPolicy
+    #  * cilium     for cilium.io/v2/CiliumNetworkPolicy
+    flavor: kubernetes
+
+    # cilium:
+    #   egress:
+
  ## Service account for Alertmanager to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
@ -2202,6 +2225,9 @@ prometheusOperator:
      tag: ""
      sha: ""

+    # add prometheus config reloader liveness and readiness probe. Default: false
+    enableProbe: false
+
    # resource config for prometheusConfigReloader
    resources:
      requests:
@ -2219,6 +2245,17 @@ prometheusOperator:
    tag: v0.30.2
    sha: ""

+  ## Set a Label Selector to filter watched prometheus and prometheusAgent
+  ##
+  prometheusInstanceSelector: ""
+
+  ## Set a Label Selector to filter watched alertmanager
+  ##
+  alertmanagerInstanceSelector: ""
+
+  ## Set a Label Selector to filter watched thanosRuler
+  thanosRulerInstanceSelector: ""
+
  ## Set a Field Selector to filter watched secrets
  ##
  secretFieldSelector: ""
@ -2235,6 +2272,18 @@ prometheus:
  ## Configure network policy for the prometheus
  networkPolicy:
    enabled: false
+
+    ## Flavor of the network policy to use.
+    #  Can be:
+    #  * kubernetes for networking.k8s.io/v1/NetworkPolicy
+    #  * cilium     for cilium.io/v2/CiliumNetworkPolicy
+    flavor: kubernetes
+
+    # cilium:
+    #   endpointSelector:
+    #   egress:
+    #   ingress:
+
    # egress:
    # - {}
    # ingress:
@ -2670,6 +2719,10 @@ prometheus:
    ##
    enableAdminAPI: false

+    ## Sets version of Prometheus overriding the Prometheus version as derived
+    ## from the image tag. Useful in cases where the tag does not follow semver v2.
+    version: ""
+
    ## WebTLSConfig defines the TLS parameters for HTTPS
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#webtlsconfig
    web: {}
@ -2780,11 +2833,12 @@ prometheus:
    ##
    query: {}

-    ## Namespaces to be selected for PrometheusRules discovery.
-    ## If nil, select own namespace. Namespaces to be selected for ServiceMonitor discovery.
-    ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
-    ##
+    ## If nil, select own namespace. Namespaces to be selected for PrometheusRules discovery.
    ruleNamespaceSelector: {}
+    ## Example which selects PrometheusRules in namespaces with label "prometheus" set to "somelabel"
+    # ruleNamespaceSelector:
+    #   matchLabels:
+    #     prometheus: somelabel

    ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the
    ## prometheus resource to be created with selectors based on values in the helm deployment,
@ -2849,10 +2903,12 @@ prometheus:
    #   matchLabels:
    #     prometheus: somelabel

-    ## Namespaces to be selected for PodMonitor discovery.
-    ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
-    ##
+    ## If nil, select own namespace. Namespaces to be selected for PodMonitor discovery.
    podMonitorNamespaceSelector: {}
+    ## Example which selects PodMonitor in namespaces with label "prometheus" set to "somelabel"
+    # podMonitorNamespaceSelector:
+    #   matchLabels:
+    #     prometheus: somelabel

    ## If true, a nil or {} value for prometheus.prometheusSpec.probeSelector will cause the
    ## prometheus resource to be created with selectors based on values in the helm deployment,
@ -2869,10 +2925,12 @@ prometheus:
    #   matchLabels:
    #     prometheus: somelabel

-    ## Namespaces to be selected for Probe discovery.
-    ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#namespaceselector for usage
-    ##
+    ## If nil, select own namespace. Namespaces to be selected for Probe discovery.
    probeNamespaceSelector: {}
+    ## Example which selects Probe in namespaces with label "prometheus" set to "somelabel"
+    # probeNamespaceSelector:
+    #   matchLabels:
+    #     prometheus: somelabel

    ## How long to retain metrics
    ##
--- a/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json
+++ b/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json
@ -18,7 +18,7 @@
          "subdir": "contrib/mixin"
        }
      },
-      "version": "49b59cc8e5c838bdc5e661de6388a0e348b3985c",
+      "version": "2a0c9896623cc64543b01bd0bdf1140f6d622a67",
      "sum": "QTzBqwjnM6cGGVBhOiVJyA+ZVTkmCTuH6C6YW7XKRFw="
    },
    {
@ -58,7 +58,7 @@
          "subdir": "grafana-builder"
        }
      },
-      "version": "d680faafc0727c4c5086f1624333363e57d2ce81",
+      "version": "d303b2031264728728dd1e1c05f74f67027139f6",
      "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0="
    },
    {
@ -68,8 +68,8 @@
          "subdir": ""
        }
      },
-      "version": "eed459199703c969afc318ea55b9361ae48180a7",
-      "sum": "iKDOR7+jXw3Rctog6Z1ofweIK5BLjuGeguIZjXLP8ls="
+      "version": "d87b757edc73a5f5b78e9f6a9bbae9023131c946",
+      "sum": "fsAZNroGj9QOUt63dI78jcahPnCXlBhpfxuPJC3dTac="
    },
    {
      "source": {
@ -78,7 +78,7 @@
          "subdir": "jsonnet/kube-state-metrics"
        }
      },
-      "version": "32f8c5e80500855dcdec0c0b7398b580b12f3470",
+      "version": "5f31736e444a674a969d65aaa9afd9d0864c8639",
      "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
    },
    {
@ -88,7 +88,7 @@
          "subdir": "jsonnet/kube-state-metrics-mixin"
        }
      },
-      "version": "32f8c5e80500855dcdec0c0b7398b580b12f3470",
+      "version": "5f31736e444a674a969d65aaa9afd9d0864c8639",
      "sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk="
    },
    {
@ -98,8 +98,8 @@
          "subdir": "jsonnet/kube-prometheus"
        }
      },
-      "version": "2a955da550e33f75e3a7ecf30d45e8fd19dc6c31",
-      "sum": "8SUhAtqVsKsqUmDYgmrdZWrvS6bQ1dHnVSi2LFJeCZU="
+      "version": "c9e1145027df233fa3d1d7aed86cacbf6001d1f5",
+      "sum": "Skpy4SojW1KNz8dJpg8J6mx/z596xf9nW8VEGvXnGJg="
    },
    {
      "source": {
@ -108,8 +108,8 @@
          "subdir": "jsonnet/mixin"
        }
      },
-      "version": "06b5c4189f3f72737766d86103d049115c3aff48",
-      "sum": "GQmaVFJwKMiD/P4n3N2LrAZVcwutriWrP8joclDtBYQ=",
+      "version": "e8841ea9546b08693aefbb945bfebc11c8b33186",
+      "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
      "name": "prometheus-operator-mixin"
    },
    {
@ -119,8 +119,8 @@
          "subdir": "jsonnet/prometheus-operator"
        }
      },
-      "version": "06b5c4189f3f72737766d86103d049115c3aff48",
-      "sum": "8XqdRl/MXzaSKjhHkrMFWbrP8Tw0k5tsI5hNfX++1Pw="
+      "version": "e8841ea9546b08693aefbb945bfebc11c8b33186",
+      "sum": "cNcVEO+LVAJK7fGxfL8RAIo/G/9ZU/ZUhCzUpdcgytc="
    },
    {
      "source": {
@ -129,7 +129,7 @@
          "subdir": "doc/alertmanager-mixin"
        }
      },
-      "version": "0f14383b61c1e301a70130ecfc22df52bd85df6e",
+      "version": "f67d03fe2854191bb36dbcb305ec507237583aa2",
      "sum": "PsK+V7oETCPKu2gLoPfqY0wwPKH9TzhNj6o2xezjjXc=",
      "name": "alertmanager"
    },
@ -140,8 +140,8 @@
          "subdir": "docs/node-mixin"
        }
      },
-      "version": "c8129fadd660ae90598b84791d8915a995a27815",
-      "sum": "TwdaTm0Z++diiLyaKAAimmC6hBL7XbrJc0RHhBCpAdU="
+      "version": "184a4e0893dd5c28e540ca3070f2e3a07f939f11",
+      "sum": "aFUI56y6Y8EpniS4cfYqrSaHFnxeomIw4S4+Sz8yPtQ="
    },
    {
      "source": {
@ -150,7 +150,7 @@
          "subdir": "documentation/prometheus-mixin"
        }
      },
-      "version": "0ab95536115adfe50af249d36d73674be694ca3f",
+      "version": "5c5fa5c319fca713506fa144ec6768fddf00d466",
      "sum": "LRx0tbMnoE1p8KEn+i81j2YsA5Sgt3itE5Y6jBf5eOQ=",
      "name": "prometheus"
    },
@ -161,8 +161,8 @@
          "subdir": "config/crd/bases"
        }
      },
-      "version": "cd05347647955a378f32a888d194cb0f7c0134a6",
-      "sum": "bY/Pcrrbynguq8/HaI88cQ3B2hLv/xc+76QILY7IL+g="
+      "version": "05405777468aca15ee63824512f8f13af9f08039",
+      "sum": "MK8+uumteRncS0hkyjocvU2vdtlGbfBRPcU0/mJnU2M="
    },
    {
      "source": {
@ -171,7 +171,7 @@
          "subdir": "mixin"
        }
      },
-      "version": "a1ec4d5365e88967e4bb4b0f127d174617ed2bbc",
+      "version": "cdb395a7100be554e804d61c735b8d4a4b678f11",
      "sum": "zSLNV/0bN4DcVKojzCqjmhfjtzTY4pDKZXqbAUzw5R0=",
      "name": "thanos-mixin"
    }
--- a/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule
+++ b/charts/kubezero-metrics/jsonnet/rules/node-exporter-prometheusRule
@ -175,7 +175,7 @@
               {
                  "alert": "NodeClockSkewDetected",
                  "annotations": {
-                     "description": "Clock on {{ $labels.instance }} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.",
+                     "description": "Clock on {{ $labels.instance }} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.",
                     "runbook_url": "https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected",
                     "summary": "Clock skew detected."
                  },
--- a/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule
+++ b/charts/kubezero-metrics/jsonnet/rules/prometheus-operator-prometheusRule
@ -6,7 +6,7 @@
         "app.kubernetes.io/component": "controller",
         "app.kubernetes.io/name": "prometheus-operator",
         "app.kubernetes.io/part-of": "kube-prometheus",
-         "app.kubernetes.io/version": "0.64.1",
+         "app.kubernetes.io/version": "0.65.1",
         "prometheus": "k8s",
         "role": "alert-rules"
      },
--- a/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule
+++ b/charts/kubezero-metrics/jsonnet/rules/prometheus-prometheusRule
@ -7,7 +7,7 @@
         "app.kubernetes.io/instance": "k8s",
         "app.kubernetes.io/name": "prometheus",
         "app.kubernetes.io/part-of": "kube-prometheus",
-         "app.kubernetes.io/version": "2.43.0",
+         "app.kubernetes.io/version": "2.43.1",
         "prometheus": "k8s",
         "role": "alert-rules"
      },
--- a/charts/kubezero-metrics/templates/rules/node-exporter.yaml
+++ b/charts/kubezero-metrics/templates/rules/node-exporter.yaml
@ -125,7 +125,7 @@ spec:
        severity: warning
    - alert: NodeClockSkewDetected
      annotations:
-        description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.
+        description: Clock on {{`{{`}} $labels.instance {{`}}`}} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host.
        runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected
        summary: Clock skew detected.
      expr: "(\n  node_timex_offset_seconds{job=\"node-exporter\"} > 0.05\nand\n  deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) >= 0\n)\nor\n(\n  node_timex_offset_seconds{job=\"node-exporter\"} < -0.05\nand\n  deriv(node_timex_offset_seconds{job=\"node-exporter\"}[5m]) <= 0\n)\n"
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@ -85,7 +85,7 @@ kube-prometheus-stack:
        - sourceLabels: [__meta_kubernetes_pod_node_name]
          separator: ;
          regex: ^(.*)$
-          targetLabel: node
+          targetLabel: instance
          replacement: $1
          action: replace
    resources:
--- a/charts/kubezero-redis/README.md
+++ b/charts/kubezero-redis/README.md
@ -1,6 +1,6 @@
 # kubezero-redis

-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 KubeZero Umbrella Chart for Redis HA

@ -14,7 +14,7 @@ KubeZero Umbrella Chart for Redis HA

 ## Requirements

-Kubernetes: `>= 1.20.0`
+Kubernetes: `>= 1.25.0`

 | Repository | Name | Version |
 |------------|------|---------|
--- a/charts/kubezero/Chart.yaml
+++ b/charts/kubezero/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero
 description: KubeZero - Root App of Apps chart
 type: application
-version: 1.25.8
+version: 1.25.8-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
--- a/charts/kubezero/README.md
+++ b/charts/kubezero/README.md
@ -1,6 +1,6 @@
 # kubezero

-![Version: 1.25.8](https://img.shields.io/badge/Version-1.25.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.25.8-1](https://img.shields.io/badge/Version-1.25.8--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 KubeZero - Root App of Apps chart

@ -67,7 +67,7 @@ Kubernetes: `>= 1.25.0`
 | metrics.istio.grafana | object | `{}` |  |
 | metrics.istio.prometheus | object | `{}` |  |
 | metrics.namespace | string | `"monitoring"` |  |
-| metrics.targetRevision | string | `"0.9.0"` |  |
+| metrics.targetRevision | string | `"0.9.1"` |  |
 | network.cilium.cluster | object | `{}` |  |
 | network.enabled | bool | `true` |  |
 | network.retain | bool | `true` |  |
--- a/charts/kubezero/templates/metrics.yaml
+++ b/charts/kubezero/templates/metrics.yaml
@ -1,3 +1,60 @@
+{{- define "_kube-prometheus-stack" }}
+
+{{- if .global.aws }}
+alertmanager:
+  config:
+    receivers:
+      - name: 'null'
+      - name: alerthub-notifications
+        webhook_configs:
+          - send_resolved: true
+            url: http://localhost:9087/alert/AlertHub
+    route:
+      receiver: alerthub-notifications
+prometheus:
+  prometheusSpec:
+    externalLabels:
+      awsAccount: '{{ .global.aws.accountId }}'
+      awsRegion: {{ .global.aws.region }}
+      clusterName: {{ .global.clusterName }}
+    volumes:
+      - name: aws-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 86400
+              audience: "sts.amazonaws.com"
+    volumeMounts:
+      - name: aws-token
+        mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+        readOnly: true
+    additionalScrapeConfigs:
+      - job_name: 'nodes'
+        ec2_sd_configs:
+          - port: 9100
+            region: {{ .global.aws.region }}
+            filters:
+              - name: 'tag-key'
+                values: ['zdt:prometheus.node-exporter']
+        relabel_configs:
+          - source_labels:
+            - '__meta_ec2_instance_id'
+            target_label: 'instance_id'
+          - source_labels:
+            - '__meta_ec2_availability_zone'
+            target_label: 'availability_zone'
+          - source_labels:
+            - '__meta_ec2_private_dns_name'
+            target_label: 'instance'
+          - source_labels:
+            - '__meta_ec2_tag_Name'
+            target_label: 'instance'
+{{- end }}
+
+{{- end }}
+
+
 {{- define "metrics-values" }}

 {{- with .Values.metrics.istio }}
@ -6,7 +63,7 @@ istio:
 {{- end }}
 {{- with index .Values "metrics" "kube-prometheus-stack" }}
 kube-prometheus-stack:
-  {{- toYaml . | nindent 2 }}
+  {{- toYaml ( merge ( include "_kube-prometheus-stack" $.Values | fromYaml ) . ) | nindent 2 }}
 {{- end }}
 {{- with index .Values "metrics" "prometheus-adapter" }}
 prometheus-adapter:
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -76,7 +76,7 @@ istio-private-ingress:
 metrics:
  enabled: false
  namespace: monitoring
-  targetRevision: 0.9.0
+  targetRevision: 0.9.1
  istio:
    grafana: {}
    prometheus: {}