Fix/prometheus rules backport

.gitignore

@@ -0,0 +1 @@
+.debug

charts/helm_lib/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.64.0
+version: 1.64.11
 description: "Helm utils template definitions for Deckhouse modules."

charts/helm_lib/README.md

@@ -9,6 +9,8 @@
 | **Api Version And Kind** |
 | [helm_lib_kind_exists](#helm_lib_kind_exists) |
 | [helm_lib_get_api_version_by_kind](#helm_lib_get_api_version_by_kind) |
+| **Csi Controller** |
+| [helm_lib_csi_image_with_common_fallback](#helm_lib_csi_image_with_common_fallback) |
 | **Enable Ds Eviction** |
 | [helm_lib_prevent_ds_eviction_annotation](#helm_lib_prevent_ds_eviction_annotation) |
 | **Envs For Proxy** |
@@ -163,6 +165,23 @@ list:
 -  Template context with .Values, .Chart, etc 
 -  Kind name portion 
 
+## Csi Controller
+
+### helm_lib_csi_image_with_common_fallback
+
+ returns image name from storage foundation module if enabled, otherwise from common module 
+
+#### Usage
+
+`{{ include "helm_lib_csi_image_with_common_fallback" (list . "<raw-container-name>" "<semver>") }} `
+
+#### Arguments
+
+list:
+-  Template context with .Values, .Chart, etc 
+-  Container raw name 
+-  Kubernetes semantic version 
+
 ## Enable Ds Eviction
 
 ### helm_lib_prevent_ds_eviction_annotation
@@ -650,16 +669,17 @@ list:
 
 ### helm_lib_module_container_security_context_pss_restricted_flexible
 
- SecurityContext for Deckhouse UID/GID 64535, PSS Restricted 
+ SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted 
  Optional keys: 
  .ro   – bool, read-only root FS (default true) 
  .caps – []string, capabilities.add (default empty) 
  .uid  – int, runAsUser/runAsGroup (default 64535) 
+ .runAsNonRoot   – bool, run as Deckhouse user when true, root when false (default true) 
  .seccompProfile  – bool, disable seccompProfile when false (default true) 
 
 #### Usage
 
-`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) `
+`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) `
 
 
 

charts/helm_lib/templates/_csi_controller.tpl

@@ -1,3 +1,43 @@
+{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "<raw-container-name>" "<semver>") }} */ -}}
+{{- /* returns image name from storage foundation module if enabled, otherwise from common module */ -}}
+{{- define "helm_lib_csi_image_with_common_fallback" }}
+  {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+  {{- $rawContainerName := index . 1 | trimAll "\"" }} {{- /* Container raw name */ -}}
+  {{- $kubernetesSemVer := index . 2 }} {{- /* Kubernetes semantic version */ -}}
+  {{- $imageDigest := "" }}
+  {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
+  {{- /* Try to get from storage foundation module if enabled */}}
+  {{- if $context.Values.global.enabledModules | has "storage-foundation" }}
+    {{- $registryBase = join "/" (list $registryBase "modules" "storage-foundation" ) }}
+    {{- $storageFoundationDigests := index $context.Values.global.modulesImages.digests "storageFoundation" | default dict }}
+    {{- $currentMinor := int $kubernetesSemVer.Minor }}
+    {{- $kubernetesMajor := int $kubernetesSemVer.Major }}
+    {{- /* Iterate from currentMinor down to 0: use offset from 0 to currentMinor, then calculate minorVersion = currentMinor - offset */}}
+    {{- range $offset := until (int (add $currentMinor 1)) }}
+      {{- if not $imageDigest }}
+        {{- $minorVersion := int (sub $currentMinor $offset) }}
+        {{- $containerName := join "" (list $rawContainerName "ForK8SGE" $kubernetesMajor $minorVersion) }}
+        {{- $digest := index $storageFoundationDigests $containerName | default "" }}
+        {{- if $digest }}
+          {{- $imageDigest = $digest }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- /* Fallback to base container name if no versioned image found (when minor reached 0) */}}
+    {{- if not $imageDigest }}
+      {{- $imageDigest = index $storageFoundationDigests $rawContainerName | default "" }}
+    {{- end }}
+  {{- /* Fallback to common module if storage foundation module is not enabled */}}
+  {{- else }}
+    {{- $containerName := join "" (list $rawContainerName $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
+    {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }}
+  {{- end }}
+  {{- if $imageDigest }}
+    {{- printf "%s@%s" $registryBase $imageDigest }}
+  {{- end }}
+{{- end }}
+
+
 {{- define "attacher_resources" }}
 cpu: 10m
 memory: 25Mi
@@ -74,26 +114,22 @@ memory: 50Mi
   {{- $customNodeSelector := $config.customNodeSelector }}
   {{- $additionalPullSecrets := $config.additionalPullSecrets }}
   {{- $forceCsiControllerPrivilegedContainer := $config.forceCsiControllerPrivilegedContainer | default false }}
+  {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }}
 
   {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }}
 
-  {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $provisionerImage := include "helm_lib_module_common_image_no_fail" (list $context $provisionerImageName) }}
+  {{- $provisionerImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalProvisioner" $kubernetesSemVer) }}
 
-  {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $attacherImage := include "helm_lib_module_common_image_no_fail" (list $context $attacherImageName) }}
+  {{- $attacherImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalAttacher" $kubernetesSemVer) }}
 
-  {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $resizerImage := include "helm_lib_module_common_image_no_fail" (list $context $resizerImageName) }}
+  {{- $resizerImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalResizer" $kubernetesSemVer) }}
 
   {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
   {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }}
 
-  {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $snapshotterImage := include "helm_lib_module_common_image_no_fail" (list $context $snapshotterImageName) }}
+  {{- $snapshotterImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalSnapshotter" $kubernetesSemVer) }}
 
-  {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $livenessprobeImage := include "helm_lib_module_common_image_no_fail" (list $context $livenessprobeImageName) }}
+  {{- $livenessprobeImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiLivenessprobe" $kubernetesSemVer) }}
 
   {{- if $provisionerImage }}
     {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
@@ -187,7 +223,7 @@ metadata:
 
 spec:
   {{- if $csiControllerHaMode }}
-  {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" $context | nindent 2 }}
+  {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" $context | nindent 2 }}
   {{- else }}
   replicas: 1
   strategy:
@@ -217,7 +253,7 @@ spec:
       hostNetwork: {{ $csiControllerHostNetwork }}
       hostPID: {{ $csiControllerHostPID }}
       {{- if eq $csiControllerHostNetwork "true" }}
-      dnsPolicy: ClusterFirstWithHostNet
+      dnsPolicy: {{ $dnsPolicy | quote }}
       {{- end }}
       imagePullSecrets:
       - name: deckhouse-registry
@@ -241,7 +277,7 @@ spec:
       automountServiceAccountToken: true
       containers:
       - name: provisioner
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $provisionerImage | quote }}
         args:
         - "--timeout={{ $provisionerTimeout }}"
@@ -294,7 +330,7 @@ spec:
             {{- include "provisioner_resources" $context | nindent 12 }}
   {{- end }}
       - name: attacher
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $attacherImage | quote }}
         args:
         - "--timeout={{ $attacherTimeout }}"
@@ -325,7 +361,7 @@ spec:
   {{- end }}
             {{- if $resizerEnabled }}
       - name: resizer
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $resizerImage | quote }}
         args:
         - "--timeout={{ $resizerTimeout }}"
@@ -357,7 +393,7 @@ spec:
             {{- end }}
             {{- if $syncerEnabled }}
       - name: syncer
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $syncerImage | quote }}
         args:
         - "--leader-election"
@@ -384,7 +420,7 @@ spec:
             {{- end }}
     {{- if $snapshotterEnabled }}
       - name: snapshotter
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $snapshotterImage | quote }}
         args:
         - "--timeout={{ $snapshotterTimeout }}"
@@ -418,7 +454,7 @@ spec:
   {{- end }}
             {{- end }}
       - name: livenessprobe
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $livenessprobeImage | quote }}
         args:
         - "--csi-address=$(ADDRESS)"
@@ -454,7 +490,7 @@ spec:
 {{- if $forceCsiControllerPrivilegedContainer }}
         {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }}
 {{- else }}
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
 {{- end }}
         image: {{ $controllerImage | quote }}
         args:

charts/helm_lib/templates/_csi_node.tpl

@@ -28,17 +28,17 @@ memory: 25Mi
   {{- $customNodeSelector := $config.customNodeSelector }}
   {{- $forceCsiNodeAndStaticNodesDepoloy := $config.forceCsiNodeAndStaticNodesDepoloy | default false }}
   {{- $setSysAdminCapability := $config.setSysAdminCapability | default false }}
-  {{- $additionalContainers := $config.additionalContainers }} 
+  {{- $additionalContainers := $config.additionalContainers }}
   {{- $initContainers := $config.initContainers }}
   {{- $additionalPullSecrets := $config.additionalPullSecrets }}
   {{- $csiNodeLifecycle := $config.csiNodeLifecycle | default false }}
   {{- $csiNodeDriverRegistrarLifecycle := $config.csiNodeDriverRegistrarLifecycle | default false }}
   {{- $additionalCsiNodePodAnnotations := $config.additionalCsiNodePodAnnotations | default false }}
   {{- $csiNodeHostNetwork := $config.csiNodeHostNetwork | default "true" }}
   {{- $csiNodeHostPID := $config.csiNodeHostPID | default "false" }}
+  {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }}
   {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }}
-  {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
-  {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }}
+  {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiNodeDriverRegistrar" $kubernetesSemVer) }}
   {{- if $driverRegistrarImage }}
     {{- if or $forceCsiNodeAndStaticNodesDepoloy (include "_helm_lib_cloud_or_hybrid_cluster" $context) }}
       {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
@@ -134,11 +134,11 @@ spec:
       hostNetwork: {{ $csiNodeHostNetwork }}
       hostPID: {{ $csiNodeHostPID }}
       {{- if eq $csiNodeHostNetwork "true" }}
-      dnsPolicy: ClusterFirstWithHostNet
+      dnsPolicy: {{ $dnsPolicy | quote }}
       {{- end }}
       containers:
       - name: node-driver-registrar
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $context | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true "uid" "0" "runAsNonRoot" false) | nindent 8 }}
         image: {{ $driverRegistrarImage | quote }}
         args:
         - "--v=5"
@@ -182,6 +182,8 @@ spec:
         securityContext:
           privileged: true
           readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
         {{- if $setSysAdminCapability }}
           capabilities:
             add:
@@ -207,7 +209,7 @@ spec:
             port: {{ $livenessProbePort }}
           initialDelaySeconds: 5
           timeoutSeconds: 5
-      {{- end }}      
+      {{- end }}
         volumeMounts:
         - name: kubelet-dir
           mountPath: /var/lib/kubelet

charts/helm_lib/templates/_envs_for_proxy.tpl

@@ -17,7 +17,7 @@
 - name: https_proxy
   value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
       {{- end }}
-      {{- $noProxy := list "127.0.0.1" "169.254.169.254" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }}
+      {{- $noProxy := list "127.0.0.1" "169.254.169.254" "registry.d8-system.svc" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }}
       {{- if $context.Values.global.clusterConfiguration.proxy.noProxy }}
         {{- $noProxy = concat $noProxy $context.Values.global.clusterConfiguration.proxy.noProxy }}
       {{- end }}

charts/helm_lib/templates/_module_image.tpl

@@ -19,7 +19,7 @@
     {{- if index $context.Values $moduleName "registry" }}
       {{- if index $context.Values $moduleName "registry" "base" }}
         {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
-        {{- $path := trimAll "/" $moduleName }}
+        {{- $path := trimAll "/" (include "helm_lib_module_kebabcase_name" $rawModuleName) }}
         {{- $registryBase = join "/" (list $host $path) }}
       {{- end }}
     {{- end }}
@@ -33,19 +33,18 @@
 {{- define "helm_lib_module_image_no_fail" }}
   {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
   {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
-  {{- $rawModuleName := $context.Chart.Name }}
+  {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
   {{- if ge (len .) 3 }}
-  {{- $rawModuleName = (index . 2) }} {{- /* Optional module name */ -}}
+  {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
   {{- end }}
-  {{- $moduleName := (include "helm_lib_module_camelcase_name" $rawModuleName) }}
   {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }}
   {{- if $imageDigest }}
     {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
     {{- if index $context.Values $moduleName }}
       {{- if index $context.Values $moduleName "registry" }}
         {{- if index $context.Values $moduleName "registry" "base" }}
           {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
-          {{- $path := trimAll "/" $moduleName }}
+          {{- $path := trimAll "/" $context.Chart.Name }}
           {{- $registryBase = join "/" (list $host $path) }}
         {{- end }}
       {{- end }}
@@ -102,12 +101,11 @@
 {{- define "helm_lib_module_image_digest_no_fail" }}
   {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
   {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
-  {{- $rawModuleName := $context.Chart.Name }}
+  {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
   {{- if ge (len .) 3 }}
-  {{- $rawModuleName = (index . 2) }} {{- /* Optional module name */ -}}
+  {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
   {{- end }}
-  {{- $moduleName := (include "helm_lib_module_camelcase_name" $rawModuleName) }}
   {{- $moduleMap := index $context.Values.global.modulesImages.digests $moduleName | default dict }}
   {{- $imageDigest := index $moduleMap $containerName | default "" }}
   {{- printf "%s" $imageDigest }}
-{{- end }}
+{{- end }}

charts/helm_lib/templates/_module_security_context.tpl

@@ -69,13 +69,14 @@ securityContext:
 {{- end }}
 
 
-{{- /* SecurityContext for Deckhouse UID/GID 64535, PSS Restricted */ -}}
+{{- /* SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted */ -}}
 {{- /* Optional keys: */ -}}
 {{- /* .ro   – bool, read-only root FS (default true) */ -}}
 {{- /* .caps – []string, capabilities.add (default empty) */ -}}
 {{- /* .uid  – int, runAsUser/runAsGroup (default 64535) */ -}}
+{{- /* .runAsNonRoot   – bool, run as Deckhouse user when true, root when false (default true) */ -}}
 {{- /* .seccompProfile  – bool, disable seccompProfile when false (default true) */ -}}
-{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) */ -}}
+{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) */ -}}
 {{- define "helm_lib_module_container_security_context_pss_restricted_flexible" -}}
 {{- $ro := true -}}
 {{- if hasKey . "ro" -}}
@@ -87,19 +88,26 @@ securityContext:
 {{- end -}}
 {{- $caps := default (list) .caps -}}
 {{- $uid  := default 64535 .uid  -}}
+{{- $runAsNonRoot := true -}}
+{{- if hasKey . "runAsNonRoot" -}}
+  {{- $runAsNonRoot = .runAsNonRoot -}}
+{{- end -}}
 
 securityContext:
   readOnlyRootFilesystem: {{ $ro }}
-  allowPrivilegeEscalation: false
+  allowPrivilegeEscalation: {{ not $runAsNonRoot }}
+{{- if $runAsNonRoot }}
+  privileged: false
+{{- end }}
   capabilities:
     drop:
       - ALL
 {{- if $caps }}
     add: {{ $caps | toJson }}
 {{- end }}
-  runAsUser:   {{ $uid }}
-  runAsGroup:  {{ $uid }}
-  runAsNonRoot: true
+  runAsUser:   {{ ternary $uid 0 $runAsNonRoot }}
+  runAsGroup:  {{ ternary $uid 0 $runAsNonRoot }}
+  runAsNonRoot: {{ $runAsNonRoot }}
 {{- if $seccompProfile }}
   seccompProfile:
     type: RuntimeDefault