feat(release-argus-5.2.0): release argus charts v5.2.0 (#83)

Co-authored-by: Shubhashri Shirode <shubhashri.shirode@logicmonitor.com>

charts/argus/Chart.yaml

@@ -6,11 +6,11 @@ maintainers:
   - email: argus@logicmonitor.com
     name: LogicMonitor
 name: argus
-version: 5.1.0
+version: 5.2.0
 home: https://logicmonitor.github.io/helm-charts
-appVersion: v10.1.0
+appVersion: v10.2.0
 dependencies:
   - name: lmutil
     repository: https://logicmonitor.github.io/helm-charts
     # repository: file://../lmutil
-    version: 0.1.1
+    version: 0.1.6

charts/argus/templates/_argus_config.tpl

@@ -51,6 +51,9 @@ selfMonitor:
 monitoring:
   disable:
     {{- include "monitoring.disable" . | nindent 4 }}
+  annotations:
+    ignore:
+      {{- include "monitoring.annotations.ignore" . | nindent 6}}
 alerting:
   disable:
     {{- include "alerting.disable" . | nindent 4 }}

charts/argus/templates/_collector.tpl

@@ -0,0 +1,78 @@
+{{- define "argus.custom-collector-pod-sec-context-nonroot" }}
+{{- toYaml .Values.collector.podSecurityContext | nindent 0 }}
+{{- end }}
+{{- define "argus.collector-pod-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "argus.collector-default-pod-sec-context-nonroot" ) -}}
+{{- end -}}
+
+{{- define "argus.custom-collector-container-sec-context-nonroot" }}
+{{- $addCaps := .Values.collector.securityContext.capabilities.add }}
+
+{{- if and (eq (include "lmutil.get-platform" .) "gke") (not (has "NET_RAW" $addCaps)) }}
+{{- $addCaps = append $addCaps "NET_RAW" }}
+{{- end }}
+
+{{- if (eq (include "lmutil.is-openshift" .) "true")  }}
+{{- if not (has "NET_RAW" $addCaps) }}
+{{- $addCaps = append $addCaps "NET_RAW" }}
+{{- end }}
+{{- if not (has "SETFCAP" $addCaps) }}
+{{- $addCaps = append $addCaps "SETFCAP" }}
+{{- end }}
+{{- end }}
+{{- with .Values.collector.securityContext }}
+{{- if not (hasKey . "capabilities") }}
+{{ toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}
+capabilities:
+  drop: {{ toYaml .Values.collector.securityContext.capabilities.drop | nindent 4 }}
+  add: {{ toYaml $addCaps | nindent 4 }}
+{{- end }}
+
+
+{{- define "argus.collector-container-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "argus.collector-default-container-sec-context-nonroot" ) -}}
+{{- end -}}
+
+{{- define "argus.collector-default-pod-sec-context-nonroot" }}
+{{ if eq (include "lmutil.is-openshift" .) "true" }}
+{{ if and (hasKey .Values.collector.env "COLLECTOR_NON_ROOT") (eq .Values.collector.env.COLLECTOR_NON_ROOT "true")  }}
+runAsUser: 2000
+fsGroup: 2000
+runAsGroup: 2000
+runAsNonRoot: true
+{{ else }}
+runAsUser: 0
+fsGroup: 0
+runAsGroup: 0
+runAsNonRoot: false
+{{ end }}
+{{- end }}
+{{- end }}
+
+
+{{- define "argus.collector-default-container-sec-context-nonroot" }}
+{{- if eq (include "lmutil.is-openshift" .) "true" }}
+{{ $caps := .Values.collector.securityContext.capabilities.add }}
+{{- if not (has "NET_RAW" $caps) }}
+{{- $caps = append $caps "NET_RAW" }}
+{{- end }}
+{{- if not (has "SETFCAP" $caps) }}
+{{- $caps = append $caps "SETFCAP" }}
+{{- end }}
+allowPrivilegeEscalation: true
+capabilities:
+  add: {{ toYaml $caps | nindent 4 }}
+{{- end }}
+{{- if eq (include "lmutil.get-platform" .) "gke" }}
+capabilities:
+  add:
+    - NET_RAW
+{{- range .Values.collector.securityContext.capabilities.add }}
+    {{- if ne "NET_RAW" . }}
+    - {{ . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/argus/templates/_helpers.tpl

@@ -48,6 +48,12 @@ logicmonitor.com/provider: lm-container
 {{- toYaml $resultList | nindent 0}}
 {{- end }}
 
+{{- define "monitoring.annotations.ignore" }}
+{{ $alwaysIgnore := list "key in ('virtual-kubelet.io/last-applied-node-status', 'control-plane.alpha.kubernetes.io/leader')" "key =~ 'last-applied'"}}
+{{ $resultList := ( concat $alwaysIgnore $.Values.monitoring.annotations.ignore | uniq )  }}
+{{- toYaml $resultList | nindent 0}}
+{{- end }}
+
 {{- define "alerting.disable" }}
 {{ $alwaysDisable := list }}
 {{ $resultList := (concat $alwaysDisable $.Values.lm.resource.alerting.disable | uniq )  }}

charts/argus/templates/collectorset.yaml

@@ -61,5 +61,5 @@ spec:
   {{- end }}
   probe: {{ toYaml .Values.collector.probe | nindent 4 }}
   collectorConfigMapName: {{ include "lmutil.fullname" . }}-collector
-  securityContext: {{ include "collector-csp" . | nindent 4 }}
-  podSecurityContext: {{ include "collector-psp" . | nindent 4 }}
+  securityContext: {{ include "argus.collector-container-sec-context-nonroot" (list . "argus.custom-collector-container-sec-context-nonroot") | nindent 4 }}
+  podSecurityContext: {{ include "argus.collector-pod-sec-context-nonroot" (list . "argus.custom-collector-pod-sec-context-nonroot") | nindent 4 }}

charts/argus/templates/deployment.yaml

@@ -21,7 +21,7 @@ spec:
       annotations:
         {{ include "argus.annotations" . | nindent 8 }}
     spec:
-      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      securityContext: {{ include "lmutil.pod-sec-context-nonroot" (list . "lmutil.custom-pod-sec-context-nonroot") | nindent 8 }}
       serviceAccountName: {{ include "lmutil.serviceAccountName" . }}
     {{ if .Values.affinity }}
       affinity:
@@ -40,7 +40,7 @@ spec:
     {{ end }}
       containers:
         - name: argus
-          securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{ include "lmutil.container-sec-context-nonroot" (list . "lmutil.custom-container-sec-context-nonroot") | nindent 12 }}
           image: {{ include "argus-image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy | default (.Values.global.image.pullPolicy | default "Always") }}
           {{ with .Values.resources }}

charts/argus/templates/openshift-scc.yaml

@@ -0,0 +1,3 @@
+{{ $saUsers := list (printf "%s:%s" (include "lmutil.release.namespace" .) (include "lmutil.serviceAccountName" .)) }}
+{{ $params := list . "lm-nonroot-v2-argus" $saUsers }}
+{{ include "lmutil.openshift-scc-nonroot-v2" $params }}

charts/argus/values.schema.json

@@ -838,7 +838,8 @@
       "default": {},
       "examples": [
         {
-          "disable": []
+          "disable": [],
+          "annotations": []
         }
       ],
       "required": [
@@ -860,6 +861,36 @@
             "type": "string"
           },
           "uniqueItems": true
+        },
+        "annotations": {
+          "$comment": "tf:optional,yamlencode",
+          "id": "#/properties/monitoring/properties/annotations",
+          "type": "object",
+          "title": "Annotations settings",
+          "description": "Annotation settings",
+          "default": [],
+          "examples": [
+            {
+              "ignore": []
+            }
+          ],
+          "properties": {
+            "ignore": {
+              "$comment": "tf:optional,yamlencode",
+              "id": "#/properties/monitoring/properties/annotations/ignore",
+              "title": "Ignored Annotations",
+              "description": "Annotations Rules to ignore them while update operation is being performed",
+              "type": "array",
+              "additionalItems": false,
+              "items": {
+                "$id": "#/properties/monitoring/properties/annotations/ignore/items",
+                "type": "string"
+              },
+              "uniqueItems": true
+            }
+          },
+          "additionalItems": false,
+          "items": true
         }
       },
       "additionalProperties": false

charts/argus/values.yaml

@@ -91,6 +91,9 @@ daemons:
 monitoring:
   # list of resources to disable monitoring
   disable: []
+  # annotations to be ignored while performing an update operation
+  annotations:
+    ignore: []
 lm:
   lmlogs:
     k8sevent:
@@ -182,10 +185,7 @@ collector:
       periodSeconds: 10
 
 imagePullSecrets: []
-podSecurityContext:
-  fsGroup: 65534
-  runAsGroup: 65534
-  runAsUser: 65534
+podSecurityContext: {}
 securityContext:
   capabilities:
     add: []