diff --git a/assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz b/assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz index 5706f8abdd..6e4ce52836 100644 Binary files a/assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz and b/assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz differ diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/Chart.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/Chart.yaml index 31c5f21199..e51e33010f 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/Chart.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/Chart.yaml @@ -6,7 +6,7 @@ annotations: catalog.rancher.io/namespace: cattle-monitoring-system catalog.rancher.io/release-name: rancher-kube-state-metrics apiVersion: v2 -appVersion: 2.6.0 +appVersion: 2.9.2 description: Install kube-state-metrics to generate and expose cluster-level metrics home: https://github.com/kubernetes/kube-state-metrics/ keywords: @@ -19,10 +19,10 @@ maintainers: name: tariq1890 - email: manuel@rueg.eu name: mrueg -- email: davidcalvertfr@gmail.com +- email: david@0xdc.me name: dotdc name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 4.18.0 +version: 5.8.1 diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/README.md b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/README.md index 7c2e16918f..843be89e69 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/README.md +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/README.md 
@@ -2,14 +2,15 @@ Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics). -## Get Repo Info - +## Get Repository Info + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart @@ -43,20 +44,19 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen You can upgrade in-place: -1. [get repo info](#get-repo-info) -1. [upgrade](#upgrading-chart) your existing release name using the new chart repo - +1. [get repository info](#get-repository-info) +1. [upgrade](#upgrading-chart) your existing release name using the new chart repository ## Upgrading to v3.0.0 v3.0.0 includes kube-state-metrics v2.0, see the [changelog](https://github.com/kubernetes/kube-state-metrics/blob/release-2.0/CHANGELOG.md) for major changes on the application-side. The upgraded chart now the following changes: + * Dropped support for helm v2 (helm v3 or later is required) * collectors key was renamed to resources * namespace key was renamed to namespaces - ## Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: 
@@ -65,4 +65,21 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h helm show values prometheus-community/kube-state-metrics ``` -You may also run `helm show values` on this chart's [dependencies](#dependencies) for additional options. +### kube-rbac-proxy + +You can enable `kube-state-metrics` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container per endpoint (metrics & telemetry). +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-state-metrics-read +rules: + - apiGroups: [ "" ] + resources: ["services/kube-state-metrics"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/NOTES.txt b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/NOTES.txt index 5a646e0cca..3589c24ec3 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/NOTES.txt +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/NOTES.txt 
@@ -8,3 +8,16 @@ In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-s They are served either as plaintext or protobuf depending on the Accept header. They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. +{{- if .Values.kubeRBACProxy.enabled}} + +kube-rbac-proxy endpoint protections is enabled: +- Metrics endpoints are now HTTPS +- Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions: +``` +rules: + - apiGroups: [ "" ] + resources: ["services/{{ template "kube-state-metrics.fullname" . }}"] + verbs: + - get +``` +{{- end }} diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/_helpers.tpl b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/_helpers.tpl index 4de75db2a9..0069b68152 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/_helpers.tpl +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/_helpers.tpl 
@@ -106,6 +106,80 @@ release: {{ .Release.Name }} Selector labels */}} {{- define "kube-state-metrics.selectorLabels" }} +{{- if .Values.selectorOverride }} +{{ toYaml .Values.selectorOverride }} +{{- else }} app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end -}} + +{{/* +Formats imagePullSecrets. Input is (dict "Values" .Values "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "kube-state-metrics.imagePullSecrets" -}} +{{- range (concat .Values.global.imagePullSecrets .imagePullSecrets) }} + {{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml . | trim }} + {{- else }} +- name: {{ . 
}} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +The image to use for kube-state-metrics +*/}} +{{- define "kube-state-metrics.image" -}} +{{- if .Values.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +The image to use for kubeRBACProxy +*/}} +{{- define "kubeRBACProxy.image" -}} +{{- if .Values.kubeRBACProxy.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- end }} +{{- end }} +{{- end }} 
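Review bot: The `kubeRBACProxy.image` helper at the end of this hunk formats `.Values.kubeRBACProxy.image.registry`, but the `kubeRBACProxy.image` block this commit adds to values.yaml defines only `repository`, `tag`, `sha` and `pullPolicy`, so with `global.imageRegistry` empty the image reference would render with a `%!s(<nil>)` registry prefix. Add `registry: docker.io` under `kubeRBACProxy.image` in values.yaml, or guard the helper with `default "docker.io" .Values.kubeRBACProxy.image.registry`. Both image helpers also stop consulting `system_default_registry`, which the image lines they replace in deployment.yaml used, so a cluster that relies on `global.cattle.systemDefaultRegistry` to pull from a private mirror would, as far as this diff shows, fall back to `docker.io`. The digest form changed too: the replaced template prepended `sha256:` itself, while the helper emits `@%s` verbatim, so existing `image.sha` overrides now need the algorithm prefix.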
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000000..025cd47a88
--- /dev/null
+++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ {{- if .Values.annotations }}
+ annotations:
+ {{ toYaml .Values.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "kube-state-metrics.labels" . | indent 4 }}
+ name: {{ template "kube-state-metrics.fullname" . }}
+ namespace: {{ template "kube-state-metrics.namespace" . }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "kube-state-metrics.selectorLabels" . | indent 6 }}
+ egress:
+ {{- if and .Values.networkPolicy.cilium .Values.networkPolicy.cilium.kubeApiServerSelector }}
+ {{ toYaml .Values.networkPolicy.cilium.kubeApiServerSelector | nindent 6 }}
+ {{- else }}
+ - toEntities:
+ - kube-apiserver
+ {{- end }}
+ ingress:
+ - toPorts:
+ - ports:
+ - port: {{ .Values.service.port | quote }}
+ protocol: TCP
+ {{- if .Values.selfMonitor.enabled }}
+ - port: {{ .Values.selfMonitor.telemetryPort | default 8081 | quote }}
+ protocol: TCP
+ {{ end }}
+{{ end }}
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/crs-configmap.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/crs-configmap.yaml
new file mode 100644
index 0000000000..72986a6077
--- /dev/null
+++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/crs-configmap.yaml
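Review bot: The `ingress` rule in ciliumnetworkpolicy.yaml carries only `toPorts` and no `fromEndpoints` or `fromEntities`, which in Cilium leaves the source side unrestricted, so the policy narrows the ports but not who may reach them. If the intent is to limit scraping to Prometheus, expose a values key for the peer selector and render it above `toPorts`, for example `fromEndpoints: {{ toYaml .Values.networkPolicy.cilium.ingressFrom | nindent 8 }}` (the key name is a suggestion, not an existing value). The two closing `{{ end }}` actions also lack the `-` trim markers used elsewhere in the file and will leave blank lines in the rendered manifest.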
@@ -0,0 +1,9 @@ +{{- if .Values.customResourceState.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config +data: + config.yaml: | + {{- toYaml .Values.customResourceState.config | nindent 4 }} +{{- end }} diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/deployment.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/deployment.yaml index a3c8f96b21..175375c45e 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/deployment.yaml @@ -40,6 +40,8 @@ spec: priorityClassName: {{ .Values.priorityClassName }} {{- end }} containers: + {{- $httpPort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} + {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} - name: {{ template "kube-state-metrics.name" . }} {{- if .Values.autosharding.enabled }} env: @@ -56,9 +58,7 @@ spec: {{- if .Values.extraArgs }} {{- .Values.extraArgs | toYaml | nindent 8 }} {{- end }} - {{- if .Values.service.port }} - - --port={{ .Values.service.port | default 8080}} - {{- end }} + - --port={{ $httpPort }} {{- if .Values.collectors }} - --resources={{ .Values.collectors | join "," }} {{- end }} 
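Review bot: The ConfigMap in crs-configmap.yaml sets no `metadata.namespace`, while the NetworkPolicy and VerticalPodAutoscaler templates added by this commit set `namespace: {{ template "kube-state-metrics.namespace" . }}`; rbac-configmap.yaml has the same gap. If the workload is rendered into the overridden namespace (its metadata is outside these hunks, so this is inferred), the pod cannot mount either ConfigMap when a namespace override is in use. Add `namespace: {{ template "kube-state-metrics.namespace" . }}` under `metadata` in both files.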
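Review bot: With `kubeRBACProxy.enabled`, `--port={{ $httpPort }}` in deployment.yaml moves kube-state-metrics to 9090, but no `--host` is added in the visible hunks, whereas the telemetry listener is pinned with `--telemetry-host=127.0.0.1`. The probes further down still use `httpGet` on `$httpPort`, which suggests the main listener stays bound on all interfaces, so a client that can reach the pod IP could read metrics on 9090 without passing through kube-rbac-proxy. Binding to loopback would break those probes, so at minimum document the limitation next to the `$httpPort` definition, e.g. `{{- /* 9090 stays reachable on the pod IP for kubelet probes; enable networkPolicy to restrict it */}}`, and mention in the README section that the proxy should be paired with the chart's NetworkPolicy.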
@@ -74,10 +74,17 @@ spec: {{- if .Values.metricDenylist }} - --metric-denylist={{ .Values.metricDenylist | join "," }} {{- end }} + {{- $namespaces := list }} + {{- if .Values.namespaces }} + {{- range $ns := join "," .Values.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end }} + {{- end }} {{- if .Values.releaseNamespace }} - - --namespaces={{ template "kube-state-metrics.namespace" . }} - {{- else if .Values.namespaces }} - - --namespaces={{ tpl (.Values.namespaces | join ",") $ }} + {{- $namespaces = append $namespaces ( include "kube-state-metrics.namespace" . ) }} + {{- end }} + {{- if $namespaces }} + - --namespaces={{ $namespaces | mustUniq | join "," }} {{- end }} {{- if .Values.namespacesDenylist }} - --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }} 
@@ -89,46 +96,57 @@ spec: {{- if .Values.kubeconfig.enabled }} - --kubeconfig=/opt/k8s/.kube/config {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - --telemetry-host=127.0.0.1 + - --telemetry-port={{ $telemetryPort }} + {{- else }} {{- if .Values.selfMonitor.telemetryHost }} - --telemetry-host={{ .Values.selfMonitor.telemetryHost }} {{- end }} {{- if .Values.selfMonitor.telemetryPort }} - - --telemetry-port={{ .Values.selfMonitor.telemetryPort | default 8081 }} + - --telemetry-port={{ $telemetryPort }} {{- end }} - {{- if or (.Values.kubeconfig.enabled) (.Values.volumeMounts) }} + {{- if .Values.customResourceState.enabled }} + - --custom-resource-state-config-file=/etc/customresourcestate/config.yaml + {{- end }} + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumeMounts) }} volumeMounts: {{- if .Values.kubeconfig.enabled }} - name: kubeconfig mountPath: /opt/k8s/.kube/ readOnly: true {{- end }} + {{- if .Values.customResourceState.enabled }} + - name: customresourcestate-config + mountPath: /etc/customresourcestate + readOnly: true + {{- end }} {{- if .Values.volumeMounts }} {{ toYaml .Values.volumeMounts | indent 8 }} {{- end }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.image.sha }} - image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}" - {{- else }} - image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- end }} + image: {{ include "kube-state-metrics.image" . 
}} + {{- if eq .Values.kubeRBACProxy.enabled false }} ports: - containerPort: {{ .Values.service.port | default 8080}} name: "http" {{- if .Values.selfMonitor.enabled }} - - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + - containerPort: {{ $telemetryPort }} name: "metrics" {{- end }} + {{- end }} livenessProbe: httpGet: path: /healthz - port: {{ .Values.service.port | default 8080}} + port: {{ $httpPort }} initialDelaySeconds: 5 timeoutSeconds: 5 readinessProbe: httpGet: path: / - port: {{ .Values.service.port | default 8080}} + port: {{ $httpPort }} initialDelaySeconds: 5 timeoutSeconds: 5 {{- if .Values.resources }} 
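Review bot: The `--custom-resource-state-config-file` argument is added inside the `{{- else }}` branch of `if .Values.kubeRBACProxy.enabled`, so it is emitted only when the proxy is disabled. With both `kubeRBACProxy.enabled` and `customResourceState.enabled` set, the ConfigMap is mounted at `/etc/customresourcestate` but kube-state-metrics is never told to read it. Move the `{{- if .Values.customResourceState.enabled }}` block below the `{{- end }}` that closes the proxy conditional.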
@@ -139,9 +157,87 @@ spec: securityContext: {{ toYaml .Values.containerSecurityContext | indent 10 }} {{- end }} -{{- if .Values.imagePullSecrets }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy-http + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.service.port | default 8080}} + - --upstream=http://127.0.0.1:{{ $httpPort }}/ + - --proxy-endpoints-port=8888 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . }} + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + - containerPort: 8888 + name: "http-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: 8888 + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} +{{- end }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} +{{- end }} + {{- if .Values.selfMonitor.enabled }} + - name: kube-rbac-proxy-telemetry + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.selfMonitor.telemetryPort | default 8081 }} + - --upstream=http://127.0.0.1:{{ $telemetryPort }}/ + - --proxy-endpoints-port=8889 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . }} + ports: + - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + name: "metrics" + - containerPort: 8889 + name: "metrics-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: 8889 + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} +{{- end }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} +{{- end }} + {{- end }} + {{- end }} +{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} {{- end }} {{- if .Values.affinity }} affinity: @@ -159,13 +255,23 @@ spec: topologySpreadConstraints: {{ toYaml .Values.topologySpreadConstraints | indent 8 }} {{- end }} - {{- if or (.Values.kubeconfig.enabled) (.Values.volumes) }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumes) (.Values.kubeRBACProxy.enabled) }} volumes: {{- if .Values.kubeconfig.enabled}} - name: kubeconfig secret: secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig {{- end }} + {{- if .Values.kubeRBACProxy.enabled}} + - name: kube-rbac-proxy-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config + {{- end }} + {{- if .Values.customResourceState.enabled}} + - name: customresourcestate-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + {{- end }} {{- if .Values.volumes }} {{ toYaml .Values.volumes | indent 8 }} {{- end }} 
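Review bot: Neither proxy container is given `--tls-cert-file` or `--tls-private-key-file`, and the only fixed volume is the config ConfigMap, so unless certificates are supplied through `kubeRBACProxy.extraArgs` and `kubeRBACProxy.volumeMounts` the proxy will presumably serve a certificate it generates at start-up. Scrapers can then connect only with verification disabled, which weakens the HTTPS that NOTES.txt advertises. Document this next to `kubeRBACProxy.volumeMounts` in values.yaml, including that the mounted names must also exist under the pod-level `volumes`, and state which `tlsConfig` the ServiceMonitor needs in each case. The sidecars also define only a `readinessProbe`; a matching `livenessProbe` on the same `healthz` port would let the kubelet restart a wedged proxy.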
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/networkpolicy.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..309b38ec54
--- /dev/null
+++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/networkpolicy.yaml
@@ -0,0 +1,43 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "kubernetes") }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ {{- if .Values.annotations }}
+ annotations:
+ {{ toYaml .Values.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "kube-state-metrics.labels" . | indent 4 }}
+ name: {{ template "kube-state-metrics.fullname" . }}
+ namespace: {{ template "kube-state-metrics.namespace" . }}
+spec:
+ {{- if .Values.networkPolicy.egress }}
+ ## Deny all egress by default
+ egress:
+ {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+ {{- end }}
+ ingress:
+ {{- if .Values.networkPolicy.ingress }}
+ {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+ {{- else }}
+ ## Allow ingress on default ports by default
+ - ports:
+ - port: {{ .Values.service.port | default 8080 }}
+ protocol: TCP
+ {{- if .Values.selfMonitor.enabled }}
+ {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}}
+ - port: {{ $telemetryPort }}
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ podSelector:
+ {{- if .Values.networkPolicy.podSelector }}
+ {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+ {{- else }}
+ matchLabels:
+ {{- include "kube-state-metrics.selectorLabels" . | indent 6 }}
+ {{- end }}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
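Review bot: The default ingress rule opens the wrong telemetry port when kube-rbac-proxy is enabled: `$telemetryPort` resolves to 9091, which deployment.yaml binds to `127.0.0.1` behind the proxy, while the proxy itself listens on `.Values.selfMonitor.telemetryPort | default 8081`. Scrapes of the `metrics` port would be dropped by the policy in that configuration; use `- port: {{ .Values.selfMonitor.telemetryPort | default 8081 }}`, as the Cilium template does. Note also that `policyTypes` always lists `Egress` while the `egress` block is rendered only when `networkPolicy.egress` is set, so enabling the policy without egress rules cuts kube-state-metrics off from the API server; the `## Deny all egress by default` comment should say that an API-server egress rule is required.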
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/podsecuritypolicy.yaml index 72872cf893..c242601ab9 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/podsecuritypolicy.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.global.cattle.psp.enabled }} +{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrole.yaml index 9814623c55..eccc433145 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrole.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.global.cattle.psp.enabled .Values.rbac.create -}} +{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml index 60f8a72d95..7e4339a0d5 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml 
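Review bot: In psp-clusterrole.yaml the guard changes from `and .Values.global.cattle.psp.enabled .Values.rbac.create` to an `or`, so the ClusterRole is now rendered whenever `global.cattle.psp.enabled` is true even if `rbac.create` is false; psp-clusterrolebinding.yaml gets the same condition. Operators who set `rbac.create: false` to manage RBAC themselves would receive cluster-scoped RBAC objects they did not ask for. Keep `rbac.create` as the outer requirement: `{{- if and .Values.rbac.create (or .Values.global.cattle.psp.enabled (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }}`.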
+++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.global.cattle.psp.enabled .Values.rbac.create -}} +{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rbac-configmap.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rbac-configmap.yaml new file mode 100644 index 0000000000..812c13b875 --- /dev/null +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rbac-configmap.yaml @@ -0,0 +1,15 @@ +{{- if .Values.kubeRBACProxy.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: {{ template "kube-state-metrics.namespace" . }} + apiVersion: v1 + resource: services + subresource: {{ template "kube-state-metrics.fullname" . }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/role.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/role.yaml index 5fbd43c6f9..0170878376 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/role.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/role.yaml 
@@ -2,7 +2,7 @@ {{- fail "Collectors need to be a List since kube-state-metrics chart 3.2.2. Please check README for more information."}} {{- end }} {{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} -{{- range (ternary (split "," .Values.namespaces) (list "") (eq $.Values.rbac.useClusterRole false)) }} +{{- range (ternary (join "," .Values.namespaces | split "," ) (list "") (eq $.Values.rbac.useClusterRole false)) }} --- apiVersion: rbac.authorization.k8s.io/v1 {{- if eq $.Values.rbac.useClusterRole false }} @@ -54,6 +54,12 @@ rules: - endpoints verbs: ["list", "watch"] {{ end -}} +{{ if has "endpointslices" $.Values.collectors }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: ["list", "watch"] +{{ end -}} {{ if has "horizontalpodautoscalers" $.Values.collectors }} - apiGroups: ["autoscaling"] resources: @@ -72,6 +78,12 @@ rules: - jobs verbs: ["list", "watch"] {{ end -}} +{{ if has "leases" $.Values.collectors }} +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["list", "watch"] +{{ end -}} {{ if has "limitranges" $.Values.collectors }} - apiGroups: [""] resources: @@ -180,12 +192,22 @@ rules: - volumeattachments verbs: ["list", "watch"] {{ end -}} -{{ if has "verticalpodautoscalers" $.Values.collectors }} -- apiGroups: ["autoscaling.k8s.io"] +{{- if $.Values.kubeRBACProxy.enabled }} +- apiGroups: ["authentication.k8s.io"] resources: - - verticalpodautoscalers + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] +{{- end }} +{{- if $.Values.customResourceState.enabled }} +- apiGroups: ["apiextensions.k8s.io"] + resources: + - customresourcedefinitions verbs: ["list", "watch"] -{{ end -}} +{{- end }} {{ if $.Values.rbac.extraRules }} {{ toYaml $.Values.rbac.extraRules }} {{ end }} 
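Review bot: The `tokenreviews` and `subjectaccessreviews` rules added for kube-rbac-proxy in the last role.yaml hunk are emitted into whichever object this template renders, including the namespaced `Role` produced when `rbac.useClusterRole` is false. Both are cluster-scoped APIs that a `Role` cannot grant, so in that mode the proxy would be unable to authenticate or authorize callers and every scrape would be rejected; the `customresourcedefinitions` rule has the same limitation. Fail fast at render time, e.g. `{{- if and .Values.kubeRBACProxy.enabled (eq .Values.rbac.useClusterRole false) }}{{ fail "kubeRBACProxy.enabled requires rbac.useClusterRole=true" }}{{- end }}`, or render these rules in a separate ClusterRole.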
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rolebinding.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rolebinding.yaml index 135094f7bc..330651b73f 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rolebinding.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/rolebinding.yaml @@ -1,5 +1,5 @@ {{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} -{{- range (split "," $.Values.namespaces) }} +{{- range (join "," $.Values.namespaces) | split "," }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/service.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/service.yaml index 92c6d4fcad..6c486a662a 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/service.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/service.yaml @@ -34,7 +34,15 @@ spec: {{- if .Values.service.loadBalancerIP }} loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" {{- end }} -{{- if .Values.service.clusterIP }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} +{{- if .Values.autosharding.enabled }} + clusterIP: None +{{- else if .Values.service.clusterIP }} clusterIP: "{{ .Values.service.clusterIP }}" {{- end }} selector: diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/serviceaccount.yaml index e1229eb95e..a7ff4dd3d7 100644 
--- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/serviceaccount.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/serviceaccount.yaml @@ -11,5 +11,5 @@ metadata: {{ toYaml .Values.serviceAccount.annotations | indent 4 }} {{- end }} imagePullSecrets: -{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} + {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }} {{- end -}} diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/servicemonitor.yaml index 13c78204eb..58619127bf 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/servicemonitor.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/servicemonitor.yaml 
@@ -9,13 +9,26 @@ metadata: {{- with .Values.prometheus.monitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.prometheus.monitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- with .Values.prometheus.monitor.targetLabels }} + targetLabels: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.monitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }} selector: matchLabels: - {{- if .Values.prometheus.monitor.selectorOverride -}} - {{ toYaml .Values.prometheus.monitor.selectorOverride | nindent 6 }} - {{ else }} + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} {{- end }} endpoints: @@ -57,6 +70,13 @@ spec: tlsConfig: {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} {{- end }} + {{- if .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with .Values.prometheus.monitor.bearerTokenSecret }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.selfMonitor.enabled }} - port: metrics {{- if .Values.prometheus.monitor.interval }} @@ -82,5 +102,12 @@ spec: tlsConfig: {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} {{- end }} + {{- if .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with .Values.prometheus.monitor.bearerTokenSecret }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- end }} 
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml
new file mode 100644
index 0000000000..5facc37b4d
--- /dev/null
+++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml
@@ -0,0 +1,38 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ template "kube-state-metrics.fullname" . }}
+ namespace: {{ template "kube-state-metrics.namespace" . }}
+ labels:
+ {{- include "kube-state-metrics.labels" . | indent 4 }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: {{ template "kube-state-metrics.name" . }}
+ {{- if .Values.verticalPodAutoscaler.controlledResources }}
+ controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }}
+ {{- end }}
+ {{- if .Values.verticalPodAutoscaler.maxAllowed }}
+ maxAllowed:
+ {{ toYaml .Values.verticalPodAutoscaler.maxAllowed | nindent 8 }}
+ {{- end }}
+ {{- if .Values.verticalPodAutoscaler.minAllowed }}
+ minAllowed:
+ {{ toYaml .Values.verticalPodAutoscaler.minAllowed | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: apps/v1
+ {{- if .Values.autosharding.enabled }}
+ kind: StatefulSet
+ {{- else }}
+ kind: Deployment
+ {{- end }}
+ name: {{ template "kube-state-metrics.fullname" . }}
+ {{- if .Values.verticalPodAutoscaler.updatePolicy }}
+ updatePolicy:
+ {{- if .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
+ updateMode: {{ .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
+ {{- end }}
+ {{- end }}
+{{- end }}
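Review bot: `controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }}` prints the value with Go's default formatting, so a list such as `[cpu, memory]` would render as `[cpu memory]`, which YAML reads as a single string element. Serialize it explicitly: `controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources | toJson }}`. The policy also names only the kube-state-metrics container, so the kube-rbac-proxy sidecars added in deployment.yaml fall under the autoscaler's default handling rather than the `minAllowed`/`maxAllowed` bounds set here; a comment above `containerPolicies` should say whether that is intended.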
diff --git a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/values.yaml b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/values.yaml index d96131a035..d349e4ba4c 100644 --- a/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/values.yaml +++ b/charts/rancher-monitoring/103.0.0+up40.1.2/charts/kube-state-metrics/values.yaml @@ -1,12 +1,7 @@ -global: - cattle: - psp: - enabled: false - systemDefaultRegistry: "" - # Default values for kube-state-metrics. prometheusScrape: true image: + registry: docker.io repository: rancher/mirrored-kube-state-metrics-kube-state-metrics tag: v2.6.0 sha: "" @@ -15,6 +10,28 @@ image: imagePullSecrets: [] # - name: "image-pull-secret" +global: + cattle: + psp: + enabled: false + systemDefaultRegistry: "" + + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + # + # Allow parent charts to override registry hostname + imageRegistry: "" + # If set to true, this will deploy kube-state-metrics as a StatefulSet and the data # will be automatically sharded across <.Values.replicas> pods using the built-in # autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding @@ -35,6 +52,8 @@ service: type: ClusterIP nodePort: 0 loadBalancerIP: "" + # Only allow access to the loadBalancerIP from these IPs + loadBalancerSourceRanges: [] clusterIP: "" annotations: {} @@ -42,6 +61,9 @@ service: customLabels: {} # app: kube-state-metrics +## Override selector labels +selectorOverride: {} + ## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box releaseLabel: false 
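Review bot: `image.tag` stays at `v2.6.0` as a context line in the first values.yaml hunk while Chart.yaml moves `appVersion` to 2.9.2, so the pinned tag wins over the `v%s .Chart.AppVersion` default in the `kube-state-metrics.image` helper and, unless the parent chart overrides it, the deployed binary does not change. The role.yaml changes in this commit (dropping `verticalpodautoscalers`, adding `endpointslices` and `leases`) assume the newer collector set, and any fixes between the two releases are not picked up. Bump `tag` to the mirrored image that corresponds to the new `appVersion`, or leave it empty so the helper's default applies. The new `registry: docker.io` key also replaces the `system_default_registry` prefix for this image, which should be called out in a comment beside `global.cattle.systemDefaultRegistry`.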
@@ -64,6 +86,45 @@ rbac: # verbs: ["list", "watch"] extraRules: [] +# Configure kube-rbac-proxy. When enabled, creates one kube-rbac-proxy container per exposed HTTP endpoint (metrics and telemetry if enabled). +# The requests are served through the same service but requests are then HTTPS. +kubeRBACProxy: + enabled: false + image: + repository: rancher/mirrored-kube-rbac-proxy + tag: v0.14.0 + sha: "" + pullPolicy: IfNotPresent + + # List of additional cli arguments to configure kube-rbac-prxy + # for example: --tls-cipher-suites, --log-file, etc. + # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage + extraArgs: [] + + ## Specify security settings for a Container + ## Allows overrides and additional options compared to (Pod) securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## volumeMounts enables mounting custom volumes in rbac-proxy containers + ## Useful for TLS certificates and keys + volumeMounts: [] + # - mountPath: /etc/tls + # name: kube-rbac-proxy-tls + # readOnly: true + serviceAccount: # Specifies whether a ServiceAccount should be created, require rbac true create: true 
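Review bot: `kubeRBACProxy.containerSecurityContext` defaults to `{}`, while the same commit gives the main container `allowPrivilegeEscalation: false` and a `capabilities.drop` of `ALL` (the `containerSecurityContext` hunk further down in values.yaml), so enabling the proxy adds a sidecar with weaker defaults than the container it fronts. I would give the proxy the same defaults, as below, assuming it needs no added capabilities for the ports it listens on. The comment above `extraArgs` also misspells the component as `kube-rbac-prxy`.

```yaml
kubeRBACProxy:
  # … unchanged: enabled, image, extraArgs …
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # … unchanged: resources, volumeMounts …
```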
@@ -81,10 +142,32 @@ serviceAccount: prometheus: monitor: enabled: false + annotations: {} additionalLabels: {} namespace: "" jobLabel: "" + targetLabels: [] + podTargetLabels: [] interval: "" + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 scrapeTimeout: "" proxyUrl: "" selectorOverride: {} @@ -92,6 +175,14 @@ prometheus: metricRelabelings: [] relabelings: [] scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name tlsConfig: {} ## Specify if a Pod Security Policy for kube-state-metrics must be created 
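Review bot: The five new scrape limits under `prometheus.monitor` (`sampleLimit`, `targetLimit`, `labelLimit`, `labelNameLengthLimit`, `labelValueLengthLimit`) all default to `0`, and none of their comments say what `0` means. In Prometheus a limit of 0 means no limit, so these defaults leave the scrape unbounded; I would add `## 0 means no limit.` to each comment block so a reader does not take the default for a restriction. The second hunk's `bearerTokenFile` and `bearerTokenSecret` could also say whether they are expected to be set together with `kubeRBACProxy.enabled`, which the visible comments leave open.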
@@ -110,17 +201,46 @@ podSecurityPolicy: additionalVolumes: [] +## Configure network policy for kube-state-metrics +networkPolicy: + enabled: false + # networkPolicy.flavor -- Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + ## Configure the cilium network policy kube-apiserver selector + # cilium: + # kubeApiServerSelector: + # - toEntities: + # - kube-apiserver + + # egress: + # - {} + # ingress: + # - {} + # podSelector: + # matchLabels: + # app.kubernetes.io/name: kube-state-metrics + securityContext: enabled: true - runAsNonRoot: true runAsGroup: 65534 runAsUser: 65534 fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## Specify security settings for a Container ## Allows overrides and additional options compared to (Pod) securityContext ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -containerSecurityContext: {} +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ @@ -190,6 +310,7 @@ collectors: - horizontalpodautoscalers - ingresses - jobs + - leases - limitranges - mutatingwebhookconfigurations - namespaces @@ -208,7 +329,6 @@ collectors: - storageclasses - validatingwebhookconfigurations - volumeattachments - # - verticalpodautoscalers # not a default resource, see also: https://github.com/kubernetes/kube-state-metrics#enabling-verticalpodautoscalers # Enabling kubeconfig will pass the --kubeconfig argument to the container kubeconfig: 
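Review bot: The commented `egress: - {}` and `ingress: - {}` examples under `networkPolicy` are allow-all rules, so a user who enables the policy and uncomments them as written gets no restriction; a comment such as `# NOTE: "- {}" matches all traffic; replace it with explicit peers and ports` would make that clear. Separately, the new `containerSecurityContext` default blocks privilege escalation and drops all capabilities but leaves the root filesystem writable; adding `readOnlyRootFilesystem: true` would complete it, assuming the container writes nothing outside mounted volumes.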
@@ -216,11 +336,17 @@ kubeconfig: # base64 encoded kube-config file secret: +# Enabling support for customResourceState, will create a configMap including your config that will be read from kube-state-metrics +customResourceState: + enabled: false + # Add (Cluster)Role permissions to list/watch the customResources defined in the config to rbac.extraRules + config: {} + # Enable only the release namespace for collecting resources. By default all namespaces are collected. -# If releaseNamespace and namespaces are both set only releaseNamespace will be used. +# If releaseNamespace and namespaces are both set a merged list will be collected. releaseNamespace: false -# Comma-separated list of namespaces to be enabled for collecting resources. By default all namespaces are collected. +# Comma-separated list(string) or yaml list of namespaces to be enabled for collecting resources. By default all namespaces are collected. namespaces: "" # Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set, @@ -257,6 +383,26 @@ selfMonitor: # telemetryPort: 8081 # telemetryNodePort: 0 +# Enable vertical pod autoscaler support for kube-state-metrics +verticalPodAutoscaler: + enabled: false + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto + # volumeMounts are used to add custom volume mounts to deployment. # See example below volumeMounts: [] diff --git a/index.yaml b/index.yaml index fe9b09df3c..d122b0b778 100755 
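Review bot: In the `customResourceState` block the comment `# Add (Cluster)Role permissions to list/watch the customResources defined in the config to rbac.extraRules` sits directly above `config: {}` and reads as a description of that key, when it is an instruction to the operator. I would reword it to `# config holds the custom resource state configuration; also add rules to rbac.extraRules for the resources it names, limited to the list and watch verbs`, which matches the `verbs: ["list", "watch"]` example already shown under `rbac`. The same hunk changes the `releaseNamespace` comment to say a merged list is collected when `namespaces` is also set; since that widens what is collected compared with the old wording, it deserves a line in the upgrade notes.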
--- a/index.yaml +++ b/index.yaml @@ -11746,7 +11746,7 @@ entries: catalog.cattle.io/upstream-version: 19.0.3 apiVersion: v2 appVersion: 0.59.1 - created: "2023-07-11T16:08:44.299055553-04:00" + created: "2023-09-22T14:33:36.77069096-04:00" dependencies: - condition: grafana.enabled name: grafana 
@@ -11817,7 +11817,271 @@ entries: description: Collects several related Helm charts, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. - digest: 76a9b059e6f830e41ca8223d459e89b92860d6cee28c7d3dd39fb99db54d1d10 + digest: 37a837a1091ea9c1a59ec1ce2d039d61b267a1225693c0f1c1bc82a80611a1e0 + home: https://github.com/prometheus-operator/kube-prometheus + icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png + keywords: + - operator + - prometheus + - kube-prometheus + - monitoring + kubeVersion: '>=1.16.0-0' + maintainers: + - email: andrew@quadcorps.co.uk + name: andrewgkew + - email: cedric@desaintmartin.fr + name: desaintmartin + - email: gianrubio@gmail.com + name: gianrubio + - email: github.gkarthiks@gmail.com + name: gkarthiks + - email: kube-prometheus-stack@sisti.pt + name: GMartinez-Sisti + - email: scott@r6by.com + name: scottrigby + - email: miroslav.hadzhiev@gmail.com + name: Xtigyro + - email: arvind.iyengar@suse.com + name: Arvind + - email: amangeet.samra@suse.com + name: Geet + url: https://github.com/geethub97 + name: rancher-monitoring + sources: + - https://github.com/prometheus-community/helm-charts + - https://github.com/prometheus-operator/kube-prometheus + type: application + urls: + - assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz + version: 103.0.0+up40.1.2 + - annotations: + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts + - name: Upstream Project + url: https://github.com/prometheus-operator/kube-prometheus + artifacthub.io/operator: "true" + catalog.cattle.io/auto-install: rancher-monitoring-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/deploys-on-os: windows + catalog.cattle.io/display-name: Monitoring + catalog.cattle.io/kube-version: 
'>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-monitoring-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: monitoring.coreos.com.prometheus/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-monitoring + catalog.cattle.io/requests-cpu: 4500m + catalog.cattle.io/requests-memory: 4000Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: monitoring + catalog.cattle.io/upstream-version: 19.0.3 + apiVersion: v2 + appVersion: 0.59.1 + created: "2023-09-22T14:31:48.708009243-04:00" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + - condition: hardenedKubelet.enabled + name: hardenedKubelet + repository: file://./charts/hardenedKubelet + - condition: hardenedNodeExporter.enabled + name: hardenedNodeExporter + repository: file://./charts/hardenedNodeExporter + - condition: k3sServer.enabled + name: k3sServer + repository: file://./charts/k3sServer + - condition: kubeStateMetrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + - condition: kubeAdmControllerManager.enabled + name: kubeAdmControllerManager + repository: file://./charts/kubeAdmControllerManager + - condition: kubeAdmEtcd.enabled + name: kubeAdmEtcd + repository: file://./charts/kubeAdmEtcd + - condition: kubeAdmProxy.enabled + name: kubeAdmProxy + repository: file://./charts/kubeAdmProxy + - condition: kubeAdmScheduler.enabled + name: kubeAdmScheduler + repository: file://./charts/kubeAdmScheduler + - condition: prometheus-adapter.enabled + name: prometheus-adapter + repository: file://./charts/prometheus-adapter + - condition: nodeExporter.enabled + name: prometheus-node-exporter + repository: file://./charts/prometheus-node-exporter + - condition: rke2ControllerManager.enabled + name: rke2ControllerManager + repository: file://./charts/rke2ControllerManager + - condition: rke2Etcd.enabled + 
name: rke2Etcd + repository: file://./charts/rke2Etcd + - condition: rke2IngressNginx.enabled + name: rke2IngressNginx + repository: file://./charts/rke2IngressNginx + - condition: rke2Proxy.enabled + name: rke2Proxy + repository: file://./charts/rke2Proxy + - condition: rke2Scheduler.enabled + name: rke2Scheduler + repository: file://./charts/rke2Scheduler + - condition: rkeControllerManager.enabled + name: rkeControllerManager + repository: file://./charts/rkeControllerManager + - condition: rkeEtcd.enabled + name: rkeEtcd + repository: file://./charts/rkeEtcd + - condition: rkeIngressNginx.enabled + name: rkeIngressNginx + repository: file://./charts/rkeIngressNginx + - condition: rkeProxy.enabled + name: rkeProxy + repository: file://./charts/rkeProxy + - condition: rkeScheduler.enabled + name: rkeScheduler + repository: file://./charts/rkeScheduler + - condition: global.cattle.windows.enabled + name: windowsExporter + repository: file://./charts/windowsExporter + description: Collects several related Helm charts, Grafana dashboards, and Prometheus + rules combined with documentation and scripts to provide easy to operate end-to-end + Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. 
+ digest: 5ea30bcd8f77b030ea0d37dfdf5a7798577c7613e615c964eb0671fba690b516 + home: https://github.com/prometheus-operator/kube-prometheus + icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png + keywords: + - operator + - prometheus + - kube-prometheus + - monitoring + kubeVersion: '>=1.16.0-0' + maintainers: + - email: andrew@quadcorps.co.uk + name: andrewgkew + - email: cedric@desaintmartin.fr + name: desaintmartin + - email: gianrubio@gmail.com + name: gianrubio + - email: github.gkarthiks@gmail.com + name: gkarthiks + - email: kube-prometheus-stack@sisti.pt + name: GMartinez-Sisti + - email: scott@r6by.com + name: scottrigby + - email: miroslav.hadzhiev@gmail.com + name: Xtigyro + - email: arvind.iyengar@suse.com + name: Arvind + - email: amangeet.samra@suse.com + name: Geet + url: https://github.com/geethub97 + name: rancher-monitoring + sources: + - https://github.com/prometheus-community/helm-charts + - https://github.com/prometheus-operator/kube-prometheus + type: application + urls: + - assets/rancher-monitoring/rancher-monitoring-102.0.2+up40.1.2.tgz + version: 102.0.2+up40.1.2 + - annotations: + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts + - name: Upstream Project + url: https://github.com/prometheus-operator/kube-prometheus + artifacthub.io/operator: "true" + catalog.cattle.io/auto-install: rancher-monitoring-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/deploys-on-os: windows + catalog.cattle.io/display-name: Monitoring + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-monitoring-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: monitoring.coreos.com.prometheus/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-monitoring + catalog.cattle.io/requests-cpu: 4500m + 
catalog.cattle.io/requests-memory: 4000Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: monitoring + catalog.cattle.io/upstream-version: 19.0.3 + apiVersion: v2 + appVersion: 0.59.1 + created: "2023-09-22T14:31:48.680943567-04:00" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + - condition: hardenedKubelet.enabled + name: hardenedKubelet + repository: file://./charts/hardenedKubelet + - condition: hardenedNodeExporter.enabled + name: hardenedNodeExporter + repository: file://./charts/hardenedNodeExporter + - condition: k3sServer.enabled + name: k3sServer + repository: file://./charts/k3sServer + - condition: kubeStateMetrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + - condition: kubeAdmControllerManager.enabled + name: kubeAdmControllerManager + repository: file://./charts/kubeAdmControllerManager + - condition: kubeAdmEtcd.enabled + name: kubeAdmEtcd + repository: file://./charts/kubeAdmEtcd + - condition: kubeAdmProxy.enabled + name: kubeAdmProxy + repository: file://./charts/kubeAdmProxy + - condition: kubeAdmScheduler.enabled + name: kubeAdmScheduler + repository: file://./charts/kubeAdmScheduler + - condition: prometheus-adapter.enabled + name: prometheus-adapter + repository: file://./charts/prometheus-adapter + - condition: nodeExporter.enabled + name: prometheus-node-exporter + repository: file://./charts/prometheus-node-exporter + - condition: rke2ControllerManager.enabled + name: rke2ControllerManager + repository: file://./charts/rke2ControllerManager + - condition: rke2Etcd.enabled + name: rke2Etcd + repository: file://./charts/rke2Etcd + - condition: rke2IngressNginx.enabled + name: rke2IngressNginx + repository: file://./charts/rke2IngressNginx + - condition: rke2Proxy.enabled + name: rke2Proxy + repository: file://./charts/rke2Proxy + - condition: rke2Scheduler.enabled + name: rke2Scheduler + repository: 
file://./charts/rke2Scheduler + - condition: rkeControllerManager.enabled + name: rkeControllerManager + repository: file://./charts/rkeControllerManager + - condition: rkeEtcd.enabled + name: rkeEtcd + repository: file://./charts/rkeEtcd + - condition: rkeIngressNginx.enabled + name: rkeIngressNginx + repository: file://./charts/rkeIngressNginx + - condition: rkeProxy.enabled + name: rkeProxy + repository: file://./charts/rkeProxy + - condition: rkeScheduler.enabled + name: rkeScheduler + repository: file://./charts/rkeScheduler + - condition: global.cattle.windows.enabled + name: windowsExporter + repository: file://./charts/windowsExporter + description: Collects several related Helm charts, Grafana dashboards, and Prometheus + rules combined with documentation and scripts to provide easy to operate end-to-end + Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. + digest: affcd74e7d8064c7868d3089805b03448e74b99fd71016c6967bd838bc96695f home: https://github.com/prometheus-operator/kube-prometheus icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png keywords: diff --git a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/podsecuritypolicy.yaml.patch b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/podsecuritypolicy.yaml.patch index eecde98956..00e269f864 100644 --- a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/podsecuritypolicy.yaml.patch +++ b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/podsecuritypolicy.yaml.patch @@ -2,7 +2,7 @@ +++ charts/templates/podsecuritypolicy.yaml 
@@ -1,4 +1,4 @@ -{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -+{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} ++{{- if and .Values.rbac.create (and (or .Values.global.cattle.psp.enabled .Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrole.yaml.patch b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrole.yaml.patch index 0ae3456a74..7791a6f673 100644 --- a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrole.yaml.patch +++ b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrole.yaml.patch @@ -2,7 +2,7 @@ +++ charts/templates/psp-clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -+{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} ++{{- if and .Values.rbac.create (and (or .Values.global.cattle.psp.enabled .Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
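Review bot: The new condition in podsecuritypolicy.yaml.patch makes the PodSecurityPolicy object itself depend on `.Values.rbac.create`, although the upstream line it replaces (the inner `-` line) checks only `podSecurityPolicy.enabled` and the API capability. Gating the ClusterRole and ClusterRoleBinding in psp-clusterrole.yaml.patch and psp-clusterrolebinding.yaml.patch on `rbac.create` is easy to justify, but with `rbac.create: false` and `global.cattle.psp.enabled: true` no policy is rendered at all, so on a cluster that still enforces PSP admission the pod is presumably admitted under whatever other policy its service account can use, or rejected. If that is intended, a template comment on the first line saying so would help; if not, the PSP template could use `{{- if and (or .Values.global.cattle.psp.enabled .Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. All three templates continue past these hunks.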
diff --git a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrolebinding.yaml.patch b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrolebinding.yaml.patch index 2aefe17083..8dab6fd4e4 100644 --- a/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrolebinding.yaml.patch +++ b/packages/rancher-monitoring/rancher-kube-state-metrics/generated-changes/patch/templates/psp-clusterrolebinding.yaml.patch @@ -2,7 +2,7 @@ +++ charts/templates/psp-clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -+{{- if or .Values.global.cattle.psp.enabled (and .Values.rbac.create (and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"))) }} ++{{- if and .Values.rbac.create (and (or .Values.global.cattle.psp.enabled .Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: