From 738cea62602f7ace0c166470b497e3e70a6234ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Mon, 20 Nov 2023 16:28:25 +0100 Subject: [PATCH 1/7] [kube-prometheus-stack] Allow run Prometheus Operator Webhook receiver separately MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- charts/kube-prometheus-stack/Chart.yaml | 2 +- ...04-prometheus-operator-webhook-values.yaml | 4 + .../templates/_helpers.tpl | 9 + .../deployment/deployment.yaml | 114 +++++++++++ .../deployment/service.yaml | 58 ++++++ .../deployment/serviceaccount.yaml | 17 ++ .../job-patch/job-createSecret.yaml | 2 +- .../mutatingWebhookConfiguration.yaml | 2 +- .../prometheus-operator/certmanager.yaml | 5 + charts/kube-prometheus-stack/values.yaml | 181 ++++++++++++++++++ 10 files changed, 391 insertions(+), 3 deletions(-) create mode 100644 charts/kube-prometheus-stack/ci/04-prometheus-operator-webhook-values.yaml create mode 100644 charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml create mode 100644 charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/service.yaml create mode 100644 charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/serviceaccount.yaml diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml index 5233e847fe08..d367c59621c2 100644 --- a/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kube-prometheus-stack/Chart.yaml @@ -21,7 +21,7 @@ name: kube-prometheus-stack sources: - https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-operator/kube-prometheus -version: 54.1.0 +version: 54.2.0 appVersion: v0.69.1 kubeVersion: ">=1.19.0-0" home: https://github.com/prometheus-operator/kube-prometheus 
diff --git a/charts/kube-prometheus-stack/ci/04-prometheus-operator-webhook-values.yaml b/charts/kube-prometheus-stack/ci/04-prometheus-operator-webhook-values.yaml new file mode 100644 index 000000000000..7482b3128d1c --- /dev/null +++ b/charts/kube-prometheus-stack/ci/04-prometheus-operator-webhook-values.yaml @@ -0,0 +1,4 @@ +prometheusOperator: + admissionWebhooks: + deployment: + enabled: true diff --git a/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kube-prometheus-stack/templates/_helpers.tpl index 9e3e4d6779e3..fb7f5471258a 100644 --- a/charts/kube-prometheus-stack/templates/_helpers.tpl +++ b/charts/kube-prometheus-stack/templates/_helpers.tpl @@ -91,6 +91,15 @@ heritage: {{ $.Release.Service | quote }} {{- end -}} {{- end -}} +{{/* Create the name of kube-prometheus-stack service account to use */}} +{{- define "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" -}} +{{- if .Values.prometheusOperator.serviceAccount.create -}} + {{ default (printf "%s-webhook" (include "kube-prometheus-stack.operator.fullname" .)) .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create the name of prometheus service account to use */}} {{- define "kube-prometheus-stack.prometheus.serviceAccountName" -}} {{- if .Values.prometheus.serviceAccount.create -}} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml new file mode 100644 index 000000000000..fbb4da3e0d8f --- /dev/null +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml 
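Review bot: The new `kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName` helper chooses between a generated name and `default` on `.Values.prometheusOperator.serviceAccount.create`, the operator's flag, while values.yaml in this same patch declares a separate `admissionWebhooks.deployment.serviceAccount.create`; the helper should read its own flag, `{{- if .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.create -}}`. The header comment is copied from the operator helper and describes the wrong account; `{{/* Create the name of the prometheus-operator admission webhook service account to use */}}` says what this one does.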
@@ -0,0 +1,114 @@ +{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-operator-webhook + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook +{{ include "kube-prometheus-stack.labels" . | indent 4 }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.labels }} +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.labels | indent 4 }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.annotations }} + annotations: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.annotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.prometheusOperator.admissionWebhooks.deployment.replicas }} + revisionHistoryLimit: {{ .Values.prometheusOperator.admissionWebhooks.deployment.revisionHistoryLimit }} + selector: + matchLabels: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook + release: {{ $.Release.Name | quote }} + template: + metadata: + labels: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook +{{ include "kube-prometheus-stack.labels" . 
| indent 8 }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podLabels }} +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podLabels | indent 8 }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations }} + annotations: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations | indent 8 }} +{{- end }} + spec: + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }} + priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- include "kube-prometheus-stack.imagePullSecrets" . | indent 8 }} + {{- end }} + containers: + - name: prometheus-operator-admission-webhook + {{- $operatorRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.deployment.image.registry -}} + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }} + image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }}" + {{- else }} + image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.pullPolicy }}" + args: + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }} + - --log-format={{ .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }} + {{- end }} + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logLevel }} + - --log-level={{ 
.Values.prometheusOperator.admissionWebhooks.deployment.logLevel }} + {{- end }} + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }} + - "--web.enable-tls=true" + - "--web.cert-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.crt{{ else }}cert{{ end }}" + - "--web.key-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.key{{ else }}key{{ end }}" + - "--web.listen-address=:{{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }}" + - "--web.tls-min-version={{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.tlsMinVersion }}" + ports: + - containerPort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }} + name: https + {{- else }} + ports: + - containerPort: 8080 + name: http + {{- end }} + resources: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.resources | indent 12 }} + securityContext: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.containerSecurityContext | indent 12 }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }} + volumeMounts: + - name: tls-secret + mountPath: /cert + readOnly: true + volumes: + - name: tls-secret + secret: + defaultMode: 420 + secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission +{{- end }} + {{- with .Values.prometheusOperator.admissionWebhooks.deployment.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.securityContext }} + securityContext: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.securityContext | indent 8 }} +{{- end }} + serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . 
}}-webhook +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.hostNetwork }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + {{- with .Values.prometheusOperator.admissionWebhooks.deployment.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.prometheusOperator.admissionWebhooks.deployment.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.prometheusOperator.admissionWebhooks.deployment.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/service.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/service.yaml new file mode 100644 index 000000000000..c9fd3203e081 --- /dev/null +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/service.yaml 
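Review bot: The pod spec sets `serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}-webhook` instead of using the `kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName` helper added in the same patch, so a user-supplied `deployment.serviceAccount.name` (or the `default` fallback, which here becomes `default-webhook`) references a ServiceAccount the chart never creates and the ReplicaSet presumably cannot create pods. Use `serviceAccountName: {{ template "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" . }}` so the Deployment and the ServiceAccount object agree. The pod also leaves `automountServiceAccountToken` unset and relies on the ServiceAccount-level field; nothing in this hunk gives the receiver a reason to hold API credentials, so `automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.automountServiceAccountToken }}` on the pod spec makes that intent explicit.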
@@ -0,0 +1,58 @@ +{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-operator-webhook + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook +{{ include "kube-prometheus-stack.labels" . | indent 4 }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.labels }} +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.labels | indent 4 }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations }} + annotations: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }} + clusterIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs }} + externalIPs: +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }} +{{- end }} +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} +{{- if ne .Values.prometheusOperator.admissionWebhooks.deployment.service.type "ClusterIP" }} + externalTrafficPolicy: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.externalTrafficPolicy }} +{{- end }} + ports: + {{- if 
not .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }} + - name: http + {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort" }} + nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePort }} + {{- end }} + port: 8080 + targetPort: http + {{- end }} + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }} + - name: https + {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort"}} + nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePortTls }} + {{- end }} + port: 443 + targetPort: https + {{- end }} + selector: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook + release: {{ $.Release.Name | quote }} + type: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.service.type }}" +{{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/serviceaccount.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/serviceaccount.yaml new file mode 100644 index 000000000000..48011e67dc35 --- /dev/null +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/serviceaccount.yaml 
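Review bot: values.yaml in this patch declares `deployment.service.additionalPorts: []`, but this Service template never renders it, so the value is dead; either drop it from values.yaml or render it next to the http/https entries. The template also accepts `externalIPs`, `loadBalancerIP`, `loadBalancerSourceRanges` and a non-ClusterIP `type` for an endpoint only the API server needs to reach; if these stay for parity with the operator Service, the values.yaml comments should say ClusterIP is the expected setting, since of these only `loadBalancerSourceRanges` narrows exposure. Minor style: `{{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort"}}` in the https branch lacks the space before `}}` that the http branch has.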
@@ -0,0 +1,17 @@ +{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" . }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-operator + app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator + app.kubernetes.io/component: prometheus-operator-webhook +{{ include "kube-prometheus-stack.labels" . | indent 4 }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml index 1bb9b02ff3c5..92e25473d6d7 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml 
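Review bot: The ServiceAccount is rendered whenever `deployment.enabled` is set and ignores `deployment.serviceAccount.create`, which values.yaml in this patch adds with `create: true`; setting it to false still creates the object while the name helper picks `default` or a generated name from the operator's `serviceAccount.create`, so the two flags never line up. Guard the file with `{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.create }}`. The `app` label is `-operator` here but `-operator-webhook` on the Deployment and Service in the same patch; `app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook` keeps the three consistent.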
@@ -43,7 +43,7 @@ spec: imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }} args: - create - - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc + - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }},{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook,{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- end }} - --namespace={{ template "kube-prometheus-stack.namespace" . }} - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml index d8552140bbde..d07d52527823 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml 
@@ -35,7 +35,7 @@ webhooks: clientConfig: service: namespace: {{ template "kube-prometheus-stack.namespace" . }} - name: {{ template "kube-prometheus-stack.operator.fullname" $ }} + name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }} path: /admission-prometheusrules/mutate {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml index a1e06aec4619..5ccdbd43e5b9 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml @@ -54,4 +54,9 @@ spec: - {{ template "kube-prometheus-stack.operator.fullname" . }} - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }} - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc + {{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} + - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook + - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }} + - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc + {{- end -}} {{- end -}} diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml index bd37eaa98a0e..2c9ba71c3785 100644 --- a/charts/kube-prometheus-stack/values.yaml +++ b/charts/kube-prometheus-stack/values.yaml 
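Review bot: Only the MutatingWebhookConfiguration learns to route to the `-webhook` Service; this patch's diffstat lists no change to validatingWebhookConfiguration.yaml, so with `deployment.enabled` validation requests presumably still go to the operator's Service and the standalone receiver handles mutation only. The same `{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}` suffix belongs on the validating configuration's `clientConfig.service.name`; patch 5 of this series touches that file, but its hunk is outside this chunk. A short comment on the switched line, `# route to the standalone receiver when the webhook Deployment is enabled`, would tell the next reader why the two names differ.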
@@ -2058,6 +2058,187 @@ prometheusOperator: annotations: {} # argocd.argoproj.io/hook: PreSync # argocd.argoproj.io/hook-delete-policy: HookSucceeded + + deployment: + enabled: false + + ## Number of replicas + ## + replicas: 1 + + ## Number of old replicasets to retain ## + ## The default value is 10, 0 will garbage-collect old replicasets ## + revisionHistoryLimit: 10 + + ## Prometheus-Operator v0.39.0 and later support TLS natively. + ## + tls: + enabled: true + # Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants + tlsMinVersion: VersionTLS13 + # The default webhook port is 10250 in order to work out-of-the-box in GKE private clusters and avoid adding firewall rules. + internalPort: 10250 + + ## Service account for Prometheus Operator Webhook to use. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + automountServiceAccountToken: false + create: true + name: "" + + ## Configuration for Prometheus operator Webhook service + ## + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 31080 + + nodePortTls: 31443 + + ## Additional ports to open for Prometheus operator Webhook service + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services + ## + additionalPorts: [] + + ## Loadbalancer IP + ## Only use if service.type is "LoadBalancer" + ## + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## NodePort, ClusterIP, LoadBalancer + ## + type: ClusterIP + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # ## Labels to add to the operator webhook 
deployment + # ## + labels: {} + + ## Annotations to add to the operator webhook deployment + ## + annotations: {} + + ## Labels to add to the operator webhook pod + ## + podLabels: {} + + ## Annotations to add to the operator webhook pod + ## + podAnnotations: {} + + ## Assign a PriorityClassName to pods if set + # priorityClassName: "" + + ## Define Log Format + # Use logfmt (default) or json logging + # logFormat: logfmt + + ## Decrease log verbosity to errors only + # logLevel: error + + ## Prometheus-operator webhook image + ## + image: + registry: quay.io + repository: prometheus-operator/admission-webhook + # if not set appVersion field from Chart.yaml is used + tag: "" + sha: "" + pullPolicy: IfNotPresent + + ## Define Log Format + # Use logfmt (default) or json logging + # logFormat: logfmt + + ## Decrease log verbosity to errors only + # logLevel: error + + ## Resource limits & requests + ## + resources: {} + # limits: + # cpu: 200m + # memory: 200Mi + # requests: + # cpu: 100m + # memory: 100Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + ## Define which Nodes the Pods are scheduled on. 
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for use with node taints + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## Assign custom affinity rules to the prometheus operator + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + + ## Container-specific security context configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + patch: enabled: true image: From 9e8576b6359c7e4611b6d2355226023e148ea117 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Tue, 21 Nov 2023 20:01:24 +0100 Subject: [PATCH 2/7] [kube-prometheus-stack] unify hostnames MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .../templates/_helpers.tpl | 11 ++++++ .../job-patch/job-createSecret.yaml | 2 +- .../prometheus-operator/certmanager.yaml | 37 ++++++++----------- 3 files changed, 28 insertions(+), 22 deletions(-) 
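Review bot: The commented `logFormat`/`logLevel` block appears twice in the new `deployment:` section, once before `image:` and again after it, and the labels header reads `# ## Labels to add to the operator webhook deployment` with a doubled marker; keep one log block and write the header as `## Labels to add to the operator webhook deployment`. `additionalPorts: []` is declared here but not consumed by the Service template in this patch. The line `## Prometheus-Operator v0.39.0 and later support TLS natively.` was carried over from the operator section; for the standalone receiver it reads better as `## TLS for the webhook receiver; the API server only calls admission webhooks over HTTPS, so keep this enabled.`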
diff --git a/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kube-prometheus-stack/templates/_helpers.tpl index fb7f5471258a..9df77521f4aa 100644 --- a/charts/kube-prometheus-stack/templates/_helpers.tpl +++ b/charts/kube-prometheus-stack/templates/_helpers.tpl @@ -286,3 +286,14 @@ global: {{- end }} {{- end }} {{- end -}} + +{{- define "kube-prometheus-stack.operator.admission-webhook.dnsNames" }} +{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }} +{{- $namespace := include "kube-prometheus-stack.namespace" . }} +{{- $fullname }} +{{ $fullname }}.{{ $namespace }}.svc +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} +{{ $fullname }}-webhook +{{ $fullname }}-webhook.{{ $namespace }}.svc +{{- end }} +{{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml index 92e25473d6d7..a871dade5b3b 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml 
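Review bot: The helper's list omits the `<fullname>.<namespace>` form (without `.svc`) that certmanager.yaml's dnsNames carried before this patch, so once certmanager.yaml switches to the helper the cert-manager certificate loses that SAN while the createSecret job's `--host` list is unchanged. If the unification is kept, add `{{ $fullname }}.{{ $namespace }}` and its `-webhook` counterpart so both consumers get the full set; patch 4 of this series reverts the helper, so this may be moot.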
@@ -43,7 +43,7 @@ spec: imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }} args: - create - - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }},{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook,{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- end }} + - --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }} - --namespace={{ template "kube-prometheus-stack.namespace" . }} - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml index 5ccdbd43e5b9..5c61f37491fa 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml @@ -1,12 +1,14 @@ {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}} +{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }} +{{- $namespace := include "kube-prometheus-stack.namespace" . }} {{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}} # Create a selfsigned Issuer, in order to create a root CA certificate for # signing webhook serving certificates apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer - namespace: {{ template "kube-prometheus-stack.namespace" . }} + name: {{ $fullname }}-self-signed-issuer + namespace: {{ $namespace }} spec: selfSigned: {} --- 
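Review bot: `$fullname` is bound to `kube-prometheus-stack.operator.fullname`, but every line it replaces in this certmanager.yaml hunk and in the two that follow (`-root-cert`, `-root-issuer`, `-admission`) used `kube-prometheus-stack.fullname`; unless the two helpers render the same string (their definitions are not in this diff), the Issuer and Certificate names change and `secretName: {{ $fullname }}-admission` no longer matches the `{{ template "kube-prometheus-stack.fullname" . }}-admission` secret that deployment.yaml mounts and job-createSecret.yaml writes. Bind it as `{{- $fullname := include "kube-prometheus-stack.fullname" . }}` and keep `operator.fullname` only for the dnsNames entries. Patch 4 of this series restores the dnsNames list but leaves this binding in place, so the mismatch survives the revert.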
@@ -14,13 +16,13 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert - namespace: {{ template "kube-prometheus-stack.namespace" . }} + name: {{ $fullname }}-root-cert + namespace: {{ $namespace }} spec: - secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert + secretName: {{ $fullname }}-root-cert duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }} issuerRef: - name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer + name: {{ $fullname }}-self-signed-issuer commonName: "ca.webhook.kube-prometheus-stack" isCA: true --- 
@@ -28,35 +30,28 @@ spec: apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer - namespace: {{ template "kube-prometheus-stack.namespace" . }} + name: {{ $fullname }}-root-issuer + namespace: {{ $namespace }} spec: ca: - secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert + secretName: {{ $fullname }}-root-cert {{- end }} --- # generate a server certificate for the apiservices to use apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ template "kube-prometheus-stack.fullname" . }}-admission - namespace: {{ template "kube-prometheus-stack.namespace" . }} + name: {{ $fullname }}-admission + namespace: {{ $namespace }} spec: - secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission + secretName: {{ $fullname }}-admission duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }} issuerRef: {{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }} {{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }} {{- else }} - name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer + name: {{ $fullname }}-root-issuer {{- end }} dnsNames: - - {{ template "kube-prometheus-stack.operator.fullname" . }} - - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }} - - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc - {{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} - - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook - - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }} - - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . 
}}.svc - {{- end -}} + {{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }} {{- end -}} From 104dd39ddc769a443df053a5ec4c2ceb0a6b2e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Wed, 6 Dec 2023 23:20:36 +0100 Subject: [PATCH 3/7] Add PDB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .../admission-webhooks/deployment/deployment.yaml | 2 +- .../admission-webhooks/deployment/pdb.yaml | 15 +++++++++++++++ charts/kube-prometheus-stack/values.yaml | 5 +++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml index fbb4da3e0d8f..386838510dea 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml @@ -25,7 +25,7 @@ spec: metadata: labels: app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook -{{ include "kube-prometheus-stack.labels" . | indent 8 }} + release: {{ $.Release.Name | quote }} {{- if .Values.prometheusOperator.admissionWebhooks.deployment.podLabels }} {{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podLabels | indent 8 }} {{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml new file mode 100644 index 000000000000..4ae2987337d8 --- /dev/null 
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml @@ -0,0 +1,15 @@ +{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget -}} +apiVersion: policy/v1{{ ternary "" "beta1" ($.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + {{- include "kube-prometheus-stack.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook + release: {{ $.Release.Name | quote }} +{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget | indent 2 }} +{{- end }} diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml index 1491dcf70b75..26427cbcf725 100644 --- a/charts/kube-prometheus-stack/values.yaml +++ b/charts/kube-prometheus-stack/values.yaml @@ -2083,6 +2083,11 @@ prometheusOperator: ## replicas: 1 + # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 + ## Number of old replicasets to retain ## ## The default value is 10, 0 will garbage-collect old replicasets ## revisionHistoryLimit: 10 From 34efc6cb0e4288f7d9cb3febca828f6cf8d7a793 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 8 Dec 2023 16:06:15 +0100 Subject: [PATCH 4/7] [kube-prometheus-stack] revert unify hostnames MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- charts/kube-prometheus-stack/templates/_helpers.tpl | 11 ----------- .../job-patch/job-createSecret.yaml | 2 +- .../templates/prometheus-operator/certmanager.yaml | 9 ++++++++- 3 files changed, 9 insertions(+), 13 deletions(-) 
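Review bot: The PodDisruptionBudget is named `{{ template "kube-prometheus-stack.fullname" . }}` with no suffix, so it is likely to collide with any other PDB the chart names after the bare fullname, and the guard checks only `podDisruptionBudget`, so a user who configures it while `deployment.enabled` is false gets a PDB that selects no pods. Use `name: {{ template "kube-prometheus-stack.fullname" . }}-operator-webhook` and `{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget -}}`. Patch 5 of this series changes one line of this file; its hunk is outside this chunk.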
diff --git a/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kube-prometheus-stack/templates/_helpers.tpl index 9df77521f4aa..fb7f5471258a 100644 --- a/charts/kube-prometheus-stack/templates/_helpers.tpl +++ b/charts/kube-prometheus-stack/templates/_helpers.tpl @@ -286,14 +286,3 @@ global: {{- end }} {{- end }} {{- end -}} - -{{- define "kube-prometheus-stack.operator.admission-webhook.dnsNames" }} -{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }} -{{- $namespace := include "kube-prometheus-stack.namespace" . }} -{{- $fullname }} -{{ $fullname }}.{{ $namespace }}.svc -{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }} -{{ $fullname }}-webhook -{{ $fullname }}-webhook.{{ $namespace }}.svc -{{- end }} -{{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml index a871dade5b3b..92e25473d6d7 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml 
@@ -43,7 +43,7 @@ spec:
 imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
 args:
 - create
- - --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }}
+ - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }},{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook,{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- end }}
 - --namespace={{ template "kube-prometheus-stack.namespace" . }}
 - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
 {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }}
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
index 5c61f37491fa..626d776a3001 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
@@ -53,5 +53,12 @@ spec:
 name: {{ $fullname }}-root-issuer
 {{- end }}
 dnsNames:
- {{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
+ {{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}
+ - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc
+ {{- end -}}
 {{- end -}}
From f2e1ca9c1079138320e17cfedbf6c714e65dba2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Fri, 8 Dec 2023 16:15:31 +0100
Subject: [PATCH 5/7] [kube-prometheus-stack] fix pdb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan-Otto Kröpke
---
 .../prometheus-operator/admission-webhooks/deployment/pdb.yaml | 2 +-
 .../admission-webhooks/validatingWebhookConfiguration.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml
index 4ae2987337d8..25eac46e207c 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/pdb.yaml
@@ -2,7 +2,7 @@
 apiVersion: policy/v1{{ ternary "" "beta1" ($.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") }}
 kind: PodDisruptionBudget
 metadata:
- name: {{ template "kube-prometheus-stack.fullname" . }}
+ name: {{ template "kube-prometheus-stack.fullname" . }}-operator-webhook
 namespace: {{ template "kube-prometheus-stack.namespace" . }}
 labels:
 {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
index ab662726757a..83c2a310e2ab 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml
@@ -35,7 +35,7 @@ webhooks:
 clientConfig:
 service:
 namespace: {{ template "kube-prometheus-stack.namespace" . }}
- name: {{ template "kube-prometheus-stack.operator.fullname" $ }}
+ name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}
 path: /admission-prometheusrules/validate
 {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
From 37aeaad5a8dab7777684551aefe96b38a6c3afa6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Fri, 8 Dec 2023 16:39:09 +0100
Subject: [PATCH 6/7] [kube-prometheus-stack] add probes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
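Review bot: The `-webhook` suffix on the `clientConfig.service.name` line of validatingWebhookConfiguration.yaml is assembled inline, so the Service name the API server dials is now computed in this template independently of the Service template and, presumably, of the mutating webhook configuration. A mismatch between them would not surface at `helm template` time but only at admission time, as timed-out or ignored requests depending on `failurePolicy`, so a single named template (e.g. one returning `{{ include "kube-prometheus-stack.operator.fullname" . }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}`) used by all three would keep them in lockstep. The same line mixes `$` for the fullname call with `.` for `.Values`, while the neighbouring `namespace:` line uses `.`; picking one form makes the context assumption explicit. The enclosing `webhooks` entry starts before this hunk.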
Signed-off-by: Jan-Otto Kröpke
---
 .../deployment/deployment.yaml | 24 +++++++++++++++++++
 charts/kube-prometheus-stack/values.yaml | 21 ++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml
index 386838510dea..935668dec081 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/deployment/deployment.yaml
@@ -71,6 +71,30 @@ spec:
 - containerPort: 8080
 name: http
 {{- end }}
+ {{- if .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+ scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+ initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+ scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+ initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.failureThreshold }}
+ {{- end }}
 resources:
 {{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.resources | indent 12 }}
 securityContext:
diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
index 26427cbcf725..d50e646f0fb6 100644
--- a/charts/kube-prometheus-stack/values.yaml
+++ b/charts/kube-prometheus-stack/values.yaml
@@ -2191,6 +2191,27 @@ prometheusOperator:
 ## Decrease log verbosity to errors only
 # logLevel: error
+
+ ## Liveness probe
+ ##
+ livenessProbe:
+ enabled: true
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+
+ ## Readiness probe
+ ##
+ readinessProbe:
+ enabled: true
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+
 ## Resource limits & requests
 ##
 resources: {}
From 44e3e8904d3cf4f2ffc24853f5507cf9d76e3b1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Fri, 8 Dec 2023 16:45:31 +0100
Subject: [PATCH 7/7] revert template calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan-Otto Kröpke
---
 .../templates/_helpers.tpl | 11 ++++++
 .../job-patch/job-createSecret.yaml | 2 +-
 .../prometheus-operator/certmanager.yaml | 37 +++++++------------
 3 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kube-prometheus-stack/templates/_helpers.tpl
index fb7f5471258a..9df77521f4aa 100644
--- a/charts/kube-prometheus-stack/templates/_helpers.tpl
+++ b/charts/kube-prometheus-stack/templates/_helpers.tpl
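Review bot: `successThreshold` is exposed for the liveness probe (`livenessProbe.successThreshold: 1` in the values.yaml hunk) and rendered verbatim into `livenessProbe.successThreshold` in the deployment.yaml hunk, but Kubernetes only accepts the value 1 there, so any override produces a Deployment the API server rejects at apply time rather than an error at `helm template` time. Either drop `successThreshold` from the livenessProbe block in both files, or document the constraint next to the value: `successThreshold: 1  # must remain 1; the API server rejects other values for liveness probes`. The readiness and liveness blocks in deployment.yaml are otherwise identical apart from the probe key, which is a style point rather than a defect. The container spec these probes belong to starts before this hunk.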
@@ -286,3 +286,14 @@ global:
 {{- end }}
 {{- end }}
 {{- end -}}
+
+{{- define "kube-prometheus-stack.operator.admission-webhook.dnsNames" }}
+{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }}
+{{- $namespace := include "kube-prometheus-stack.namespace" . }}
+{{- $fullname }}
+{{ $fullname }}.{{ $namespace }}.svc
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+{{ $fullname }}-webhook
+{{ $fullname }}-webhook.{{ $namespace }}.svc
+{{- end }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
index 92e25473d6d7..a871dade5b3b 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
@@ -43,7 +43,7 @@ spec:
 imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
 args:
 - create
- - --host={{ template "kube-prometheus-stack.operator.fullname" . }},{{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }},{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook,{{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc{{- end }}
+ - --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }}
 - --namespace={{ template "kube-prometheus-stack.namespace" . }}
 - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
 {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }}
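Review bot: The re-added `kube-prometheus-stack.operator.admission-webhook.dnsNames` helper has no header comment, unlike the neighbouring helpers, and its contract is easy to get wrong: it emits one SAN per line, depends on the `{{-` in front of the first `$fullname` and the `{{- if`/`{{- end }}` pairs to avoid empty entries, and every caller must split on `"\n"` (the job-createSecret.yaml hunk on this line does `replace "\n" ","`). A comment in the file's existing style would save the next reader a trace through the trim markers, e.g. `{{/* Newline-separated DNS SANs for the admission webhook certificate: the operator Service and, when the separate webhook Deployment is enabled, its -webhook Service. Callers must split on "\n". */}}`. It is also worth stating in that comment that the list is shared by the cert-manager Certificate and the certgen job so the two certificate paths carry the same SAN set.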
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
index 626d776a3001..cb27e49f488e 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/certmanager.yaml
@@ -1,14 +1,12 @@
 {{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}}
-{{- $fullname := include "kube-prometheus-stack.operator.fullname" . }}
-{{- $namespace := include "kube-prometheus-stack.namespace" . }}
 {{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}}
 # Create a selfsigned Issuer, in order to create a root CA certificate for
 # signing webhook serving certificates
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
- name: {{ $fullname }}-self-signed-issuer
- namespace: {{ $namespace }}
+ name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
 selfSigned: {}
 ---
@@ -16,13 +14,13 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: {{ $fullname }}-root-cert
- namespace: {{ $namespace }}
+ name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
- secretName: {{ $fullname }}-root-cert
+ secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
 duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
 issuerRef:
- name: {{ $fullname }}-self-signed-issuer
+ name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
 commonName: "ca.webhook.kube-prometheus-stack"
 isCA: true
 ---
@@ -30,35 +28,28 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
- name: {{ $fullname }}-root-issuer
- namespace: {{ $namespace }}
+ name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
 ca:
- secretName: {{ $fullname }}-root-cert
+ secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
 {{- end }}
 ---
 # generate a server certificate for the apiservices to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: {{ $fullname }}-admission
- namespace: {{ $namespace }}
+ name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
 spec:
- secretName: {{ $fullname }}-admission
+ secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
 duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
 issuerRef:
 {{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
 {{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}
 {{- else }}
- name: {{ $fullname }}-root-issuer
+ name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
 {{- end }}
 dnsNames:
- - {{ template "kube-prometheus-stack.operator.fullname" . }}
- - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}
- - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
- {{- if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
- - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
- - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}
- - {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook.{{ template "kube-prometheus-stack.namespace" . }}.svc
- {{- end -}}
+ {{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
 {{- end -}}
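Review bot: Switching `dnsNames` to the shared helper silently drops the bare `<fullname>.<namespace>` SAN that the removed lines carried, since the helper re-added in this patch's `_helpers.tpl` hunk emits only `<fullname>` and `<fullname>.<namespace>.svc` (plus the `-webhook` pair), so a certificate issued after this change is valid for fewer names than before. That is most likely acceptable, because the API server dials the `<name>.<namespace>.svc` form and the certgen job's `--host` list never included the shorter one, so the cert-manager and job-generated certificates now agree; a comment above the line, `# SANs come from the shared dnsNames helper so cert-manager and certgen issue identical names`, would record that this narrowing is intentional. Note also that `splitList "\n" | toYaml | nindent 4` yields an empty, invalid SAN entry if the helper ever gains a leading or trailing newline, so the helper's trim markers are load-bearing here. The enclosing Certificate resource starts before this hunk.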