From 69f8812e3776f5006bf3e0749e9919aaac177d42 Mon Sep 17 00:00:00 2001
From: robot
Date: Mon, 23 Dec 2024 20:07:21 +0000
Subject: [PATCH] robot: project kube-state-metrics chart upgrades from 4.22.* to 5.27.0

Signed-off-by: robot
---
 charts/kube-state-metrics/config | 2 +-
 .../kube-state-metrics/Chart.yaml | 11 +-
 .../kube-state-metrics/README.md | 31 ++-
 .../charts/kube-state-metrics/Chart.yaml | 9 +-
 .../charts/kube-state-metrics/README.md | 31 ++-
 .../kube-state-metrics/templates/NOTES.txt | 13 +
 .../kube-state-metrics/templates/_helpers.tpl | 57 +++-
 .../templates/ciliumnetworkpolicy.yaml | 33 +++
 .../templates/crs-configmap.yaml | 16 ++
 .../templates/deployment.yaml | 213 ++++++++++++--
 .../templates/extra-manifests.yaml | 4 +
 .../templates/networkpolicy.yaml | 43 +++
 .../templates/rbac-configmap.yaml | 22 ++
 .../kube-state-metrics/templates/role.yaml | 24 +-
 .../kube-state-metrics/templates/service.yaml | 10 +
 .../templates/serviceaccount.yaml | 5 +-
 .../templates/servicemonitor.yaml | 101 ++++---
 .../templates/verticalpodautoscaler.yaml | 22 +-
 .../charts/kube-state-metrics/values.yaml | 261 +++++++++++++++++-
 19 files changed, 805 insertions(+), 103 deletions(-)
 create mode 100644 charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml
 create mode 100644 charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/crs-configmap.yaml
 create mode 100644 charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/extra-manifests.yaml
 create mode 100644 charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/networkpolicy.yaml
 create mode 100644 charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/rbac-configmap.yaml

diff --git a/charts/kube-state-metrics/config b/charts/kube-state-metrics/config
index c6d403454..2c652c8ec 100644
--- a/charts/kube-state-metrics/config
+++ b/charts/kube-state-metrics/config
@@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://prometheus-community.github.io/helm-charts export REPO_NAME=kube-state-metrics export CHART_NAME=kube-state-metrics -export VERSION=4.22.* +export VERSION=5.27.0 # pr, issue, none export UPGRADE_METHOD=pr diff --git a/charts/kube-state-metrics/kube-state-metrics/Chart.yaml b/charts/kube-state-metrics/kube-state-metrics/Chart.yaml index eafce859f..3ab0ce6ae 100644 --- a/charts/kube-state-metrics/kube-state-metrics/Chart.yaml +++ b/charts/kube-state-metrics/kube-state-metrics/Chart.yaml @@ -1,5 +1,10 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 2.6.0 +appVersion: 2.14.0 description: Install kube-state-metrics to generate and expose cluster-level metrics home: https://github.com/kubernetes/kube-state-metrics/ keywords: @@ -18,8 +23,8 @@ name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 4.22.3 +version: 5.27.0 dependencies: - name: kube-state-metrics - version: "4.22.*" + version: "5.27.0" repository: "https://prometheus-community.github.io/helm-charts" diff --git a/charts/kube-state-metrics/kube-state-metrics/README.md b/charts/kube-state-metrics/kube-state-metrics/README.md index 7c2e16918..843be89e6 100644 --- a/charts/kube-state-metrics/kube-state-metrics/README.md +++ b/charts/kube-state-metrics/kube-state-metrics/README.md @@ -2,14 +2,15 @@ Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics). -## Get Repo Info - +## Get Repository Info + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart 
@@ -43,20 +44,19 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen You can upgrade in-place: -1. [get repo info](#get-repo-info) -1. [upgrade](#upgrading-chart) your existing release name using the new chart repo - +1. [get repository info](#get-repository-info) +1. [upgrade](#upgrading-chart) your existing release name using the new chart repository ## Upgrading to v3.0.0 v3.0.0 includes kube-state-metrics v2.0, see the [changelog](https://github.com/kubernetes/kube-state-metrics/blob/release-2.0/CHANGELOG.md) for major changes on the application-side. The upgraded chart now the following changes: + * Dropped support for helm v2 (helm v3 or later is required) * collectors key was renamed to resources * namespace key was renamed to namespaces - ## Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: @@ -65,4 +65,21 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h helm show values prometheus-community/kube-state-metrics ``` -You may also run `helm show values` on this chart's [dependencies](#dependencies) for additional options. +### kube-rbac-proxy + +You can enable `kube-state-metrics` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container per endpoint (metrics & telemetry). +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-state-metrics-read +rules: + - apiGroups: [ "" ] + resources: ["services/kube-state-metrics"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. 
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/Chart.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/Chart.yaml index 12eb06d5a..57ff94179 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/Chart.yaml +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/Chart.yaml @@ -1,5 +1,10 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 2.6.0 +appVersion: 2.14.0 description: Install kube-state-metrics to generate and expose cluster-level metrics home: https://github.com/kubernetes/kube-state-metrics/ keywords: @@ -18,4 +23,4 @@ name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 4.22.3 +version: 5.27.0 diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/README.md b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/README.md index 7c2e16918..843be89e6 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/README.md +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/README.md @@ -2,14 +2,15 @@ Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics). -## Get Repo Info - +## Get Repository Info + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart 
@@ -43,20 +44,19 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen You can upgrade in-place: -1. [get repo info](#get-repo-info) -1. [upgrade](#upgrading-chart) your existing release name using the new chart repo - +1. [get repository info](#get-repository-info) +1. [upgrade](#upgrading-chart) your existing release name using the new chart repository ## Upgrading to v3.0.0 v3.0.0 includes kube-state-metrics v2.0, see the [changelog](https://github.com/kubernetes/kube-state-metrics/blob/release-2.0/CHANGELOG.md) for major changes on the application-side. The upgraded chart now the following changes: + * Dropped support for helm v2 (helm v3 or later is required) * collectors key was renamed to resources * namespace key was renamed to namespaces - ## Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: @@ -65,4 +65,21 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h helm show values prometheus-community/kube-state-metrics ``` -You may also run `helm show values` on this chart's [dependencies](#dependencies) for additional options. +### kube-rbac-proxy + +You can enable `kube-state-metrics` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container per endpoint (metrics & telemetry). +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-state-metrics-read +rules: + - apiGroups: [ "" ] + resources: ["services/kube-state-metrics"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. 
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/NOTES.txt b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/NOTES.txt index 5a646e0cc..3589c24ec 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/NOTES.txt +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/NOTES.txt @@ -8,3 +8,16 @@ In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-s They are served either as plaintext or protobuf depending on the Accept header. They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. +{{- if .Values.kubeRBACProxy.enabled}} + +kube-rbac-proxy endpoint protections is enabled: +- Metrics endpoints are now HTTPS +- Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions: +``` +rules: + - apiGroups: [ "" ] + resources: ["services/{{ template "kube-state-metrics.fullname" . }}"] + verbs: + - get +``` +{{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/_helpers.tpl b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/_helpers.tpl index 0d193fbc0..3dd326da4 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/_helpers.tpl +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/_helpers.tpl @@ -66,7 +66,7 @@ app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} {{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} +{{ tpl (toYaml .Values.customLabels) . }} {{- end }} {{- if .Values.releaseLabel }} release: {{ .Release.Name }} 
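Review bot: Passing `customLabels` through `tpl` in `kube-state-metrics.labels` turns every label value into a template, so a value containing `{{ }}` is now evaluated against the full chart context (`.Values`, `.Files`, `.Release`) instead of being emitted literally, and a literal `{{` that used to be a valid label now fails the render. When the values come from the same operator who installs the chart this is just a convenience; when label values are assembled from less-trusted input (an umbrella chart or a self-service layer) that input can now read other values, which is a change of contract worth stating. The deployment template applies the same `tpl (toYaml .) $` pattern to `nodeSelector` and `tolerations`. A comment above the line, e.g. `{{/* customLabels are rendered with tpl: values may reference the chart context */}}`, would make this visible to the next reader.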
@@ -77,9 +77,13 @@ release: {{ .Release.Name }} Selector labels */}} {{- define "kube-state-metrics.selectorLabels" }} +{{- if .Values.selectorOverride }} +{{ toYaml .Values.selectorOverride }} +{{- else }} app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{- end }} {{/* Sets default scrape limits for servicemonitor */}} {{- define "servicemonitor.scrapeLimits" -}} 
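Review bot: `selectorOverride` replaces the labels returned by `kube-state-metrics.selectorLabels`, which feed the workload's `spec.selector`, and that field is immutable once the Deployment or StatefulSet exists, so introducing or changing the override on an existing release fails at upgrade time instead of rolling. The pod template labels come from `kube-state-metrics.labels`, whose body is outside this hunk; whether that helper also emits the override decides whether the workload is accepted at all, since a selector that does not match the template labels is rejected by the API server. A comment in the define, e.g. `{{/* selectorOverride must also appear in the pod labels and cannot be changed on an existing release */}}`, would spare the next reader that debugging.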
@@ -99,3 +103,54 @@ labelNameLengthLimit: {{ . }} labelValueLengthLimit: {{ . }} {{- end }} {{- end -}} + +{{/* +Formats imagePullSecrets. Input is (dict "Values" .Values "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "kube-state-metrics.imagePullSecrets" -}} +{{- range (concat .Values.global.imagePullSecrets .imagePullSecrets) }} + {{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml . | trim }} + {{- else }} +- name: {{ . }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +The image to use for kube-state-metrics +*/}} +{{- define "kube-state-metrics.image" -}} +{{- if .Values.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +The image to use for kubeRBACProxy +*/}} +{{- define "kubeRBACProxy.image" -}} +{{- if .Values.kubeRBACProxy.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- end }} 
+{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml new file mode 100644 index 000000000..025cd47a8 --- /dev/null +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +spec: + endpointSelector: + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + egress: + {{- if and .Values.networkPolicy.cilium .Values.networkPolicy.cilium.kubeApiServerSelector }} + {{ toYaml .Values.networkPolicy.cilium.kubeApiServerSelector | nindent 6 }} + {{- else }} + - toEntities: + - kube-apiserver + {{- end }} + ingress: + - toPorts: + - ports: + - port: {{ .Values.service.port | quote }} + protocol: TCP + {{- if .Values.selfMonitor.enabled }} + - port: {{ .Values.selfMonitor.telemetryPort | default 8081 | quote }} + protocol: TCP + {{ end }} +{{ end }} 
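Review bot: `kube-state-metrics.image` joins `image.sha` with a bare `@`, whereas the deployment line this patch removes emitted `@sha256:{{ .Values.image.sha }}`, so existing values that pin a plain hex digest now render an unpullable reference of the form `registry/repo:tag@<hex>` and the digest pin breaks at pull time rather than at render time. Unless values.yaml (not in this excerpt) now documents `sha` as the full `sha256:<hex>` form, the helper should accept both, e.g. `{{- $sha := .Values.image.sha }}{{- if not (hasPrefix "sha256:" $sha) }}{{- $sha = printf "sha256:%s" $sha }}{{- end }}` before the `printf` lines. `kubeRBACProxy.image` also falls back to `v{{ .Chart.AppVersion }}`, which is the kube-state-metrics app version and not a kube-rbac-proxy release, so that fallback only works if values.yaml always sets `kubeRBACProxy.image.tag`. The helper comment could read `The image to use for kube-state-metrics; image.sha is appended verbatim after '@', supply it as sha256:<hex>`.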
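Review bot: The default `ingress` rule is a bare `toPorts` entry with no `fromEndpoints`/`fromEntities`, which in Cilium (as far as I recall its semantics) allows the listed ports from any source, so the policy pins the ports but not who may scrape them, and unlike the egress side there is no values hook to narrow it. A scraper selector supplied through values, mirroring how `kubeApiServerSelector` is consumed for egress, would let operators restrict ingress to their monitoring namespace. Minor: the two closing `{{ end }}` lines are untrimmed and leave blank lines in the rendered manifest; `{{- end }}` matches the rest of the file.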
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/crs-configmap.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/crs-configmap.yaml new file mode 100644 index 000000000..d38a75a51 --- /dev/null +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/crs-configmap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.customResourceState.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- toYaml .Values.customResourceState.config | nindent 4 }} +{{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/deployment.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/deployment.yaml index 325357b37..29a74b80d 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/deployment.yaml @@ -18,6 +18,11 @@ spec: matchLabels: {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} replicas: {{ .Values.replicas }} + {{- if not .Values.autosharding.enabled }} + strategy: + type: {{ .Values.updateStrategy | default "RollingUpdate" }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.autosharding.enabled }} serviceName: {{ template "kube-state-metrics.fullname" . }} volumeClaimTemplates: [] 
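Review bot: With `customResourceState.enabled: true` and no `customResourceState.config`, `toYaml` renders the literal `null` into `config.yaml`, so the mount exists but kube-state-metrics is handed a config file containing `null`; a guard such as `{{- required "customResourceState.config is required when customResourceState.enabled is true" .Values.customResourceState.config | toYaml | nindent 4 }}` fails the render with a clear message instead. Note also that the pod template in deployment.yaml carries no checksum of this ConfigMap, so editing the config does not restart the pods; a `checksum/config` pod annotation computed from this file is the usual fix.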
@@ -26,11 +31,15 @@ spec: metadata: labels: {{- include "kube-state-metrics.labels" . | indent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.podAnnotations }} annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} + {{ toYaml .Values.podAnnotations | nindent 8 }} {{- end }} spec: + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} hostNetwork: {{ .Values.hostNetwork }} serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }} {{- if .Values.securityContext.enabled }} @@ -39,9 +48,15 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} containers: + {{- $servicePort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} + {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} - name: {{ template "kube-state-metrics.name" . }} - {{- if .Values.autosharding.enabled }} + {{- if .Values.autosharding.enabled }} env: - name: POD_NAME valueFrom: @@ -56,9 +71,7 @@ spec: {{- if .Values.extraArgs }} {{- .Values.extraArgs | toYaml | nindent 8 }} {{- end }} - {{- if .Values.service.port }} - - --port={{ .Values.service.port | default 8080}} - {{- end }} + - --port={{ $servicePort }} {{- if .Values.collectors }} - --resources={{ .Values.collectors | join "," }} {{- end }} 
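Review bot: `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` is set on the pod unconditionally, and the pod-level field takes precedence over the ServiceAccount's, so a `false` here removes the in-cluster credentials kube-state-metrics uses to list and watch (acceptable only when `kubeconfig.enabled` supplies a kubeconfig) and also removes the token the kube-rbac-proxy sidecars need for the TokenReview/SubjectAccessReview calls this patch grants in role.yaml. When the value is absent the line renders as a bare key, which the API server reads as null and therefore the default `true`. A comment next to the line, e.g. `# keep true unless kubeconfig.enabled; required by kubeRBACProxy`, would document the coupling.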
@@ -96,83 +109,227 @@ spec: {{- if .Values.kubeconfig.enabled }} - --kubeconfig=/opt/k8s/.kube/config {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - --telemetry-host=127.0.0.1 + - --telemetry-port={{ $telemetryPort }} + {{- else }} {{- if .Values.selfMonitor.telemetryHost }} - --telemetry-host={{ .Values.selfMonitor.telemetryHost }} {{- end }} {{- if .Values.selfMonitor.telemetryPort }} - - --telemetry-port={{ .Values.selfMonitor.telemetryPort | default 8081 }} + - --telemetry-port={{ $telemetryPort }} {{- end }} - {{- if or (.Values.kubeconfig.enabled) (.Values.volumeMounts) }} + {{- end }} + {{- if .Values.customResourceState.enabled }} + - --custom-resource-state-config-file=/etc/customresourcestate/config.yaml + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumeMounts) }} volumeMounts: {{- if .Values.kubeconfig.enabled }} - name: kubeconfig mountPath: /opt/k8s/.kube/ readOnly: true {{- end }} + {{- if .Values.customResourceState.enabled }} + - name: customresourcestate-config + mountPath: /etc/customresourcestate + readOnly: true + {{- end }} {{- if .Values.volumeMounts }} {{ toYaml .Values.volumeMounts | indent 8 }} {{- end }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.image.sha }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}" - {{- else }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- end }} + image: {{ include "kube-state-metrics.image" . 
}} + {{- if eq .Values.kubeRBACProxy.enabled false }} ports: - containerPort: {{ .Values.service.port | default 8080}} name: "http" {{- if .Values.selfMonitor.enabled }} - - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + - containerPort: {{ $telemetryPort }} name: "metrics" {{- end }} - livenessProbe: + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + failureThreshold: {{ .Values.startupProbe.failureThreshold }} httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.startupProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} path: /healthz - port: {{ .Values.service.port | default 8080}} + port: {{ $servicePort }} + scheme: {{ upper .Values.startupProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + {{- end }} + livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: /livez + port: {{ $servicePort }} + scheme: {{ upper .Values.livenessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := 
.Values.readinessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: /readyz + port: {{ $telemetryPort }} + scheme: {{ upper .Values.readinessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- if .Values.containerSecurityContext }} + securityContext: +{{ toYaml .Values.containerSecurityContext | indent 10 }} +{{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy-http + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.service.port | default 8080}} + - --upstream=http://127.0.0.1:{{ $servicePort }}/ + - --proxy-endpoints-port=8888 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . 
}} + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + - containerPort: 8888 + name: "http-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: 8888 + path: healthz initialDelaySeconds: 5 timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} +{{- end }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} +{{- end }} + {{- if .Values.selfMonitor.enabled }} + - name: kube-rbac-proxy-telemetry + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.selfMonitor.telemetryPort | default 8081 }} + - --upstream=http://127.0.0.1:{{ $telemetryPort }}/ + - --proxy-endpoints-port=8889 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . 
}} + ports: + - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + name: "metrics" + - containerPort: 8889 + name: "metrics-healthz" readinessProbe: httpGet: - path: / - port: {{ .Values.service.port | default 8080}} + scheme: HTTPS + port: 8889 + path: healthz initialDelaySeconds: 5 timeoutSeconds: 5 - {{- if .Values.resources }} + {{- if .Values.kubeRBACProxy.resources }} resources: -{{ toYaml .Values.resources | indent 10 }} +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} {{- end }} -{{- if .Values.containerSecurityContext }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} securityContext: -{{ toYaml .Values.containerSecurityContext | indent 10 }} +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} {{- end }} -{{- if .Values.imagePullSecrets }} + {{- end }} + {{- end }} + {{- with .Values.containers }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} {{- end }} {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} {{- end }} - {{- if .Values.nodeSelector }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} +{{ tpl (toYaml .) $ | indent 8 }} {{- end }} - {{- if .Values.tolerations }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} +{{ tpl (toYaml .) 
$ | indent 8 }} {{- end }} {{- if .Values.topologySpreadConstraints }} topologySpreadConstraints: {{ toYaml .Values.topologySpreadConstraints | indent 8 }} {{- end }} - {{- if or (.Values.kubeconfig.enabled) (.Values.volumes) }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumes) (.Values.kubeRBACProxy.enabled) }} volumes: {{- if .Values.kubeconfig.enabled}} - name: kubeconfig secret: secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig {{- end }} + {{- if .Values.kubeRBACProxy.enabled}} + - name: kube-rbac-proxy-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config + {{- end }} + {{- if .Values.customResourceState.enabled}} + - name: customresourcestate-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + {{- end }} {{- if .Values.volumes }} {{ toYaml .Values.volumes | indent 8 }} {{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/extra-manifests.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/extra-manifests.yaml new file mode 100644 index 000000000..567f7bf32 --- /dev/null +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/networkpolicy.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/networkpolicy.yaml new file mode 100644 index 000000000..309b38ec5 --- /dev/null +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/networkpolicy.yaml 
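Review bot: With `kubeRBACProxy.enabled`, only the telemetry listener is bound to loopback (`--telemetry-host=127.0.0.1`); the metrics listener on `$servicePort` (9090) gets no `--host` flag in the visible args (the args run begins in the previous hunk), so it stays reachable on the pod IP and the proxy guards the Service port but not the pod itself. Binding it to loopback is not a drop-in fix because the kubelet's `livenessProbe` targets `$servicePort` on the pod IP, so the practical control is the chart's NetworkPolicy, which allows only the service and telemetry ports; that dependency deserves a comment, e.g. `# kube-state-metrics still listens on $servicePort on all interfaces; enable networkPolicy so the proxy cannot be bypassed`. The kube-state-metrics `readinessProbe` targets `$telemetryPort` (9091 in proxy mode), the very port just bound to 127.0.0.1, so unless the kubelet reaches it some other way that probe appears to fail whenever the proxy is enabled without `hostNetwork`. Minor: the sidecar probes use `path: healthz` without the leading slash; `path: /healthz` matches the other probes.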
@@ -0,0 +1,43 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "kubernetes") }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +spec: + {{- if .Values.networkPolicy.egress }} + ## Deny all egress by default + egress: + {{- toYaml .Values.networkPolicy.egress | nindent 4 }} + {{- end }} + ingress: + {{- if .Values.networkPolicy.ingress }} + {{- toYaml .Values.networkPolicy.ingress | nindent 4 }} + {{- else }} + ## Allow ingress on default ports by default + - ports: + - port: {{ .Values.service.port | default 8080 }} + protocol: TCP + {{- if .Values.selfMonitor.enabled }} + {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} + - port: {{ $telemetryPort }} + protocol: TCP + {{- end }} + {{- end }} + podSelector: + {{- if .Values.networkPolicy.podSelector }} + {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }} + {{- else }} + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + {{- end }} + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/rbac-configmap.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/rbac-configmap.yaml new file mode 100644 index 000000000..671dc9d66 --- /dev/null +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/rbac-configmap.yaml 
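Review bot: The telemetry port in the default `ingress` rule is computed as `ternary 9091 (...) .Values.kubeRBACProxy.enabled`, but 9091 is the internal port kube-state-metrics binds to 127.0.0.1 in proxy mode; the port exposed on the pod is the kube-rbac-proxy-telemetry container's `selfMonitor.telemetryPort` (8081 by default), so with `networkPolicy.enabled`, `kubeRBACProxy.enabled` and `selfMonitor.enabled` together the telemetry scrape is blocked. The cilium template already uses the exposed port; change the line to `- port: {{ .Values.selfMonitor.telemetryPort | default 8081 }}` and drop the `$telemetryPort` assignment. Two further points: the rule has no `from`, so the ports are open to any source (a `from` selector supplied via values would let operators scope it), and `policyTypes` lists `Egress` while `egress` is only rendered when `networkPolicy.egress` is set, so unless values.yaml (outside this excerpt) supplies a default rule, enabling the policy denies all egress including the API server traffic kube-state-metrics depends on. The `## Deny all egress by default` comment sits inside that `if`, where it describes the opposite of what the branch does.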
@@ -0,0 +1,22 @@ +{{- if .Values.kubeRBACProxy.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: {{ template "kube-state-metrics.namespace" . }} + apiVersion: v1 + resource: services + subresource: {{ template "kube-state-metrics.fullname" . }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/role.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/role.yaml index 6474914fa..d33687f2d 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/role.yaml +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/role.yaml @@ -51,6 +51,12 @@ rules: - endpoints verbs: ["list", "watch"] {{ end -}} +{{ if has "endpointslices" $.Values.collectors }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: ["list", "watch"] +{{ end -}} {{ if has "horizontalpodautoscalers" $.Values.collectors }} - apiGroups: ["autoscaling"] resources: 
@@ -183,12 +189,22 @@ rules:
 - volumeattachments
 verbs: ["list", "watch"]
 {{ end -}}
-{{ if has "verticalpodautoscalers" $.Values.collectors }}
-- apiGroups: ["autoscaling.k8s.io"]
+{{- if $.Values.kubeRBACProxy.enabled }}
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
 resources:
- - verticalpodautoscalers
+ - subjectaccessreviews
+ verbs: ["create"]
+{{- end }}
+{{- if $.Values.customResourceState.enabled }}
+- apiGroups: ["apiextensions.k8s.io"]
+ resources:
+ - customresourcedefinitions
 verbs: ["list", "watch"]
-{{ end -}}
+{{- end }}
 {{ if $.Values.rbac.extraRules }}
 {{ toYaml $.Values.rbac.extraRules }}
 {{ end }}
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/service.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/service.yaml
index bc3e9a24d..90c235148 100644
--- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/service.yaml
+++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/service.yaml
@@ -14,6 +14,10 @@ metadata:
 {{- end }}
 spec:
 type: "{{ .Values.service.type }}"
+ {{- if .Values.service.ipDualStack.enabled }}
+ ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }}
+ ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }}
+ {{- end }}
 ports:
 - name: "http"
 protocol: TCP
@@ -34,6 +38,12 @@ spec:
 {{- if .Values.service.loadBalancerIP }}
 loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
 {{- end }}
+{{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
 {{- if .Values.autosharding.enabled }}
 clusterIP: None
 {{- else if .Values.service.clusterIP }}
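Review bot: The `tokenreviews`/`subjectaccessreviews` rule added under `kubeRBACProxy.enabled` grants `create` on cluster-scoped review resources; if this template can also render as a namespaced Role (the `kind` is outside the hunk), that rule would have no effect there and kube-rbac-proxy would reject every request, so a guard or at least a comment such as `# TokenReview/SubjectAccessReview are cluster-scoped; this only works from a ClusterRole` is warranted. The new blocks also mix `{{- if ... }}`/`{{- end }}` with the surrounding `{{ if ... }}`/`{{ end -}}` trimming style; the output is valid only because each neighbour trims the opposite side, so one style for the whole rule list would be safer against future edits.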
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/serviceaccount.yaml
index e1229eb95..c302bc7ca 100644
--- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/serviceaccount.yaml
+++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/serviceaccount.yaml
@@ -1,6 +1,7 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
 labels:
 {{- include "kube-state-metrics.labels" . | indent 4 }}
@@ -10,6 +11,8 @@ metadata:
 annotations:
 {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
 {{- end }}
+{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }}
 imagePullSecrets:
-{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }}
+ {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }}
+{{- end }}
 {{- end -}}
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/servicemonitor.yaml
index e93df4c49..99d7fa924 100644
--- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/servicemonitor.yaml
+++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/servicemonitor.yaml
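Review bot: `automountServiceAccountToken` is rendered unconditionally from `serviceAccount.automountServiceAccountToken`, and the pod-level key of the same name added in values.yaml has the same `true` default, yet nothing says that turning either off removes the in-pod token kube-state-metrics uses for its list/watch calls unless `kubeconfig` is configured. A comment next to the value, e.g. `# Set to false only when a kubeconfig is supplied; kube-state-metrics needs API credentials`, would prevent a silent crash loop when someone hardens the service account. Note that a `| default true` fallback for users carrying 4.x values files is not an option here, because Helm's `default` treats `false` as empty and would re-enable the mount.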
@@ -7,11 +7,30 @@ metadata:
 labels:
 {{- include "kube-state-metrics.labels" . | indent 4 }}
 {{- with .Values.prometheus.monitor.additionalLabels }}
- {{- toYaml . | nindent 4 }}
+ {{- tpl (toYaml . | nindent 4) $ }}
+ {{- end }}
+ {{- with .Values.prometheus.monitor.annotations }}
+ annotations:
+ {{- tpl (toYaml . | nindent 4) $ }}
 {{- end }}
 spec:
 jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }}
+ {{- with .Values.prometheus.monitor.targetLabels }}
+ targetLabels:
+ {{- toYaml . | trim | nindent 4 }}
+ {{- end }}
+ {{- with .Values.prometheus.monitor.podTargetLabels }}
+ podTargetLabels:
+ {{- toYaml . | trim | nindent 4 }}
+ {{- end }}
 {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }}
+ {{- if .Values.prometheus.monitor.namespaceSelector }}
+ namespaceSelector:
+ matchNames:
+ {{- with .Values.prometheus.monitor.namespaceSelector }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- end }}
 selector:
 matchLabels:
 {{- with .Values.prometheus.monitor.selectorOverride }}
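Review bot: The `namespaceSelector` block wraps a `with` inside an `if` on the same value, so the inner `with`/`end` pair is redundant and only adds nesting; `namespaceSelector:` / `matchNames:` / `{{- toYaml .Values.prometheus.monitor.namespaceSelector | nindent 6 }}` inside the existing `if` is equivalent. Separately, `additionalLabels` and `annotations` are now passed through `tpl`, which means any label or annotation value containing `{{` is executed as a template against the chart context; a short comment saying so would help anyone copying label sets from another chart.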
@@ -21,61 +40,81 @@ spec: {{- end }} endpoints: - port: http - {{- if .Values.prometheus.monitor.interval }} - interval: {{ .Values.prometheus.monitor.interval }} + {{- if or .Values.prometheus.monitor.http.interval .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.http.interval | default .Values.prometheus.monitor.interval }} {{- end }} - {{- if .Values.prometheus.monitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- if or .Values.prometheus.monitor.http.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.http.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }} {{- end }} - {{- if .Values.prometheus.monitor.proxyUrl }} - proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- if or .Values.prometheus.monitor.http.proxyUrl .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.http.proxyUrl | default .Values.prometheus.monitor.proxyUrl }} {{- end }} - {{- if .Values.prometheus.monitor.honorLabels }} + {{- if or .Values.prometheus.monitor.http.enableHttp2 .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.http.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.honorLabels .Values.prometheus.monitor.honorLabels }} honorLabels: true {{- end }} - {{- if .Values.prometheus.monitor.metricRelabelings }} + {{- if or .Values.prometheus.monitor.http.metricRelabelings .Values.prometheus.monitor.metricRelabelings }} metricRelabelings: - {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.http.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }} {{- end }} - {{- if .Values.prometheus.monitor.relabelings }} + {{- if or .Values.prometheus.monitor.http.relabelings .Values.prometheus.monitor.relabelings }} relabelings: 
- {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.http.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }} {{- end }} - {{- if .Values.prometheus.monitor.scheme }} - scheme: {{ .Values.prometheus.monitor.scheme }} + {{- if or .Values.prometheus.monitor.http.scheme .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.http.scheme | default .Values.prometheus.monitor.scheme }} {{- end }} - {{- if .Values.prometheus.monitor.tlsConfig }} + {{- if or .Values.prometheus.monitor.http.tlsConfig .Values.prometheus.monitor.tlsConfig }} tlsConfig: - {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.http.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.http.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with (.Values.prometheus.monitor.http.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }} + bearerTokenSecret: + {{- toYaml . 
| nindent 8 }} {{- end }} {{- if .Values.selfMonitor.enabled }} - port: metrics - {{- if .Values.prometheus.monitor.interval }} - interval: {{ .Values.prometheus.monitor.interval }} + {{- if or .Values.prometheus.monitor.metrics.interval .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.metrics.interval | default .Values.prometheus.monitor.interval }} {{- end }} - {{- if .Values.prometheus.monitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- if or .Values.prometheus.monitor.metrics.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.metrics.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }} {{- end }} - {{- if .Values.prometheus.monitor.proxyUrl }} - proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- if or .Values.prometheus.monitor.metrics.proxyUrl .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.metrics.proxyUrl | default .Values.prometheus.monitor.proxyUrl }} {{- end }} - {{- if .Values.prometheus.monitor.honorLabels }} + {{- if or .Values.prometheus.monitor.metrics.enableHttp2 .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.metrics.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.honorLabels .Values.prometheus.monitor.honorLabels }} honorLabels: true {{- end }} - {{- if .Values.prometheus.monitor.metricRelabelings }} + {{- if or .Values.prometheus.monitor.metrics.metricRelabelings .Values.prometheus.monitor.metricRelabelings }} metricRelabelings: - {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.metrics.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }} {{- end }} - {{- if .Values.prometheus.monitor.relabelings }} + {{- if or .Values.prometheus.monitor.metrics.relabelings 
.Values.prometheus.monitor.relabelings }} relabelings: - {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.metrics.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }} {{- end }} - {{- if .Values.prometheus.monitor.scheme }} - scheme: {{ .Values.prometheus.monitor.scheme }} + {{- if or .Values.prometheus.monitor.metrics.scheme .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.metrics.scheme | default .Values.prometheus.monitor.scheme }} {{- end }} - {{- if .Values.prometheus.monitor.tlsConfig }} + {{- if or .Values.prometheus.monitor.metrics.tlsConfig .Values.prometheus.monitor.tlsConfig }} tlsConfig: - {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} + {{- toYaml (.Values.prometheus.monitor.metrics.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.metrics.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with (.Values.prometheus.monitor.metrics.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} {{- end }} {{- end }} {{- end }} diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml index e825e5c86..f46305b51 100644 --- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml +++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml 
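Review bot: Nothing in this hunk switches `scheme` or `tlsConfig` when `kubeRBACProxy.enabled` is true, although values.yaml states that requests are then served over HTTPS; with the defaults (`scheme: ""`, `tlsConfig: {}`, no bearer token) both endpoints would be scraped as plain HTTP against the proxy and fail. Either derive the scheme from `kubeRBACProxy.enabled` or add a comment on the `http`/`metrics` value blocks explaining that `scheme: https`, a `tlsConfig` (CA or `insecureSkipVerify`) and a bearer token are required in that mode. The `enableHttp2` field is only rendered when the value is truthy, so `enableHttp2: false` cannot actually disable HTTP/2; `{{- if or (hasKey .Values.prometheus.monitor.http "enableHttp2") ... }}` or an unconditional render would be needed for that. As far as I recall, `bearerTokenFile` and `bearerTokenSecret` are also deprecated in the ServiceMonitor endpoint spec in favour of `authorization`, which is worth noting in values.yaml so new users pick the supported field.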
@@ -7,11 +7,19 @@ metadata:
 labels:
 {{- include "kube-state-metrics.labels" . | indent 4 }}
 spec:
+ {{- with .Values.verticalPodAutoscaler.recommenders }}
+ recommenders:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 resourcePolicy:
 containerPolicies:
 - containerName: {{ template "kube-state-metrics.name" . }}
- {{- if .Values.verticalPodAutoscaler.controlledResources }}
- controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }}
+ {{- with .Values.verticalPodAutoscaler.controlledResources }}
+ controlledResources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.verticalPodAutoscaler.controlledValues }}
+ controlledValues: {{ .Values.verticalPodAutoscaler.controlledValues }}
 {{- end }}
 {{- if .Values.verticalPodAutoscaler.maxAllowed }}
 maxAllowed:
@@ -23,12 +31,14 @@ spec:
 {{- end }}
 targetRef:
 apiVersion: apps/v1
+ {{- if .Values.autosharding.enabled }}
+ kind: StatefulSet
+ {{- else }}
 kind: Deployment
+ {{- end }}
 name: {{ template "kube-state-metrics.fullname" . }}
- {{- if .Values.verticalPodAutoscaler.updatePolicy }}
+ {{- with .Values.verticalPodAutoscaler.updatePolicy }}
 updatePolicy:
- {{- if .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
- updateMode: {{ .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
- {{- end }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/values.yaml b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/values.yaml
index 67e8bca6b..a7b2bdad6 100644
--- a/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/values.yaml
+++ b/charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/values.yaml
@@ -1,14 +1,33 @@ # Default values for kube-state-metrics. prometheusScrape: true image: - repository: registry.k8s.io/kube-state-metrics/kube-state-metrics - tag: v2.6.0 + registry: registry.k8s.io + repository: kube-state-metrics/kube-state-metrics + # If unset use v + .Charts.appVersion + tag: "" sha: "" pullPolicy: IfNotPresent imagePullSecrets: [] # - name: "image-pull-secret" +global: + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + # + # Allow parent charts to override registry hostname + imageRegistry: "" + # If set to true, this will deploy kube-state-metrics as a StatefulSet and the data # will be automatically sharded across <.Values.replicas> pods using the built-in # autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding 
@@ -18,17 +37,36 @@ autosharding: replicas: 1 +# Change the deployment strategy when autosharding is disabled. +# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# The default is "RollingUpdate" as per Kubernetes defaults. +# During a release, 'RollingUpdate' can lead to two running instances for a short period of time while 'Recreate' can create a small gap in data. +# updateStrategy: Recreate + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + # List of additional cli arguments to configure kube-state-metrics # for example: --enable-gzip-encoding, --log-file, etc. # all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md extraArgs: [] +# If false then the user will opt out of automounting API credentials. +automountServiceAccountToken: true + service: port: 8080 # Default to clusterIP for backward compatibility type: ClusterIP + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" nodePort: 0 loadBalancerIP: "" + # Only allow access to the loadBalancerIP from these IPs + loadBalancerSourceRanges: [] clusterIP: "" annotations: {} @@ -36,6 +74,9 @@ service: customLabels: {} # app: kube-state-metrics +## Override selector labels +selectorOverride: {} + ## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box releaseLabel: false 
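Review bot: The comment on `loadBalancerSourceRanges` (`# Only allow access to the loadBalancerIP from these IPs`) promises more than Kubernetes guarantees: the field is enforced by the cloud provider's load balancer (and by kube-proxy where the provider supports it), not by the API server, and an empty list means unrestricted. Suggest `# Restrict LoadBalancer access to these CIDRs; enforcement depends on the cloud provider, empty means unrestricted`. In the same hunk the `ipFamilies: ["IPv6", "IPv4"]` default lists IPv6 first, which determines the primary ClusterIP family once `ipDualStack.enabled` is true; a comment stating that the order matters would avoid surprises on clusters whose primary family is IPv4.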
@@ -58,6 +99,51 @@ rbac: # verbs: ["list", "watch"] extraRules: [] +# Configure kube-rbac-proxy. When enabled, creates one kube-rbac-proxy container per exposed HTTP endpoint (metrics and telemetry if enabled). +# The requests are served through the same service but requests are then HTTPS. +kubeRBACProxy: + enabled: false + image: + registry: quay.io + repository: brancz/kube-rbac-proxy + tag: v0.18.0 + sha: "" + pullPolicy: IfNotPresent + + # List of additional cli arguments to configure kube-rbac-prxy + # for example: --tls-cipher-suites, --log-file, etc. + # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage + extraArgs: [] + + ## Specify security settings for a Container + ## Allows overrides and additional options compared to (Pod) securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## volumeMounts enables mounting custom volumes in rbac-proxy containers + ## Useful for TLS certificates and keys + volumeMounts: [] + # - mountPath: /etc/tls + # name: kube-rbac-proxy-tls + # readOnly: true + serviceAccount: # Specifies whether a ServiceAccount should be created, require rbac true create: true 
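Review bot: The `kubeRBACProxy` defaults configure no TLS certificate: `extraArgs` is empty and `volumeMounts` only hints that it is "useful for TLS certificates and keys", so the proxy presumably starts with a self-signed certificate and scrapers must either trust that certificate or skip verification. A comment above `volumeMounts`, e.g. `# Without a mounted certificate plus --tls-cert-file/--tls-private-key-file in extraArgs the proxy serves a generated self-signed certificate`, makes that trust decision explicit instead of implicit. `kube-rbac-prxy` in the `extraArgs` comment is a typo for `kube-rbac-proxy`.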
@@ -71,14 +157,19 @@ serviceAccount: # Use case: AWS EKS IAM roles for service accounts # ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html annotations: {} + # If false then the user will opt out of automounting API credentials. + automountServiceAccountToken: true prometheus: monitor: enabled: false + annotations: {} additionalLabels: {} namespace: "" + namespaceSelector: [] jobLabel: "" - interval: "" + targetLabels: [] + podTargetLabels: [] ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. ## sampleLimit: 0 
@@ -98,14 +189,49 @@ prometheus: ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. ## labelValueLengthLimit: 0 - scrapeTimeout: "" - proxyUrl: "" selectorOverride: {} - honorLabels: false - metricRelabelings: [] - relabelings: [] - scheme: "" - tlsConfig: {} + + ## kube-state-metrics endpoint + http: + interval: "" + scrapeTimeout: "" + proxyUrl: "" + ## Whether to enable HTTP2 for servicemonitor + enableHttp2: false + honorLabels: false + metricRelabelings: [] + relabelings: [] + scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name + tlsConfig: {} + + ## selfMonitor endpoint + metrics: + interval: "" + scrapeTimeout: "" + proxyUrl: "" + ## Whether to enable HTTP2 for servicemonitor + enableHttp2: false + honorLabels: false + metricRelabelings: [] + relabelings: [] + scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name + tlsConfig: {} ## Specify if a Pod Security Policy for kube-state-metrics must be created ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 
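Review bot: The top-level `prometheus.monitor.scrapeTimeout`, `proxyUrl`, `honorLabels`, `metricRelabelings`, `relabelings`, `scheme` and `tlsConfig` keys are deleted here (and `interval` in the previous hunk) while servicemonitor.yaml still reads each of them as a fallback via `| default .Values.prometheus.monitor.<key>`; nothing in values.yaml tells users upgrading from 4.x that the old keys still work but are superseded by `http.<key>` and `metrics.<key>`. A comment under `monitor:` such as `## Legacy top-level interval/scrapeTimeout/proxyUrl/honorLabels/relabelings/scheme/tlsConfig keys are still honoured as fallbacks for the http and metrics blocks` would document the compatibility path. The `enableHttp2: false` default is also misleading, since the template only emits the field when the value is truthy, so `false` leaves the Prometheus Operator default in place rather than disabling HTTP/2.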
@@ -124,16 +250,47 @@ podSecurityPolicy: additionalVolumes: [] +## Configure network policy for kube-state-metrics +networkPolicy: + enabled: false + # networkPolicy.flavor -- Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + ## Configure the cilium network policy kube-apiserver selector + # cilium: + # kubeApiServerSelector: + # - toEntities: + # - kube-apiserver + + # egress: + # - {} + # ingress: + # - {} + # podSelector: + # matchLabels: + # app.kubernetes.io/name: kube-state-metrics + securityContext: enabled: true runAsGroup: 65534 runAsUser: 65534 fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## Specify security settings for a Container ## Allows overrides and additional options compared to (Pod) securityContext ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -containerSecurityContext: {} +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ @@ -157,6 +314,9 @@ annotations: {} # Annotations to be added to the pod podAnnotations: {} +# Labels to be added to the pod +podLabels: {} + ## Assign a PriorityClassName to pods if set # priorityClassName: "" @@ -222,7 +382,6 @@ collectors: - storageclasses - validatingwebhookconfigurations - volumeattachments - # - verticalpodautoscalers # not a default resource, see also: https://github.com/kubernetes/kube-state-metrics#enabling-verticalpodautoscalers # Enabling kubeconfig will pass the --kubeconfig argument to the container kubeconfig: 
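Review bot: `containerSecurityContext` changes from `{}` to `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, and the pod `securityContext` gains `runAsNonRoot: true` and a `RuntimeDefault` seccomp profile; that is the right default, but it is a behaviour change for anyone upgrading from 4.x whose setup writes under the container root filesystem or runs on a runtime without seccomp support, and it deserves an upgrade note rather than a silent default flip. A comment like `# Hardened by default since 5.x; relax individual fields only if a sidecar or volume layout requires it` on `containerSecurityContext` would do. The `networkPolicy` example `egress: - {}` is an allow-all rule; marking it as such (`# - {}  # allow-all example, narrow to the API server in production`) keeps people from copying it as a "minimal" policy.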
@@ -230,6 +389,12 @@ kubeconfig: # base64 encoded kube-config file secret: +# Enabling support for customResourceState, will create a configMap including your config that will be read from kube-state-metrics +customResourceState: + enabled: false + # Add (Cluster)Role permissions to list/watch the customResources defined in the config to rbac.extraRules + config: {} + # Enable only the release namespace for collecting resources. By default all namespaces are collected. # If releaseNamespace and namespaces are both set a merged list will be collected. releaseNamespace: false @@ -274,8 +439,17 @@ selfMonitor: # Enable vertical pod autoscaler support for kube-state-metrics verticalPodAutoscaler: enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: [] + # - name: custom-recommender-performance + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits # Define the max allowed resources for the pod maxAllowed: {} @@ -287,6 +461,8 @@ verticalPodAutoscaler: # memory: 100Mi # updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". # updateMode: Auto 
@@ -303,3 +479,64 @@ volumes: [] # - configMap: # name: cm-for-volume # name: config-volume + +# Extra manifests to deploy as an array +extraManifests: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # labels: + # name: prometheus-extra + # data: + # extra-data: "value" + +## Containers allows injecting additional containers. +containers: [] + # - name: crd-init + # image: kiwigrid/k8s-sidecar:latest + +## InitContainers allows injecting additional initContainers. +initContainers: [] + # - name: crd-sidecar + # image: kiwigrid/k8s-sidecar:latest + +## Settings for startup, liveness and readiness probes +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +## + +## Startup probe can optionally be enabled. +## +startupProbe: + enabled: false + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + +## Liveness probe +## +livenessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + +## Readiness probe +## +readinessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5
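Review bot: The three probe blocks set `httpGet.scheme: http` in lower case, while the Kubernetes probe API accepts only `HTTP`/`HTTPS` for that enum; this is only correct if deployment.yaml (not in view) upper-cases the value before rendering, otherwise the manifest is rejected by the API server. None of the probe defaults reflect `kubeRBACProxy.enabled` either: if the deployment template routes probes through the proxied port in that mode they need `scheme: HTTPS` and a trusted or skipped certificate, so a comment on `scheme` stating which port the probes hit and whether kube-rbac-proxy changes it would help. If the deployment template does upper-case the value, a comment `# case-insensitive, normalised by the deployment template` next to each `scheme` would settle the first question.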