From 7000e7cac16a46eba00c17c34d1b86a5c4888a23 Mon Sep 17 00:00:00 2001 From: robot Date: Sun, 8 Dec 2024 20:10:13 +0000 Subject: [PATCH] robot: project prometheus-node-exporter chart upgrades from 4.6.0 to 4.42.0 Signed-off-by: robot --- charts/prometheus-node-exporter/config | 2 +- .../prometheus-node-exporter/Chart.yaml | 13 +- .../prometheus-node-exporter/README.md | 31 +- .../prometheus-node-exporter/Chart.yaml | 11 +- .../charts/prometheus-node-exporter/README.md | 31 +- .../ci/common-labels-values.yaml | 4 + .../ci/default-values.yaml | 1 + .../ci/kube-rbac-proxy-tlssecret-values.yaml | 25 ++ .../ci/networkpolicy-values.yaml | 5 + .../ci/pod-labels-values.yaml | 4 + .../ci/service-labels-values.yaml | 5 + .../ci/serviceport-values.yaml | 3 + .../templates/NOTES.txt | 14 + .../templates/_helpers.tpl | 82 +++- .../templates/clusterrole.yaml | 19 + .../templates/clusterrolebinding.yaml | 20 + .../templates/daemonset.yaml | 173 +++++++-- .../templates/extra-manifests.yaml | 4 + .../templates/networkpolicy.yaml | 27 ++ .../templates/podmonitor.yaml | 91 +++++ .../templates/rbac-configmap.yaml | 16 + .../templates/service.yaml | 17 +- .../templates/serviceaccount.yaml | 5 +- .../templates/servicemonitor.yaml | 12 + .../templates/verticalpodautoscaler.yaml | 20 +- .../prometheus-node-exporter/values.yaml | 354 +++++++++++++++++- 26 files changed, 919 insertions(+), 70 deletions(-) create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/common-labels-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/default-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/kube-rbac-proxy-tlssecret-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/pod-labels-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/service-labels-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/serviceport-values.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrole.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/extra-manifests.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/networkpolicy.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/podmonitor.yaml create mode 100644 charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/rbac-configmap.yaml diff --git a/charts/prometheus-node-exporter/config b/charts/prometheus-node-exporter/config index 2d5316902..92899b4d8 100644 --- a/charts/prometheus-node-exporter/config +++ b/charts/prometheus-node-exporter/config @@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://prometheus-community.github.io/helm-charts export REPO_NAME=prometheus-node-exporter export CHART_NAME=prometheus-node-exporter -export VERSION=4.6.0 +export VERSION=4.42.0 # pr, issue, none export UPGRADE_METHOD=pr diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/Chart.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/Chart.yaml index 25f424bea..352fadd2f 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/Chart.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/Chart.yaml @@ -1,5 +1,10 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 1.3.1 +appVersion: 1.8.2 description: A Helm chart for prometheus node-exporter home: https://github.com/prometheus/node_exporter/ keywords: @@ -11,12 +16,14 @@ maintainers: name: gianrubio - email: zanhsieh@gmail.com name: zanhsieh + - email: rootsandtrees@posteo.de + name: zeritti name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.6.0 +version: 4.42.0 dependencies: - name: prometheus-node-exporter - version: "4.6.0" + version: "4.42.0" repository: "https://prometheus-community.github.io/helm-charts" diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/README.md b/charts/prometheus-node-exporter/prometheus-node-exporter/README.md index 02de7b14c..ef8384410 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/README.md +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/README.md @@ -1,18 +1,18 @@ -# Prometheus `Node Exporter` +# Prometheus Node Exporter Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. -This chart bootstraps a prometheus [`Node Exporter`](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps a Prometheus [Node Exporter](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Get Repository Info - + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` -_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart ```console @@ -36,7 +36,7 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc ## Upgrading Chart ```console -helm upgrade [RELEASE_NAME] [CHART] --install +helm upgrade [RELEASE_NAME] prometheus-community/prometheus-node-exporter --install ``` _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ @@ -75,3 +75,22 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h ```console helm show values prometheus-community/prometheus-node-exporter ``` + +### kube-rbac-proxy + +You can enable `prometheus-node-exporter` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy a RBAC proxy container protecting the node-exporter endpoint. +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-node-exporter-read +rules: + - apiGroups: [ "" ] + resources: ["services/node-exporter-prometheus-node-exporter"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/Chart.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/Chart.yaml index 1851d4612..148a77366 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/Chart.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/Chart.yaml @@ -1,5 +1,10 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 1.3.1 +appVersion: 1.8.2 description: A Helm chart for prometheus node-exporter home: https://github.com/prometheus/node_exporter/ keywords: @@ -11,8 +16,10 @@ maintainers: name: gianrubio - email: zanhsieh@gmail.com name: zanhsieh +- email: rootsandtrees@posteo.de + name: zeritti name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.6.0 +version: 4.42.0 diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/README.md b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/README.md index 02de7b14c..ef8384410 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/README.md +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/README.md @@ -1,18 +1,18 @@ -# Prometheus `Node Exporter` +# Prometheus Node Exporter Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. -This chart bootstraps a prometheus [`Node Exporter`](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps a Prometheus [Node Exporter](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Get Repository Info - + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` -_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart ```console @@ -36,7 +36,7 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc ## Upgrading Chart ```console -helm upgrade [RELEASE_NAME] [CHART] --install +helm upgrade [RELEASE_NAME] prometheus-community/prometheus-node-exporter --install ``` _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ @@ -75,3 +75,22 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h ```console helm show values prometheus-community/prometheus-node-exporter ``` + +### kube-rbac-proxy + +You can enable `prometheus-node-exporter` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy a RBAC proxy container protecting the node-exporter endpoint. +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-node-exporter-read +rules: + - apiGroups: [ "" ] + resources: ["services/node-exporter-prometheus-node-exporter"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/common-labels-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/common-labels-values.yaml new file mode 100644 index 000000000..719e9356e --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/common-labels-values.yaml @@ -0,0 +1,4 @@ +--- +commonLabels: + foo: bar + baz: '{{ include "prometheus-node-exporter.fullname" . }}' diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/default-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/default-values.yaml new file mode 100644 index 000000000..39d98f716 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/default-values.yaml @@ -0,0 +1 @@ +## Default values test case diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/kube-rbac-proxy-tlssecret-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/kube-rbac-proxy-tlssecret-values.yaml new file mode 100644 index 000000000..a4b042ccd --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/kube-rbac-proxy-tlssecret-values.yaml @@ -0,0 +1,25 @@ +--- +fullnameOverride: prometheus-node-exporter + +kubeRBACProxy: + enabled: true + tls: + enabled: true + tlsClientAuth: true + +tlsSecret: + enabled: true + caItem: client-ca.crt + secretName: '{{ include "prometheus-node-exporter.fullname" . }}-tls' + volumeName: '{{ include "prometheus-node-exporter.fullname" . }}-tls' + +extraManifests: + - | + apiVersion: v1 + data: + client-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTekNDQWpPZ0F3SUJBZ0lJY3hXZmlGVnp1WUl3RFFZSktvWklodmNOQVFFTEJRQXdJREVlTUJ3R0ExVUUKQXhNVmJXbHVhV05oSUhKdmIzUWdZMkVnTnpNeE5UbG1NQ0FYRFRJME1EZ3lNekl3TURjMU1Wb1lEekl4TWpRdwpPREl6TWpBd056VXhXakFnTVI0d0hBWURWUVFERXhWdGFXNXBZMkVnY205dmRDQmpZU0EzTXpFMU9XWXdnZ0VpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQy84Q2Y0VVFVaGc3NkpXSGV4c21pc3hYdWQKd2g0UmlJaUJXdFRIdkt0UElTVzdLUEhzRy9pYUppR2VFZ01uZzlCRHBlWmJzbVBzOXBFUkxwRU82bzFRTUYzYwowUnErM1ZIdWN5TWcrVFZ2czB0T1VFYmF3VldNRjdCTjBlbVNBUzBSaFpPaWQ2aEtrRHdiN2JDN3N6U1lwdlZ4Ckk1WGJxZHYrNWdKeEsrSThLRmNkTXJUUmQyUlpQbGlwYmpIbWJQNjhuSHVVbm5rS1kyTDFOR3UwR0xmS2JqRnIKT3hKU1ZMZ29idXZCcW1LTFFQZHZNdkpUTHZYdjBYWFVlRlk3VkVMTVFVSjVwbjU3dlRwU1I4Vzc4MTZnTHQyeApUVWFQcXI1ekpiakQzQllZK3FXQ0JZekNKNkxtbjREUzlJU1FINXlvbjdkREhpcWZKWVZlUy94UUI5cEJBZ01CCkFBR2pnWVl3Z1lNd0RnWURWUjBQQVFIL0JBUURBZ0tFTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC9BZ0VBTUIwR0ExVWREZ1FXQkJUN25vTjF6a0R1UFJoOQpWeWtOdlBLeHFRVms4akFmQmdOVkhTTUVHREFXZ0JUN25vTjF6a0R1UFJoOVZ5a052UEt4cVFWazhqQU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBUUVBWFdla3FVcll4Y0h5TWU0ZmUyOXliTDE4cDlqeVB1RDE4Q2x4aXI4V3AzV3UKQm1RUG5qMEdldEo0QnBTazBUOTlVbFZOdUlrT29RcnFBb21VTnpvZWhKcmMrL0dKaHNYTEVKcnZhMFp6TnpiLwpnVHpLSHgxc3YrNnJ4UlJ4ZVlqbVpLZ25kWUgvY1BSVWpvSkJ3azE0Tk5mbG9aN21Id2krN3U3dkM2cW9VMkQ3CjZQemdYSmsvVmNZaHVGMngydFZ2TG1sL05GNlIremxzemJMYXZlMUh2K0ZqbXFMcW0vU2lsdmszdUtWVzlJbGEKTDVJRUVyVkFmVzdXTkdLWWZRZkFVblZ0UTFZTkZoUXNFL3lUQ3JrNXFUZmZuY1VvMmtMNjhOSXB1ZmRMU01zSQpqZUVZdjhEQWJBK2daNEZ2cGt6UjZLZytxcFJvM0JDRmQwbkQ4bDVTUnc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhRENDQWxDZ0F3SUJBZ0lSQUxFTnU3Wit1dC9LZ1NabCs4SjB5ZTB3RFFZSktvWklodmNOQVFFTEJRQXcKSURFZU1Cd0dBMVVFQXhNVmJXbHVhV05oSUhKdmIzUWdZMkVnTnpNeE5UbG1NQ0FYRFRJME1EZ3lOVEV5TlRjMApObG9ZRHpJd056UXdPREV6TVRJMU56UTFXakFqTVNFd0h3WURWUVFERXhod2NtOXRaWFJvWlhWekxXNXZaR1V0ClpYaHdiM0owWlhJd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURNb1pWL2I3NEEKZURBQ2dCZEdpK29tb1Y5VWxyTG12RHdhOE85TGNRNzVIMURDeHpQbFRpdXA3SDNyMXdSSXlWSmduQTRPdmdVdwpHZ1F4UXUwcTdOcSs5YjJLY3lvZ0xLUEo1aWxTb3JPN3QxSm9SMzN0Q281R28zc0tUdEl5cmwvR3NPQndmb1BjCk9ONkhHMWdRZkNpSFNEQnkyRVZvZkoycytKZWN6N2JEQ2Vvb05ZVms4Wm50cGl6ZGg3elloK291VUZJcStuVjUKN01WN05wd1Jhak9qQ2p4RERseHIyWmVvMXpZRGhaTWNxbFd4RmN6YitTUkw4bFJzNVVoOTF5RWMyWENJUnROWgpnR3MvTmpzVXdNQU9jYTVFLzdFRyt6NHFTeTNOV2ZPTnpoWGQ0VTRDRm1EaHJNdzRZZVlEM25iQXpEMTg5bkdxCkl2Z000RTczUGMzSEFnTUJBQUdqZ1pjd2daUXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUcKQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBZEJnTlZIUTRFRmdRVXJ3SUtRM0IydW1lQndTWnBEZmhMYnZobgpDOU13SHdZRFZSMGpCQmd3Rm9BVSs1NkRkYzVBN2owWWZWY3BEYnp5c2FrRlpQSXdJd1lEVlIwUkJCd3dHb0lZCmNISnZiV1YwYUdWMWN5MXViMlJsTFdWNGNHOXlkR1Z5TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOVpFQmkKVFVrZWNuTElab2hteXNqQVU0WTUxV2VyUm90TTNBTFdNZWlENlpadG16Ym9BVkRDQ0FNaWRqZm1zR2xQelhFRgpxU09vZGMwRjl4QURRcWF3K0ZsVmZwcnJ4b1Juc2NGUDBtS08xTFNlaHp6WVZHTUdjL0ZaOXhJTzE5cjdBY2lICkJCdTVSaHljVmkvdlBVbHpGZVZuaEZWcEYwWk1xd0NUK2hXd29KbWVzYzJHaVh3ZEtrNEVCYWptVFVKdUhUbVUKaDc3YWhTQWp5SWNDdWlVcDFrdVk4cllwbHpWdTJWMnFtTEs1Nm9qN2U0T01nYlR4cmwwOVcwOW5UbmMzL3F3dwovR3V2SmhybFhrOFlzOU5tdEdCVnRkSEVhaXhFKzdTSEdTTCszYnIzZjBPSGdNWk5WT0tTTVYzQXFZdUpOWmhSCkM2VVVyRUl3ZkxRNUtXVmQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBektHVmYyKytBSGd3QW9BWFJvdnFKcUZmVkpheTVydzhHdkR2UzNFTytSOVF3c2N6CjVVNHJxZXg5NjljRVNNbFNZSndPRHI0Rk1Cb0VNVUx0S3V6YXZ2Vzlpbk1xSUN5anllWXBVcUt6dTdkU2FFZDkKN1FxT1JxTjdDazdTTXE1ZnhyRGdjSDZEM0RqZWh4dFlFSHdvaDBnd2N0aEZhSHlkclBpWG5NKzJ3d25xS0RXRgpaUEdaN2FZczNZZTgySWZxTGxCU0t2cDFlZXpGZXphY0VXb3pvd284UXc1Y2E5bVhxTmMyQTRXVEhLcFZzUlhNCjIva2tTL0pVYk9WSWZkY2hITmx3aUViVFdZQnJQelk3Rk1EQURuR3VSUCt4QnZzK0trc3R6Vm56amM0VjNlRk8KQWhaZzRhek1PR0htQTk1MndNdzlmUFp4cWlMNERPQk85ejNOeHdJREFRQUJBb0lCQUJWNmxIV1c1Z3Vva2VtQgpSbkFxT1g2cWk1WVdaMXJld1RSV3U5ZGdXNkQ4ajM2U2FEa1dkbkRVbVBjTFQ3RFFLT3hwRlBTcEwyUTRKdDZBCjF1SWRrR3hnNE85S1hVNlpRT3Z0VThNUHZ1dmlOeTBvNitmWXBzeDFWbkhqaWg2MXZPbmZJUC9OMTh0aTBNQy8KdHdPcjlKa1drN2RLU2liSWhjaGxJNHpiSktUZUVuMFhVZWVPdGZFRXNSd0dESmI4aG9ZaHRPSzJDZ3hhWGw2MwpNMUFnMnl6RHFaUERlS0VYSEJ5SU5UTzNNS05RYUdIUWZSbkxBbE51R1FPb0lsMk9RZzl1enArWGsrTFhXN2hsCkdtSXBkZ2VDVXNFOGo5WjJnTmxZRlFiUW9UbkJIaGFqT2pQSWdIUG44QnRjWHlLcVVSeWZ2TlRKWXk3MExTNy8KUlh5ejhZa0NnWUVBMzRoQnBYVXNZVHJrOUFIUE9mYUx2SVAxRm9yRXo5MkFYQVZaLzF4OGc0Q3lIMUkybFlUYgpaMzhnN1IxVXdaWjV1YStYVlhBcVhKY0J6WUhVVlhIUkZ1TkNBT1VuUmFaeTVRVU5uVFJhZXBScjc0UHlPK2JYCmhPWTk5NjVQQlB6WVFxZTgvQWIvTUNQSEZocmxOMDY4ejVkdW9FdEI2YWUxTFBTYmIwcGFSeDBDZ1lFQTZscUUKWVRBWGZCRWxHZ1NUbTlDMmtXQmRiWTFyUHJ3bThVRDFXOTNTTmxnekx1L1dGbkpNRzdWSzVKdS9KczB4b0NEZQo3aUFsYVZubGlEclpXWXcrQm5ESk1LZXhkR0M1akFxM2F2VDhLa1lZUkt0Rktra3N0OUgwTUhmc21iUFJVc0ZqCk9CUTR0a3BMTzQ1WGFYeWZhT2RRcndBZ2g0emFyYkJQdU8rUHZ6TUNnWUJHLzdCYUxXMTdOSW1rTnk3cTZqUlkKSEZHc1owYzcvczdXYTV5NlQxWDlMdE5rdjJnMjlZdjZ3NVpodWY5QnZkbkw4TW5RaVYvcktNdVp5ckwyc01BSQoxUVlSNHJjbW1FZkdGbVRNbWVSakt1RmRvanMrYTRQbzRuaXNRdUUyWkZrTVV0cmo4aFQ3NVdGRzFDUVovUmhiCmwyMjczQ3VEVzVGZ1JoRll0L1VVd1FLQmdHb1dEYVQ5SXpScmduTVRyVW8wb2VDUFVkdTh6OVozVDkyWVBUbVgKNFlmdVIwVXhGcVhVbWJWVlRSRE5uQ3RSYWV5RjFNVFEwbjZ0VGlWc0ZtWGVBVm5qQm9BNitTNm9kblg1aCt3bgorRnFlbm0rL1pERHZMUW9OUmRBSENaak9lS3hRbEx5WEV0RWFNcEpFTGplM1RXWXNpQzZnRFJtdlhuS1B4SmNBCkF2OVhBb0dBREx1YUtJZEhTY1BQVWludDlYSnJLbC9RQktHajZYWDVkVU5mT04xWG1CSWFEZmRQcGdRTWhXdUgKd3pVVURqNk9YYVo0WHBDQW9lcE50YzFhYU5pd0hWQXJOR1ZwcllEL2E5WXBxNWNkY3laTzBQYXJmSk53MkJ0Sgp1ZHIxY1B4SE04VW40REZnNzBiRnpXQVJwZEVwSnk0TjMwWExyUTZJcWlpdHZwaGQ3QTg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + kind: Secret + metadata: + name: '{{ include "prometheus-node-exporter.fullname" . }}-tls' diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml new file mode 100644 index 000000000..bcea8de49 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml @@ -0,0 +1,5 @@ +networkPolicy: + enabled: true + ingress: + - ports: + - port: 9100 diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/pod-labels-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/pod-labels-values.yaml new file mode 100644 index 000000000..7de36a6ab --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/pod-labels-values.yaml @@ -0,0 +1,4 @@ +--- +podLabels: + foo: bar + baz: '{{ .Chart.AppVersion }}' diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/service-labels-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/service-labels-values.yaml new file mode 100644 index 000000000..9c5e36506 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/service-labels-values.yaml @@ -0,0 +1,5 @@ +--- +service: + labels: + foo: bar + baz: quux diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/serviceport-values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/serviceport-values.yaml new file mode 100644 index 000000000..b0b7be656 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/serviceport-values.yaml @@ -0,0 +1,3 @@ +--- +service: + servicePort: 80 diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/NOTES.txt b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/NOTES.txt index df05e3fbd..db8584def 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/NOTES.txt +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/NOTES.txt @@ -13,3 +13,17 @@ echo "Visit http://127.0.0.1:9100 to use your application" kubectl port-forward --namespace {{ template "prometheus-node-exporter.namespace" . }} $POD_NAME 9100 {{- end }} + +{{- if .Values.kubeRBACProxy.enabled}} + +kube-rbac-proxy endpoint protections is enabled: +- Metrics endpoints is now HTTPS +- Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions: +``` +rules: + - apiGroups: [ "" ] + resources: ["services/{{ template "prometheus-node-exporter.fullname" . }}"] + verbs: + - get +``` +{{- end }} \ No newline at end of file diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/_helpers.tpl index 491f571c6..6f6518b71 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/_helpers.tpl +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/_helpers.tpl @@ -43,8 +43,8 @@ app.kubernetes.io/part-of: {{ include "prometheus-node-exporter.name" . }} {{- with .Chart.AppVersion }} app.kubernetes.io/version: {{ . | quote }} {{- end }} -{{- with .Values.podLabels }} -{{ toYaml . }} +{{- with .Values.commonLabels }} +{{ tpl (toYaml .) $ }} {{- end }} {{- if .Values.releaseLabel }} release: {{ .Release.Name }} @@ -76,9 +76,19 @@ The image to use */}} {{- define "prometheus-node-exporter.image" -}} {{- if .Values.image.sha }} -{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- fail "image.sha forbidden. Use image.digest instead" }} +{{- else if .Values.image.digest }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }} {{- else }} -{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} {{- end }} {{- end }} @@ -126,3 +136,67 @@ labelNameLengthLimit: {{ . }} labelValueLengthLimit: {{ . }} {{- end }} {{- end }} + +{{/* +Formats imagePullSecrets. Input is (dict "Values" .Values "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "prometheus-node-exporter.imagePullSecrets" -}} +{{- range (concat .Values.global.imagePullSecrets .imagePullSecrets) }} + {{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml . | trim }} + {{- else }} +- name: {{ . }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +Create the namespace name of the pod monitor +*/}} +{{- define "prometheus-node-exporter.podmonitor-namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- if .Values.prometheus.podMonitor.namespace }} +{{- .Values.prometheus.podMonitor.namespace }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Sets default scrape limits for podmonitor */}} +{{- define "podmonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end }} + +{{/* Sets sidecar volumeMounts */}} +{{- define "prometheus-node-exporter.sidecarVolumeMounts" -}} +{{- range $_, $mount := $.Values.sidecarVolumeMount }} +- name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: {{ $mount.readOnly }} +{{- end }} +{{- range $_, $mount := $.Values.sidecarHostVolumeMounts }} +- name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: {{ $mount.readOnly }} +{{- if $mount.mountPropagation }} + mountPropagation: {{ $mount.mountPropagation }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrole.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrole.yaml new file mode 100644 index 000000000..c256dba73 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.kubeRBACProxy.enabled true) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +rules: + {{- if $.Values.kubeRBACProxy.enabled }} + - apiGroups: [ "authentication.k8s.io" ] + resources: + - tokenreviews + verbs: [ "create" ] + - apiGroups: [ "authorization.k8s.io" ] + resources: + - subjectaccessreviews + verbs: [ "create" ] + {{- end }} +{{- end -}} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..653305ad9 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.kubeRBACProxy.enabled true) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + name: {{ template "prometheus-node-exporter.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} +{{- else }} + name: {{ template "prometheus-node-exporter.fullname" . }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "prometheus-node-exporter.serviceAccountName" . }} + namespace: {{ template "prometheus-node-exporter.namespace" . }} +{{- end -}} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/daemonset.yaml index d0c5cf60d..14030b041 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/daemonset.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/daemonset.yaml @@ -13,6 +13,7 @@ spec: selector: matchLabels: {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.updateStrategy }} updateStrategy: {{- toYaml . | nindent 4 }} @@ -25,8 +26,11 @@ spec: {{- end }} labels: {{- include "prometheus-node-exporter.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} spec: - automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} + automountServiceAccountToken: {{ ternary true false (or .Values.serviceAccount.automountServiceAccountToken .Values.kubeRBACProxy.enabled) }} {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -39,7 +43,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }} + {{- with .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} containers: + {{- $servicePort := ternary .Values.kubeRBACProxy.port .Values.service.port .Values.kubeRBACProxy.enabled }} - name: node-exporter image: {{ include "prometheus-node-exporter.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -48,8 +56,11 @@ spec: - --path.sysfs=/host/sys {{- if .Values.hostRootFsMount.enabled }} - --path.rootfs=/host/root + {{- if semverCompare ">=1.4.0-0" (coalesce .Values.version .Values.image.tag .Chart.AppVersion) }} + - --path.udev.data=/host/root/run/udev/data {{- end }} - - --web.listen-address=[$(HOST_IP)]:{{ .Values.service.port }} + {{- end }} + - --web.listen-address=[$(HOST_IP)]:{{ $servicePort }} {{- with .Values.extraArgs }} {{- toYaml . | nindent 12 }} {{- end }} @@ -59,7 +70,9 @@ spec: {{- end }} env: - name: HOST_IP - {{- if .Values.service.listenOnAllInterfaces }} + {{- if .Values.kubeRBACProxy.enabled }} + value: 127.0.0.1 + {{- else if .Values.service.listenOnAllInterfaces }} value: 0.0.0.0 {{- else }} valueFrom: @@ -67,24 +80,29 @@ spec: apiVersion: v1 fieldPath: status.hostIP {{- end }} - {{- range $key, $value := .Values.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- if eq .Values.kubeRBACProxy.enabled false }} ports: - name: {{ .Values.service.portName }} containerPort: {{ .Values.service.port }} protocol: TCP + {{- end }} livenessProbe: failureThreshold: {{ .Values.livenessProbe.failureThreshold }} httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} httpHeaders: {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }} - name: {{ $header.name }} value: {{ $header.value }} {{- end }} path: / - port: {{ .Values.service.port }} + port: {{ $servicePort }} scheme: {{ upper .Values.livenessProbe.httpGet.scheme }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} @@ -93,13 +111,16 @@ spec: readinessProbe: failureThreshold: {{ .Values.readinessProbe.failureThreshold }} httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} httpHeaders: {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }} - name: {{ $header.name }} value: {{ $header.value }} {{- end }} path: / - port: {{ .Values.service.port }} + port: {{ $servicePort }} scheme: {{ upper .Values.readinessProbe.httpGet.scheme }} initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} @@ -109,12 +130,24 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.terminationMessageParams.enabled }} + {{- with .Values.terminationMessageParams }} + terminationMessagePath: {{ .terminationMessagePath }} + terminationMessagePolicy: {{ .terminationMessagePolicy }} + {{- end }} + {{- end }} volumeMounts: - name: proc mountPath: /host/proc + {{- with .Values.hostProcFsMount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} readOnly: true - name: sys mountPath: /host/sys + {{- with .Values.hostSysFsMount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} readOnly: true {{- if .Values.hostRootFsMount.enabled }} - name: root @@ -145,31 +178,95 @@ spec: - name: {{ .name }} mountPath: {{ .mountPath }} {{- end }} - {{- with .Values.sidecars }} - {{- toYaml . | nindent 8 }} - {{- if or .Values.sidecarVolumeMount .Values.sidecarHostVolumeMounts }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- range .Values.sidecars }} + {{- $overwrites := dict "volumeMounts" (concat (include "prometheus-node-exporter.sidecarVolumeMounts" $ | fromYamlArray) (.volumeMounts | default list) | default list) }} + {{- $defaults := dict "image" (include "prometheus-node-exporter.image" $) "securityContext" $.Values.containerSecurityContext "imagePullPolicy" $.Values.image.pullPolicy }} + - {{- toYaml (merge $overwrites . $defaults) | nindent 10 }} + {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 12 }} + {{- end }} + - --secure-listen-address=:{{ .Values.service.port}} + - --upstream=http://127.0.0.1:{{ $servicePort }}/ + - --proxy-endpoints-port={{ .Values.kubeRBACProxy.proxyEndpointsPort }} + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + {{- if and .Values.kubeRBACProxy.tls.enabled .Values.tlsSecret.enabled }} + - --tls-cert-file=/tls/private/{{ .Values.tlsSecret.certItem }} + - --tls-private-key-file=/tls/private/{{ .Values.tlsSecret.keyItem }} + {{- if and .Values.kubeRBACProxy.tls.tlsClientAuth .Values.tlsSecret.caItem }} + - --client-ca-file=/tls/private/{{ .Values.tlsSecret.caItem }} + {{- end }} + {{- end }} volumeMounts: - {{- range $_, $mount := .Values.sidecarVolumeMount }} - - name: {{ $mount.name }} - mountPath: {{ $mount.mountPath }} - readOnly: {{ $mount.readOnly }} + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- if and .Values.kubeRBACProxy.tls.enabled .Values.tlsSecret.enabled }} + - name: {{ tpl .Values.tlsSecret.volumeName . | quote }} + mountPath: /tls/private + readOnly: true {{- end }} - {{- range $_, $mount := .Values.sidecarHostVolumeMounts }} - - name: {{ $mount.name }} - mountPath: {{ $mount.mountPath }} - readOnly: {{ $mount.readOnly }} - {{- if $mount.mountPropagation }} - mountPropagation: {{ $mount.mountPropagation }} + {{- with .Values.kubeRBACProxy.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + {{- if .Values.kubeRBACProxy.image.sha }} + image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}@sha256:{{ .Values.kubeRBACProxy.image.sha }}" + {{- else }} + image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}" + {{- end }} + ports: + - containerPort: {{ .Values.service.port}} + name: {{ .Values.kubeRBACProxy.portName }} + {{- if .Values.kubeRBACProxy.enableHostPort }} + hostPort: {{ .Values.service.port }} + {{- end }} + - containerPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + {{- if .Values.kubeRBACProxy.enableProxyEndpointsHostPort }} + hostPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + {{- end }} + name: "http-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: + {{- toYaml .Values.kubeRBACProxy.resources | nindent 12 }} + {{- end }} + {{- if .Values.terminationMessageParams.enabled }} + {{- with .Values.terminationMessageParams }} + terminationMessagePath: {{ .terminationMessagePath }} + terminationMessagePolicy: {{ .terminationMessagePolicy }} + {{- end }} + {{- end }} + {{- with .Values.kubeRBACProxy.env }} + env: + {{- range $key, $value := $.Values.kubeRBACProxy.env }} + - name: {{ $key }} + value: {{ $value | quote }} {{- end }} {{- end }} + {{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: + {{ toYaml .Values.kubeRBACProxy.containerSecurityContext | nindent 12 }} + {{- end }} {{- end }} - {{- with .Values.imagePullSecrets }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: - {{ toYaml . | nindent 8 }} + {{- include "prometheus-node-exporter.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} {{- end }} hostNetwork: {{ .Values.hostNetwork }} hostPID: {{ .Values.hostPID }} + hostIPC: {{ .Values.hostIPC }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -182,6 +279,9 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.restartPolicy }} + restartPolicy: {{ . }} + {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} @@ -202,6 +302,9 @@ spec: - name: {{ $mount.name }} hostPath: path: {{ $mount.hostPath }} + {{- with $mount.type }} + type: {{ . }} + {{- end }} {{- end }} {{- range $_, $mount := .Values.sidecarVolumeMount }} - name: {{ $mount.name }} @@ -223,3 +326,25 @@ spec: secret: secretName: {{ $mount.name }} {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy-config + configMap: + name: {{ template "prometheus-node-exporter.fullname" . }}-rbac-config + {{- end }} + {{- if .Values.tlsSecret.enabled }} + - name: {{ tpl .Values.tlsSecret.volumeName . | quote }} + secret: + secretName: {{ tpl .Values.tlsSecret.secretName . | quote }} + items: + - key: {{ required "Value tlsSecret.certItem must be set." .Values.tlsSecret.certItem | quote }} + path: {{ .Values.tlsSecret.certItem | quote }} + - key: {{ required "Value tlsSecret.keyItem must be set." .Values.tlsSecret.keyItem | quote }} + path: {{ .Values.tlsSecret.keyItem | quote }} + {{- if .Values.tlsSecret.caItem }} + - key: {{ .Values.tlsSecret.caItem | quote }} + path: {{ .Values.tlsSecret.caItem | quote }} + {{- end }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/extra-manifests.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/extra-manifests.yaml new file mode 100644 index 000000000..2b21b7106 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl . $ }} +{{ end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/networkpolicy.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/networkpolicy.yaml new file mode 100644 index 000000000..ee4090210 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/networkpolicy.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" $ | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingress: + {{- if .Values.networkPolicy.ingress }} + {{- toYaml .Values.networkPolicy.ingress | nindent 4 }} + {{- else }} + - ports: + - port: {{ .Values.service.port }} + {{- end }} + policyTypes: + - Egress + - Ingress + podSelector: + matchLabels: + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/podmonitor.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/podmonitor.yaml new file mode 100644 index 000000000..f88da6a34 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/podmonitor.yaml @@ -0,0 +1,91 @@ +{{- if .Values.prometheus.podMonitor.enabled }} +apiVersion: {{ .Values.prometheus.podMonitor.apiVersion | default "monitoring.coreos.com/v1" }} +kind: PodMonitor +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.podmonitor-namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.prometheus.podMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.podMonitor.jobLabel }} + {{- include "podmonitor.scrapeLimits" .Values.prometheus.podMonitor | nindent 2 }} + selector: + matchLabels: + {{- with .Values.prometheus.podMonitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "prometheus-node-exporter.namespace" . }} + {{- with .Values.prometheus.podMonitor.attachMetadata }} + attachMetadata: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + podMetricsEndpoints: + - port: {{ .Values.service.portName }} + {{- with .Values.prometheus.podMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.path }} + path: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.basicAuth }} + basicAuth: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.bearerTokenSecret }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.authorization }} + authorization: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.oauth2 }} + oauth2: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.proxyUrl }} + proxyUrl: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.honorTimestamps }} + honorTimestamps: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.honorLabels }} + honorLabels: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + enableHttp2: {{ default false .Values.prometheus.podMonitor.enableHttp2 }} + filterRunning: {{ default true .Values.prometheus.podMonitor.filterRunning }} + followRedirects: {{ default false .Values.prometheus.podMonitor.followRedirects }} + {{- with .Values.prometheus.podMonitor.params }} + params: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/rbac-configmap.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/rbac-configmap.yaml new file mode 100644 index 000000000..814e11033 --- /dev/null +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/rbac-configmap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.kubeRBACProxy.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "prometheus-node-exporter.fullname" . }}-rbac-config + namespace: {{ include "prometheus-node-exporter.namespace" . }} +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: {{ template "prometheus-node-exporter.namespace" . }} + apiVersion: v1 + resource: services + subresource: {{ template "prometheus-node-exporter.fullname" . }} + name: {{ template "prometheus-node-exporter.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/service.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/service.yaml index c0129dbdc..abaa31b7f 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/service.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -5,14 +6,27 @@ metadata: namespace: {{ include "prometheus-node-exporter.namespace" . }} labels: {{- include "prometheus-node-exporter.labels" $ | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.service.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: +{{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} type: {{ .Values.service.type }} +{{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: "{{ .Values.service.clusterIP }}" +{{- end }} ports: - - port: {{ .Values.service.port }} + - port: {{ .Values.service.servicePort | default .Values.service.port }} {{- if ( and (eq .Values.service.type "NodePort" ) (not (empty .Values.service.nodePort)) ) }} nodePort: {{ .Values.service.nodePort }} {{- end }} @@ -21,3 +35,4 @@ spec: name: {{ .Values.service.portName }} selector: {{- include "prometheus-node-exporter.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/serviceaccount.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/serviceaccount.yaml index b82630ca6..462b0cda4 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/serviceaccount.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/serviceaccount.yaml @@ -10,8 +10,9 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} -{{- with .Values.serviceAccount.imagePullSecrets }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 2 }} + {{- include "prometheus-node-exporter.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }} {{- end }} {{- end -}} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/servicemonitor.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/servicemonitor.yaml index 073ce57a4..96ec1af5a 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/servicemonitor.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/servicemonitor.yaml @@ -12,6 +12,14 @@ metadata: spec: jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | nindent 2 }} + {{- with .Values.prometheus.monitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.monitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} selector: matchLabels: {{- with .Values.prometheus.monitor.selectorOverride }} @@ -19,6 +27,10 @@ spec: {{- else }} {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} {{- end }} + {{- with .Values.prometheus.monitor.attachMetadata }} + attachMetadata: + {{- toYaml . | nindent 4 }} + {{- end }} endpoints: - port: {{ .Values.service.portName }} scheme: {{ .Values.prometheus.monitor.scheme }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml index ae8295d90..2c2705f87 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml @@ -7,11 +7,19 @@ metadata: labels: {{- include "prometheus-node-exporter.labels" . | nindent 4 }} spec: + {{- with .Values.verticalPodAutoscaler.recommenders }} + recommenders: + {{- toYaml . | nindent 4 }} + {{- end }} resourcePolicy: containerPolicies: - - containerName: {{ include "prometheus-node-exporter.name" . }} + - containerName: node-exporter {{- with .Values.verticalPodAutoscaler.controlledResources }} - controlledResources: {{ . }} + controlledResources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.verticalPodAutoscaler.controlledValues }} + controlledValues: {{ . }} {{- end }} {{- with .Values.verticalPodAutoscaler.maxAllowed }} maxAllowed: @@ -24,11 +32,9 @@ spec: targetRef: apiVersion: apps/v1 kind: DaemonSet - name: {{ include "prometheus-node-exporter.fullname" . }} - {{- if .Values.verticalPodAutoscaler.updatePolicy }} + name: {{ include "prometheus-node-exporter.fullname" . }} + {{- with .Values.verticalPodAutoscaler.updatePolicy }} updatePolicy: - {{- with .Values.verticalPodAutoscaler.updatePolicy.updateMode }} - updateMode: {{ . }} - {{- end }} + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/values.yaml b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/values.yaml index f491bdfa1..8951327e3 100644 --- a/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/values.yaml +++ b/charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/values.yaml @@ -2,24 +2,168 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. image: - repository: quay.io/prometheus/node-exporter + registry: quay.io + repository: prometheus/node-exporter # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }} tag: "" pullPolicy: IfNotPresent - sha: "" + digest: "" imagePullSecrets: [] # - name: "image-pull-secret" +nameOverride: "" +fullnameOverride: "" + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + +global: + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + # + # Allow parent charts to override registry hostname + imageRegistry: "" + +# Configure kube-rbac-proxy. When enabled, creates a kube-rbac-proxy to protect the node-exporter http endpoint. +# The requests are served through the same service but requests are HTTPS. +kubeRBACProxy: + enabled: false + ## Set environment variables as name/value pairs + env: {} + # VARIABLE: value + image: + registry: quay.io + repository: brancz/kube-rbac-proxy + tag: v0.18.1 + sha: "" + pullPolicy: IfNotPresent + + # List of additional cli arguments to configure kube-rbac-proxy + # for example: --tls-cipher-suites, --log-file, etc. + # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage + extraArgs: [] + + ## Specify security settings for a Container + ## Allows overrides and additional options compared to (Pod) securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} + + # Specify the port used for the Node exporter container (upstream port) + port: 8100 + # Specify the name of the container port + portName: http + # Configure a hostPort. If true, hostPort will be enabled in the container and set to service.port. + enableHostPort: false + + # Configure Proxy Endpoints Port + # This is the port being probed for readiness + proxyEndpointsPort: 8888 + # Configure a hostPort. If true, hostPort will be enabled in the container and set to proxyEndpointsPort. + enableProxyEndpointsHostPort: false + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## Additional volume mounts in the kube-rbac-proxy container + ## See extraVolumes below + extraVolumeMounts: [] + # - name: extra-volume + # mountPath: /extra + # readOnly: true + + ## tls enables using TLS resources from a volume on secret referred to in tlsSecret below. + ## When enabling tlsClientAuth, client CA certificate must be set in tlsSecret.caItem. + ## Ref. https://github.com/brancz/kube-rbac-proxy/issues/187 + tls: + enabled: false + tlsClientAuth: false +## tlsSecret refers to an existing secret holding TLS items: client CA certificate, private key and certificate. +## secretName and volumeName can be templated. +## If enabled, volume volumeName gets created on secret secretName. +## The volume's resources will be used by kube-rbac-proxy if kubeRBACProxy.tls.enabled is set. +tlsSecret: + enabled: false + ## Key with client CA certificate (optional) + caItem: "" + ## Key with certificate + certItem: tls.crt + ## Key with private key + keyItem: tls.key + ## Name of an existing secret + secretName: prometheus-node-exporter-tls + ## Name of the volume to be created + volumeName: prometheus-node-exporter-tls + +## Service configuration service: + ## Creating a service is enabled by default + enabled: true + + ## Service type type: ClusterIP + ## IP address for type ClusterIP + clusterIP: "" + ## Default service port. Sets the port of the exposed container as well (NE or kubeRBACProxy). + ## Use "servicePort" below if changing the service port only is desired. port: 9100 + ## Service port. Use this field if you wish to set a different service port + ## without changing the container port ("port" above). + servicePort: "" + ## Targeted port in the pod. Must refer to an open container port ("port" or "portName"). + ## (IntOrString) targetPort: 9100 - nodePort: + ## Name of the service port. Sets the port name of the main container (NE) as well. portName: metrics + ## Port number for service type NodePort + nodePort: null + + ## If true, node exporter will listen on all interfaces listenOnAllInterfaces: true + + ## Additional annotations and labels for the service annotations: prometheus.io/scrape: "true" + labels: {} + + ## Dual stack settings for the service + ## https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## External traffic policy setting (Cluster, Local) + externalTrafficPolicy: "" + +# Set a NetworkPolicy with: +# ingress only on service.port or custom policy +# no egress permitted +networkPolicy: + enabled: false + + # ingress: + # - {} # Additional environment variables that will be passed to the daemonset env: {} @@ -34,6 +178,14 @@ prometheus: jobLabel: "" + # List of pod labels to add to node exporter metrics + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + podTargetLabels: [] + + # List of target labels to add to node exporter metrics + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + targetLabels: [] + scheme: http basicAuth: {} bearerTokenFile: @@ -47,6 +199,11 @@ prometheus: ## selectorOverride: {} + ## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. + ## + attachMetadata: + node: false + relabelings: [] metricRelabelings: [] interval: "" @@ -74,6 +231,96 @@ prometheus: ## labelValueLengthLimit: 0 + # PodMonitor defines monitoring for a set of pods. + # ref. https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor + # Using a PodMonitor may be preferred in some environments where there is very large number + # of Node Exporter endpoints (1000+) behind a single service. + # The PodMonitor is disabled by default. When switching from ServiceMonitor to PodMonitor, + # the time series resulting from the configuration through PodMonitor may have different labels. + # For instance, there will not be the service label any longer which might + # affect PromQL queries selecting that label. + podMonitor: + enabled: false + # Namespace in which to deploy the pod monitor. Defaults to the release namespace. + namespace: "" + # Additional labels, e.g. setting a label for pod monitor selector as set in prometheus + additionalLabels: {} + # release: kube-prometheus-stack + # PodTargetLabels transfers labels of the Kubernetes Pod onto the target. + podTargetLabels: [] + # apiVersion defaults to monitoring.coreos.com/v1. + apiVersion: "" + # Override pod selector to select pod objects. + selectorOverride: {} + # Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. + attachMetadata: + node: false + # The label to use to retrieve the job name from. Defaults to label app.kubernetes.io/name. + jobLabel: "" + + # Scheme/protocol to use for scraping. + scheme: "http" + # Path to scrape metrics at. + path: "/metrics" + + # BasicAuth allow an endpoint to authenticate over basic authentication. + # More info: https://prometheus.io/docs/operating/configuration/#endpoint + basicAuth: {} + # Secret to mount to read bearer token for scraping targets. + # The secret needs to be in the same namespace as the pod monitor and accessible by the Prometheus Operator. + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secretkeyselector-v1-core + bearerTokenSecret: {} + # TLS configuration to use when scraping the endpoint. + tlsConfig: {} + # Authorization section for this endpoint. + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.SafeAuthorization + authorization: {} + # OAuth2 for the URL. Only valid in Prometheus versions 2.27.0 and newer. + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.OAuth2 + oauth2: {} + + # ProxyURL eg http://proxyserver:2195. Directs scrapes through proxy to this endpoint. + proxyUrl: "" + # Interval at which endpoints should be scraped. If not specified Prometheus’ global scrape interval is used. + interval: "" + # Timeout after which the scrape is ended. If not specified, the Prometheus global scrape interval is used. + scrapeTimeout: "" + # HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. + honorTimestamps: true + # HonorLabels chooses the metric’s labels on collisions with target labels. + honorLabels: true + # Whether to enable HTTP2. Default false. + enableHttp2: "" + # Drop pods that are not running. (Failed, Succeeded). + # Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase + filterRunning: "" + # FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. Default false. + followRedirects: "" + # Optional HTTP URL parameters + params: {} + + # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds + # relabelings for a few standard Kubernetes fields. The original scrape job’s name + # is available via the __tmp_prometheus_job_name label. + # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + relabelings: [] + # MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + # SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + sampleLimit: 0 + # TargetLimit defines a limit on the number of scraped targets that will be accepted. + targetLimit: 0 + # Per-scrape limit on number of labels that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelLimit: 0 + # Per-scrape limit on length of labels name that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelNameLengthLimit: 0 + # Per-scrape limit on length of labels value that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelValueLengthLimit: 0 + ## Customize the updateStrategy if set updateStrategy: type: RollingUpdate @@ -92,6 +339,10 @@ resources: {} # cpu: 100m # memory: 30Mi +# Specify the container restart policy passed to the Node Export container +# Possible Values: Always (default)|OnFailure|Never +restartPolicy: null + serviceAccount: # Specifies whether a ServiceAccount should be created create: true @@ -108,7 +359,8 @@ securityContext: runAsNonRoot: true runAsUser: 65534 -containerSecurityContext: {} +containerSecurityContext: + readOnlyRootFilesystem: true # capabilities: # add: # - SYS_TIME @@ -132,6 +384,9 @@ hostNetwork: true # Share the host process ID namespace hostPID: true +# Share the host ipc namespace +hostIPC: false + # Mount the node's root file system (/) at /host/root in the container hostRootFsMount: enabled: true @@ -142,6 +397,16 @@ hostRootFsMount: # https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation mountPropagation: HostToContainer +# Mount the node's proc file system (/proc) at /host/proc in the container +hostProcFsMount: + # Possible values are None, HostToContainer, and Bidirectional + mountPropagation: "" + +# Mount the node's sys file system (/sys) at /host/sys in the container +hostSysFsMount: + # Possible values are None, HostToContainer, and Bidirectional + mountPropagation: "" + ## Assign a group of affinity scheduling rules ## affinity: {} @@ -159,9 +424,12 @@ podAnnotations: # Fix for very slow GKE cluster upgrades cluster-autoscaler.kubernetes.io/safe-to-evict: "true" -# Extra labels to be added to node exporter pods +# Extra labels to add to node exporter pods (can be templated) podLabels: {} +## Extra labels to attach to all resources (can be templated) +commonLabels: {} + # Annotations to be added to node exporter daemonset daemonsetAnnotations: {} @@ -182,14 +450,27 @@ dnsConfig: {} ## Assign a nodeSelector if operating a hybrid cluster ## -nodeSelector: {} -# beta.kubernetes.io/arch: amd64 -# beta.kubernetes.io/os: linux +nodeSelector: + kubernetes.io/os: linux + # kubernetes.io/arch: amd64 + +# Specify grace period for graceful termination of pods. Defaults to 30 if null or not specified +terminationGracePeriodSeconds: null tolerations: - effect: NoSchedule operator: Exists +# Enable or disable container termination message settings +# https://kubernetes.io/docs/tasks/debug/debug-application/determine-reason-pod-failure/ +terminationMessageParams: + enabled: false + # If enabled, specify the path for termination messages + terminationMessagePath: /dev/termination-log + # If enabled, specify the policy for termination messages + terminationMessagePolicy: File + + ## Assign a PriorityClassName to pods if set # priorityClassName: "" @@ -204,6 +485,8 @@ extraArgs: [] extraHostVolumeMounts: [] # - name: # hostPath: +# https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types +# type: "" (Default)|DirectoryOrCreate|Directory|FileOrCreate|File|Socket|CharDevice|BlockDevice # mountPath: # readOnly: true|false # mountPropagation: None|HostToContainer|Bidirectional @@ -213,25 +496,30 @@ extraHostVolumeMounts: [] configmaps: [] # - name: # mountPath: + secrets: [] # - name: # mountPath: + ## Override the deployment namespace ## namespaceOverride: "" -## Additional containers for export metrics to text file +## Additional containers for export metrics to text file; fields image,imagePullPolicy,securityContext take default value from main container ## sidecars: [] -## - name: nvidia-dcgm-exporter -## image: nvidia/dcgm-exporter:1.4.3 +# - name: nvidia-dcgm-exporter +# image: nvidia/dcgm-exporter:1.4.3 +# volumeMounts: +# - name: tmp +# mountPath: /tmp ## Volume for sidecar containers ## sidecarVolumeMount: [] -## - name: collector-textfiles -## mountPath: /run/prometheus -## readOnly: false +# - name: collector-textfiles +# mountPath: /run/prometheus +# readOnly: false ## Additional mounts from the host to sidecar containers ## @@ -273,8 +561,17 @@ readinessProbe: # Enable vertical pod autoscaler support for prometheus-node-exporter verticalPodAutoscaler: enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: + # - name: custom-recommender-performance + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits # Define the max allowed resources for the pod maxAllowed: {} @@ -286,6 +583,35 @@ verticalPodAutoscaler: # memory: 100Mi # updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". # updateMode: Auto + +# Extra manifests to deploy as an array +extraManifests: [] + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: prometheus-extra + # data: + # extra-data: "value" + +## Extra volumes to become available in the pod +extraVolumes: [] + # - name: extra-volume + # secret: + # defaultMode: 420 + # optional: false + # secretName: node-exporter-secret + +## Extra volume mounts in the node-exporter container +extraVolumeMounts: [] + # - name: extra-volume + # mountPath: /extra + # readOnly: true + +# Override version of app, required if image.tag is defined and does not follow semver +version: ""