diff --git a/.github/workflows/gh-workflow-approve.yaml b/.github/workflows/gh-workflow-approve.yaml
index c63152d1d..e0c8ae839 100644
--- a/.github/workflows/gh-workflow-approve.yaml
+++ b/.github/workflows/gh-workflow-approve.yaml
@@ -8,6 +8,9 @@ on: branches: - master +permissions: + contents: read + jobs: approve: name: Approve ok-to-test
diff --git a/.github/workflows/lint-test-chart.yaml b/.github/workflows/lint-test-chart.yaml
index 27fd2880c..fa5d3d9d3 100644
--- a/.github/workflows/lint-test-chart.yaml
+++ b/.github/workflows/lint-test-chart.yaml
@@ -6,6 +6,9 @@ on: - .github/workflows/lint-test-chart.yaml - "charts/metrics-server/**" +permissions: + contents: read + jobs: lint-test: name: Lint & Test
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml
index 34cefd777..8097bb1b3 100644
--- a/.github/workflows/release-chart.yaml
+++ b/.github/workflows/release-chart.yaml
@@ -7,6 +7,9 @@ on: paths: - charts/metrics-server/Chart.yaml +permissions: + contents: read + jobs: release: name: Release
@@ -15,6 +18,8 @@ jobs: defaults: run: shell: bash + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 277284bfe..cf3ba14d1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,6 +5,9 @@ on: types: - published +permissions: + contents: read + jobs: build: name: build
@@ -12,6 +15,8 @@ jobs: defaults: run: shell: bash + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md
index 735a0e369..bc073ebb7 100644
--- a/charts/metrics-server/CHANGELOG.md
+++ b/charts/metrics-server/CHANGELOG.md
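Review bot: In `.github/workflows/gh-workflow-approve.yaml`, the new top-level `permissions: contents: read` leaves every GITHUB_TOKEN scope that is not listed at none, and the `approve` job body lies outside the hunk, so it is not visible whether that job declares the scope it needs. If the job approves pending workflow runs through the Actions API, as its name suggests, it needs a job-level `permissions:` block with `actions: write`, otherwise the call will be rejected once this default applies. I would also add a comment above the block, e.g. `# Default to read-only; jobs opt in to the scopes they need.`, which fits the identical blocks added to `lint-test-chart.yaml`, `release-chart.yaml` and `release.yaml` as well.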
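Review bot: The job-level `permissions: contents: write` added to the `release` job in `release-chart.yaml` (and to the `build` job in `release.yaml`) carries no explanation of which step needs write access. The steps after `Checkout` lie outside both hunks, so I can't confirm the scope is both sufficient and minimal; if a later step pushes to a package registry or requests an OIDC token, it would additionally need `packages: write` or `id-token: write`, which the new read-only default now denies. Suggest a short comment above the line, e.g. `# contents: write is required to create the release and upload its assets`, adjusted to what the steps actually do.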
@@ -14,7 +14,25 @@ ## [UNRELEASED] -## [3.12.1] - TBC +## [3.12.2] - TBC + +### Added + +- Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@seankhliao_ + +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2). ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ +- Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). ([#1504](https://github.com/kubernetes-sigs/metrics-server/pull/1504)) _@jimmy-ungerman_ +- Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ + +### Fixed + +- Fixed PSPs to only be templated for supported K8s versions. ([#1471](https://github.com/kubernetes-sigs/metrics-server/pull/1471)) _@treksler_ +- Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@the-technat_ +- Fixed the `ServiceMonitor` job label. ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ + +## [3.12.1] - 2024-04-05 ### Changed
@@ -134,6 +152,7 @@ RELEASE LINKS --> [UNRELEASED]: https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server +[3.12.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.2 [3.12.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.1 [3.12.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.0 [3.11.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.11.0
diff --git a/charts/metrics-server/Chart.yaml b/charts/metrics-server/Chart.yaml
index eb26cc7d4..65803bf3c 100644
--- a/charts/metrics-server/Chart.yaml
+++ b/charts/metrics-server/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2 name: metrics-server description: Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. type: application -version: 3.12.1 -appVersion: 0.7.1 +version: 3.12.2 +appVersion: 0.7.2 keywords: - kubernetes - metrics-server
@@ -21,5 +21,11 @@ maintainers: url: https://github.com/endrec annotations: artifacthub.io/changes: | + - kind: added + description: "Explicitly added the app protocol to the service." - kind: changed - description: "Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1)." + description: "Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2)." + - kind: changed + description: "Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21)" + - kind: fixed + description: "Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace."
diff --git a/charts/metrics-server/README.md b/charts/metrics-server/README.md
index 0cbffc49e..4b6ce652b 100644
--- a/charts/metrics-server/README.md
+++ b/charts/metrics-server/README.md
@@ -33,7 +33,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` | | `serviceAccount.secrets` | The list of secrets mountable by this service account. See | `[]` | | `rbac.create` | If `true`, create the RBAC resources. | `true` | -| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `false` | +| `rbac.pspEnabled` | If `true`, create a pod security policy resource, unless Kubernetes version is 1.25 or later. | `false` | | `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` | | `apiService.annotations` | Annotations to add to the API service | `{}` | | `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification (NOTE: this setting is not a proxy for the `--kubelet-insecure-tls` metrics-server flag) | `true` | 
@@ -63,7 +63,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch | `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` | | `addonResizer.securityContext` | Security context for the _metrics_server_container. | _See values.yaml | | `addonResizer.image.repository` | addon-resizer image repository | `registry.k8s.io/autoscaling/addon-resizer` | -| `addonResizer.image.tag` | addon-resizer image tag | `1.8.19` | +| `addonResizer.image.tag` | addon-resizer image tag | `1.8.21` | | `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` | | `addonResizer.nanny.cpu` | The base CPU requirement. | `0m` | | `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | `1m` |
diff --git a/charts/metrics-server/templates/deployment.yaml b/charts/metrics-server/templates/deployment.yaml
index 48cda7feb..37e7f953b 100644
--- a/charts/metrics-server/templates/deployment.yaml
+++ b/charts/metrics-server/templates/deployment.yaml
@@ -11,8 +11,8 @@ metadata: {{- end }} spec: replicas: {{ .Values.replicas }} - {{- if or (kindIs "float64" .Values.revisionHistoryLimit) (kindIs "int64" .Values.revisionHistoryLimit) }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }} + {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- end }} {{- with .Values.updateStrategy }} strategy:
@@ -33,7 +33,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - schedulerName: {{ .Values.schedulerName }} + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }}
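Review bot: The new guard on `revisionHistoryLimit` in `templates/deployment.yaml`, `not (has (quote .Values.revisionHistoryLimit) (list "" (quote "")))`, is hard to read and drops the type check that the old `kindIs` test provided. As written it appears to skip only an unset or empty-string value and to render anything else verbatim, so a non-numeric string would now reach the manifest and be rejected only at API validation. A template comment above the `if` would make the intent reviewable, e.g. `{{- /* render when set (0 included); skip only nil or "" */}}`.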
diff --git a/charts/metrics-server/templates/psp.yaml b/charts/metrics-server/templates/psp.yaml
index bf8ace1ae..d5710de0b 100644
--- a/charts/metrics-server/templates/psp.yaml
+++ b/charts/metrics-server/templates/psp.yaml
@@ -1,4 +1,4 @@ -{{- if .Values.rbac.pspEnabled }} +{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:
diff --git a/charts/metrics-server/templates/rolebinding-nanny.yaml b/charts/metrics-server/templates/rolebinding-nanny.yaml
index 73bfaaffe..228c0cfec 100644
--- a/charts/metrics-server/templates/rolebinding-nanny.yaml
+++ b/charts/metrics-server/templates/rolebinding-nanny.yaml
@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ printf "%s-nanny" (include "metrics-server.fullname" .) }} - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{- include "metrics-server.labels" . | nindent 4 }} roleRef:
diff --git a/charts/metrics-server/templates/service.yaml b/charts/metrics-server/templates/service.yaml
index d45bcf36a..35318a48b 100644
--- a/charts/metrics-server/templates/service.yaml
+++ b/charts/metrics-server/templates/service.yaml
@@ -19,5 +19,6 @@ spec: port: {{ .Values.service.port }} protocol: TCP targetPort: https + appProtocol: https selector: {{- include "metrics-server.selectorLabels" . | nindent 4 }}
diff --git a/charts/metrics-server/templates/servicemonitor.yaml b/charts/metrics-server/templates/servicemonitor.yaml
index 5c1c5b775..079318d20 100644
--- a/charts/metrics-server/templates/servicemonitor.yaml
+++ b/charts/metrics-server/templates/servicemonitor.yaml
@@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - jobLabel: {{ .Release.Name }} + jobLabel: app.kubernetes.io/instance namespaceSelector: matchNames: - {{ .Release.Namespace }}
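Review bot: With the added `semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion` condition in `templates/psp.yaml`, `rbac.pspEnabled: true` is silently ignored on Kubernetes 1.25 or later, so an operator who relies on the policy to restrict the pod gets no signal at install time that nothing was created. Consider surfacing this in the chart's `NOTES.txt`, and check that any RBAC rule granting `use` on the policy (outside this hunk) is gated by the same condition so that no dangling reference is left behind. Offline rendering with `helm template` and no `--kube-version` evaluates the condition against Helm's built-in default version rather than the target cluster, which is worth a template comment. The parentheses around `.Values.rbac.pspEnabled` are redundant.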
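Review bot: In `templates/rolebinding-nanny.yaml` the binding now lives in `{{ .Release.Namespace }}`, but `roleRef` and `subjects` continue outside the hunk, so it is not visible whether the referenced Role and the service-account subject are created in that same namespace. A RoleBinding can only reference a Role in its own namespace, so the nanny Role template should carry `namespace: {{ .Release.Namespace }}` as well. If it still hard-codes `kube-system`, a release installed elsewhere would end up with a binding to a Role that does not exist there.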
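Review bot: Switching `jobLabel` to `app.kubernetes.io/instance` in `templates/servicemonitor.yaml` may change the value of the `job` label on scraped series for existing installs, which the changelog entry "Fixed the `ServiceMonitor` job label" does not spell out. Alerting rules or dashboards that select on the previous `job` value could stop matching after an upgrade, so the release notes should mention it. I would also add a comment above the line, e.g. `# jobLabel names the Service label whose value becomes the Prometheus job`.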
diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml
index 4f6b9219b..be843db41 100644
--- a/charts/metrics-server/values.yaml
+++ b/charts/metrics-server/values.yaml
@@ -29,6 +29,7 @@ serviceAccount: rbac: # Specifies whether RBAC resources should be created create: true + # Note: PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later. pspEnabled: false apiService:
@@ -129,7 +130,7 @@ addonResizer: enabled: false image: repository: registry.k8s.io/autoscaling/addon-resizer - tag: 1.8.20 + tag: 1.8.21 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true
diff --git a/manifests/base/service.yaml b/manifests/base/service.yaml
index d1785c989..79eaaef0a 100644
--- a/manifests/base/service.yaml
+++ b/manifests/base/service.yaml
@@ -10,3 +10,4 @@ spec: port: 443 protocol: TCP targetPort: https + appProtocol: https