From ec46bdde51f20c799ee605c4af61d319e4d94702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Wed, 6 Mar 2024 11:23:52 +0100
Subject: [PATCH] [bitnami/kube-prometheus] feat: :sparkles: :lock: Add automatic adaptation for Openshift restricted-v2 SCC (#24106)
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/kube-prometheus/Chart.yaml | 2 +-
 bitnami/kube-prometheus/README.md | 11 ++++++-----
 .../templates/alertmanager/alertmanager.yaml | 6 +++---
 .../templates/blackbox-exporter/deployment.yaml | 4 ++--
 .../templates/prometheus-operator/deployment.yaml | 4 ++--
 .../templates/prometheus/prometheus.yaml | 8 ++++----
 bitnami/kube-prometheus/values.yaml | 9 +++++++++
 7 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/bitnami/kube-prometheus/Chart.yaml b/bitnami/kube-prometheus/Chart.yaml
index 8f5f785da4..caa3f7b17a 100644
--- a/bitnami/kube-prometheus/Chart.yaml
+++ b/bitnami/kube-prometheus/Chart.yaml
@@ -46,4 +46,4 @@ maintainers:
 name: kube-prometheus
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus
-version: 8.29.1
+version: 8.30.0
diff --git a/bitnami/kube-prometheus/README.md b/bitnami/kube-prometheus/README.md
index d1aa806362..ac57daed3f 100644
--- a/bitnami/kube-prometheus/README.md
+++ b/bitnami/kube-prometheus/README.md
@@ -65,11 +65,12 @@ The command removes all the Kubernetes components associated with the chart and
 
 ### Global parameters
 
-| Name | Description | Value |
-| ------------------------- | ----------------------------------------------- | ----- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
 
 ### Common parameters
 
diff --git a/bitnami/kube-prometheus/templates/alertmanager/alertmanager.yaml b/bitnami/kube-prometheus/templates/alertmanager/alertmanager.yaml
index 3b390409ca..d1750c20b3 100644
--- a/bitnami/kube-prometheus/templates/alertmanager/alertmanager.yaml
+++ b/bitnami/kube-prometheus/templates/alertmanager/alertmanager.yaml
@@ -45,7 +45,7 @@ spec:
 {{- end }}
 routePrefix: "{{ .Values.alertmanager.routePrefix }}"
 {{- if .Values.alertmanager.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.alertmanager.podSecurityContext "enabled" | toYaml | nindent 4 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.alertmanager.podSecurityContext "context" $) | nindent 4 }}
 {{- end }}
 {{- if .Values.alertmanager.storageSpec }}
 storage: {{- include "common.tplvalues.render" (dict "value" .Values.alertmanager.storageSpec "context" $) | nindent 4 }}
@@ -123,7 +123,7 @@ spec:
 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/strategic-merge-patch.md
 - name: alertmanager
 {{- if .Values.alertmanager.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.alertmanager.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.alertmanager.containerSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.alertmanager.livenessProbe.enabled }}
 livenessProbe:
@@ -158,7 +158,7 @@ spec:
 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/strategic-merge-patch.md
 - name: config-reloader
 {{- if .Values.operator.prometheusConfigReloader.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.operator.prometheusConfigReloader.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.prometheusConfigReloader.containerSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.operator.prometheusConfigReloader.livenessProbe.enabled }}
 livenessProbe:
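Review bot: The `common.compatibility.renderSecurityContext` call introduced on the `+ securityContext:` line of the first hunk (and repeated in the two hunks below and in the blackbox-exporter, prometheus-operator and prometheus templates) resolves to a helper in the bitnami/common library chart, yet the Chart.yaml hunk only bumps the chart `version` and shows no change to the `common` dependency; if the vendored common release predates the helper, `helm template` fails with an undefined-template error instead of degrading to the old output. The old expression also stripped the `enabled` toggle with `omit`, whereas the whole `.Values.alertmanager.podSecurityContext` map is now handed over, so the helper is presumably the one dropping `enabled` before the map lands in the Alertmanager CR — confirm that against the pinned common version, since an `enabled: true` field in a securityContext is rejected by the API server. If the dependency does need raising, the change is the `version:` field of the `common` entry under `dependencies` in Chart.yaml: `version: <common release that defines renderSecurityContext>`.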
diff --git a/bitnami/kube-prometheus/templates/blackbox-exporter/deployment.yaml b/bitnami/kube-prometheus/templates/blackbox-exporter/deployment.yaml
index 583cfd1794..c23b5e66dc 100644
--- a/bitnami/kube-prometheus/templates/blackbox-exporter/deployment.yaml
+++ b/bitnami/kube-prometheus/templates/blackbox-exporter/deployment.yaml
@@ -60,7 +60,7 @@ spec:
 schedulerName: {{ .Values.blackboxExporter.schedulerName }}
 {{- end }}
 {{- if .Values.blackboxExporter.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.blackboxExporter.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.blackboxExporter.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.blackboxExporter.terminationGracePeriodSeconds }}
 terminationGracePeriodSeconds: {{ .Values.blackboxExporter.terminationGracePeriodSeconds }}
@@ -74,7 +74,7 @@ spec:
 image: {{ template "kube-prometheus.blackboxExporter.image" . }}
 imagePullPolicy: {{ .Values.blackboxExporter.image.pullPolicy }}
 {{- if .Values.blackboxExporter.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.blackboxExporter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.blackboxExporter.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.blackboxExporter.command }}
 command: {{- include "common.tplvalues.render" (dict "value" .Values.blackboxExporter.command "context" $) | nindent 12 }}
diff --git a/bitnami/kube-prometheus/templates/prometheus-operator/deployment.yaml b/bitnami/kube-prometheus/templates/prometheus-operator/deployment.yaml
index 7dbca1bdac..c2b29a1be3 100644
--- a/bitnami/kube-prometheus/templates/prometheus-operator/deployment.yaml
+++ b/bitnami/kube-prometheus/templates/prometheus-operator/deployment.yaml
@@ -30,7 +30,7 @@ spec:
 schedulerName: {{ .Values.operator.schedulerName | quote }}
 {{- end }}
 {{- if .Values.operator.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.operator.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.operator.priorityClassName }}
 priorityClassName: {{ .Values.operator.priorityClassName }}
@@ -68,7 +68,7 @@ spec:
 image: {{ template "kube-prometheus.image" . }}
 imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
 {{- if .Values.operator.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.operator.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.operator.command }}
 command: {{- include "common.tplvalues.render" (dict "value" .Values.operator.command "context" $) | nindent 12 }}
diff --git a/bitnami/kube-prometheus/templates/prometheus/prometheus.yaml b/bitnami/kube-prometheus/templates/prometheus/prometheus.yaml
index aea2f1ae2a..c2461ac0ce 100644
--- a/bitnami/kube-prometheus/templates/prometheus/prometheus.yaml
+++ b/bitnami/kube-prometheus/templates/prometheus/prometheus.yaml
@@ -152,7 +152,7 @@ spec:
 remoteWrite: {{- include "common.tplvalues.render" (dict "value" .Values.prometheus.remoteWrite "context" $) | nindent 4 }}
 {{- end }}
 {{- if .Values.prometheus.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.prometheus.podSecurityContext "enabled" | toYaml | nindent 4 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.prometheus.podSecurityContext "context" $) | nindent 4 }}
 {{- end }}
 {{- if .Values.prometheus.ruleNamespaceSelector }}
 ruleNamespaceSelector: {{- include "common.tplvalues.render" (dict "value" .Values.prometheus.ruleNamespaceSelector "context" $) | nindent 4 }}
@@ -310,7 +310,7 @@ spec:
 {{- end }}
 {{- if .Values.prometheus.thanos.containerSecurityContext.enabled }}
 # yamllint disable rule:indentation
- securityContext: {{- omit .Values.prometheus.thanos.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.prometheus.thanos.containerSecurityContext "context" $) | nindent 8 }}
 # yamllint enable rule:indentation
 {{- end }}
 {{- if .Values.prometheus.thanos.livenessProbe.enabled }}
@@ -346,7 +346,7 @@ spec:
 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/strategic-merge-patch.md
 - name: prometheus
 {{- if .Values.prometheus.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.prometheus.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.prometheus.containerSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.prometheus.livenessProbe.enabled }}
 livenessProbe:
@@ -393,7 +393,7 @@ spec:
 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/strategic-merge-patch.md
 - name: config-reloader
 {{- if .Values.operator.prometheusConfigReloader.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.operator.prometheusConfigReloader.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.prometheusConfigReloader.containerSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.operator.prometheusConfigReloader.livenessProbe.enabled }}
 livenessProbe:
diff --git a/bitnami/kube-prometheus/values.yaml b/bitnami/kube-prometheus/values.yaml
index 8bf0817722..550c51cecd 100644
--- a/bitnami/kube-prometheus/values.yaml
+++ b/bitnami/kube-prometheus/values.yaml
@@ -19,6 +19,15 @@ global:
 ##
 imagePullSecrets: []
 storageClass: ""
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: disabled
 
 ## @section Common parameters
 ##
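Review bot: `adaptSecurityContext: disabled` in the values.yaml hunk is a free-form string with three documented values, and nothing in the hunk constrains it, so a misspelt or differently-cased value (`Disabled`, `Auto`) silently falls through to whatever the common helper treats as its default — which could be either the adapted or the unadapted securityContext and is not visible from this diff. The `@param` comment should state that fallback once it is confirmed against the helper, e.g. `## Any other value is treated as disabled (no adaptation)`, or the chart could reject unknown values through an enum in a values schema if it ships one. The comment also says `auto` applies when the running cluster is detected as OpenShift but not how; if detection relies on API capabilities, offline renders (`helm template`, GitOps pipelines without `--api-versions`) will not apply it, and since the securityContext of every pod in the release depends on this switch that caveat belongs in the same comment.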