merge upstream

Signed-off-by: Markus Lippert <markuslippert@outlook.com>
prometheus-community · Mar 6, 2023 · d09268d · d09268d
1 parent 3408202
commit d09268d
Show file tree

Hide file tree

Showing 17 changed files with 120 additions and 17 deletions.
diff --git a/.github/workflows/sync-readme.yaml b/.github/workflows/sync-readme.yaml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v3
       - run: |
           cp -f README.md ${{ runner.temp }}/README.md
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: gh-pages
       - run: |

diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml
@@ -21,7 +21,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 45.5.0
+version: 45.7.0
 appVersion: v0.63.0
 kubeVersion: ">=1.16.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus
@@ -48,6 +48,6 @@ dependencies:
     repository: https://prometheus-community.github.io/helm-charts
     condition: nodeExporter.enabled
   - name: grafana
-    version: "6.50.*"
+    version: "6.51.*"
     repository: https://grafana.github.io/helm-charts
     condition: grafana.enabled
diff --git a/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml b/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml
@@ -18,7 +18,7 @@ spec:
     interval: {{ .Values.kubeApiServer.serviceMonitor.interval }}
     {{- end }}
     {{- if .Values.kubeApiServer.serviceMonitor.proxyUrl }}
-    proxyUrl: {{ .Values.kubeApiServer.serviceMonitor.proxyUrl}}
+    proxyUrl: {{ .Values.kubeApiServer.serviceMonitor.proxyUrl }}
     {{- end }}
     port: https
     scheme: https

diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
@@ -6,6 +6,7 @@ metadata:
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 spec:
   egress: 
     - {}

diff --git a/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml b/charts/kube-prometheus-stack/templates/prometheus/networkpolicy.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.prometheus.networkPolicy.enabled }}
+apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+spec:
+  {{- if .Values.prometheus.networkPolicy.egress }}
+  ## Deny all egress by default
+  egress:
+    {{- toYaml .Values.prometheus.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+  {{- if .Values.prometheus.networkPolicy.ingress }}
+  # Deny all ingress by default (prometheus scrapes itself using localhost)
+  ingress:
+    {{- toYaml .Values.prometheus.networkPolicy.ingress | nindent 4 }}
+  {{- end }}
+  policyTypes:
+    - Egress
+    - Ingress
+  podSelector:
+    {{- if .Values.prometheus.networkPolicy.podSelector }}
+    {{- toYaml .Values.prometheus.networkPolicy.podSelector | nindent 4 }}
+    {{- else }}
+    matchExpressions:
+      - {key: app.kubernetes.io/name, operator: In, values: [prometheus]}
+      - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]}
+    {{- end }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
@@ -2230,13 +2230,23 @@ prometheusOperator:
 ## Deploy a Prometheus instance
 ##
 prometheus:
-
   enabled: true
 
   ## Annotations for Prometheus
   ##
   annotations: {}
 
+  ## Configure network policy for the prometheus
+  networkPolicy:
+    enabled: false
+    # egress:
+    # - {}
+    # ingress:
+    # - {}
+    # podSelector:
+    #   matchLabels:
+    #     app: prometheus
+
   ## Service account for Prometheuses to use.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##

diff --git a/charts/kube-state-metrics/Chart.yaml b/charts/kube-state-metrics/Chart.yaml
@@ -7,8 +7,8 @@ keywords:
 - prometheus
 - kubernetes
 type: application
-version: 4.31.0
-appVersion: 2.8.0
+version: 4.32.0
+appVersion: 2.8.1
 home: https://github.com/kubernetes/kube-state-metrics/
 sources:
 - https://github.com/kubernetes/kube-state-metrics/

diff --git a/charts/kube-state-metrics/templates/networkpolicy.yaml b/charts/kube-state-metrics/templates/networkpolicy.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  labels:
+    {{- include "kube-state-metrics.labels" . | indent 4 }}
+  name: {{ template "kube-state-metrics.fullname" . }}
+  namespace: {{ template "kube-state-metrics.namespace" . }}
+  {{- if .Values.annotations }}
+  annotations:
+    {{ toYaml .Values.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.networkPolicy.egress }}
+  ## Deny all egress by default
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+  ingress:
+  {{- if .Values.networkPolicy.ingress }}
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- else }}
+    ## Allow ingress on default ports by default
+  - ports:
+    - port: {{ .Values.service.port | default 8080 }}
+      protocol: TCP
+    {{- if .Values.selfMonitor.enabled }}
+    {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}}
+    - port: {{ $telemetryPort }}
+      protocol: TCP
+    {{- end }}
+  {{- end }}
+  podSelector:
+    {{- if .Values.networkPolicy.podSelector }}
+    {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+    {{- else }}
+    matchLabels:
+      {{- include "kube-state-metrics.selectorLabels" . | indent 6 }}
+    {{- end }}
+  policyTypes:
+    - Ingress
+    - Egress
+{{- end }}
diff --git a/charts/kube-state-metrics/values.yaml b/charts/kube-state-metrics/values.yaml
@@ -181,6 +181,17 @@ podSecurityPolicy:
 
   additionalVolumes: []
 
+## Configure network policy for kube-state-metrics
+networkPolicy:
+  enabled: false
+  # egress:
+  # - {}
+  # ingress:
+  # - {}
+  # podSelector:
+  #   matchLabels:
+  #     app.kubernetes.io/name: kube-state-metrics
+
 securityContext:
   enabled: true
   runAsGroup: 65534

diff --git a/charts/prometheus-blackbox-exporter/Chart.yaml b/charts/prometheus-blackbox-exporter/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Prometheus Blackbox Exporter
 name: prometheus-blackbox-exporter
-version: 7.5.0
+version: 7.6.1
 appVersion: 0.23.0
 home: https://github.com/prometheus/blackbox_exporter
 sources:

diff --git a/charts/prometheus-blackbox-exporter/templates/daemonset.yaml b/charts/prometheus-blackbox-exporter/templates/daemonset.yaml
@@ -65,12 +65,10 @@ spec:
         - name: blackbox-exporter
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.securityContext }}
           securityContext:
-            readOnlyRootFilesystem: {{ .Values.readOnlyRootFilesystem }}
-            runAsNonRoot: {{ .Values.runAsNonRoot  }}
-            {{- if .Values.runAsUser }}
-            runAsUser: {{ .Values.runAsUser }}
-            {{- end }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
           {{- range $key, $value := .Values.extraEnv }}
             - name: {{ $key }}

diff --git a/charts/prometheus-blackbox-exporter/templates/deployment.yaml b/charts/prometheus-blackbox-exporter/templates/deployment.yaml
@@ -74,8 +74,10 @@ spec:
         - name: blackbox-exporter
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.securityContext }}
           securityContext:
-{{ toYaml .Values.securityContext | indent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
           {{- range $key, $value := .Values.extraEnv }}
             - name: {{ $key }}

diff --git a/charts/prometheus-blackbox-exporter/templates/role.yaml b/charts/prometheus-blackbox-exporter/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.pspEnabled }}
+{{- if and .Values.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: Role
 metadata:

diff --git a/charts/prometheus-blackbox-exporter/templates/rolebinding.yaml b/charts/prometheus-blackbox-exporter/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.pspEnabled }}
+{{- if and .Values.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: RoleBinding
 metadata:

diff --git a/charts/prometheus-postgres-exporter/Chart.yaml b/charts/prometheus-postgres-exporter/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.11.1"
 description: A Helm chart for prometheus postgres-exporter
 name: prometheus-postgres-exporter
-version: 4.2.1
+version: 4.3.0
 home: https://github.com/prometheus-community/postgres_exporter
 sources:
 - https://github.com/prometheus-community/postgres_exporter

diff --git a/charts/prometheus-postgres-exporter/templates/deployment.yaml b/charts/prometheus-postgres-exporter/templates/deployment.yaml
@@ -134,6 +134,10 @@ spec:
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.command }}
+          command:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.targetPort }}

diff --git a/charts/prometheus-postgres-exporter/values.yaml b/charts/prometheus-postgres-exporter/values.yaml
@@ -16,6 +16,8 @@ image:
   # pullSecrets:
   #   - myRegistrKeySecretName
 
+command: []
+
 service:
   type: ClusterIP
   port: 80