diff --git a/charts/kube-prometheus-stack/.editorconfig b/charts/kube-prometheus-stack/.editorconfig index f5ee2f461039..feb4a55c73fa 100644 --- a/charts/kube-prometheus-stack/.editorconfig +++ b/charts/kube-prometheus-stack/.editorconfig @@ -1,5 +1,3 @@ -root = true - [files/dashboards/*.json] indent_size = 2 -indent_style = space \ No newline at end of file +indent_style = space diff --git a/charts/kube-prometheus-stack/.helmignore b/charts/kube-prometheus-stack/.helmignore index 9bdbec92b403..13a8a2ca7e09 100644 --- a/charts/kube-prometheus-stack/.helmignore +++ b/charts/kube-prometheus-stack/.helmignore @@ -27,3 +27,7 @@ kube-prometheus-*.tgz unittests/ files/dashboards/ + +README.md +CONTRIBUTING.md +.editorconfig diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml index e8dab2e81979..2f9055107bbd 100644 --- a/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kube-prometheus-stack/Chart.yaml @@ -15,7 +15,7 @@ maintainers: - name: GMartinez-Sisti email: kube-prometheus-stack@sisti.pt url: https://github.com/GMartinez-Sisti - - name: Jan-Otto Kröpke + - name: jkroepke email: github@jkroepke.de url: https://github.com/jkroepke - name: scottrigby @@ -31,8 +31,7 @@ name: kube-prometheus-stack sources: - https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-operator/kube-prometheus -# in case of changes within CRDs, a major version bump is mandatory. See: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#upgrading-chart -version: 68.3.3 +version: 68.4.0 appVersion: v0.79.2 kubeVersion: ">=1.19.0-0" home: https://github.com/prometheus-operator/kube-prometheus diff --git a/charts/kube-prometheus-stack/charts/crds/files/crds.bz2 b/charts/kube-prometheus-stack/charts/crds/files/crds.bz2 new file mode 100644 index 000000000000..d545fdd9b867 Binary files /dev/null and b/charts/kube-prometheus-stack/charts/crds/files/crds.bz2 differ 
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/_helpers.tpl b/charts/kube-prometheus-stack/charts/crds/templates/_helpers.tpl
new file mode 100644
index 000000000000..0a7b7957cb43
--- /dev/null
+++ b/charts/kube-prometheus-stack/charts/crds/templates/_helpers.tpl
@@ -0,0 +1,20 @@
+{{/* Shortened name suffixed with upgrade-crd */}}
+{{- define "kube-prometheus-stack.crd.upgradeJob.name" -}}
+{{- print (include "kube-prometheus-stack.fullname" .) "-upgrade" -}}
+{{- end -}}
+
+{{- define "kube-prometheus-stack.crd.upgradeJob.labels" -}}
+{{- include "kube-prometheus-stack.labels" . }}
+app: {{ template "kube-prometheus-stack.name" . }}-operator
+app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+app.kubernetes.io/component: crds-upgrade
+{{- end -}}
+
+{{/* Create the name of crd.upgradeJob service account to use */}}
+{{- define "kube-prometheus-stack.crd.upgradeJob.serviceAccountName" -}}
+{{- if .Values.upgradeJob.serviceAccount.create -}}
+ {{ default (include "kube-prometheus-stack.crd.upgradeJob.name" .) .Values.upgradeJob.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.upgradeJob.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrole.yaml b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrole.yaml
new file mode 100644
index 000000000000..b83e84e9508a
--- /dev/null
+++ b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrole.yaml
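Review bot: The comment above `kube-prometheus-stack.crd.upgradeJob.name` says the name is shortened and suffixed with upgrade-crd, but the define appends `-upgrade` and does no truncation of its own. The same name is reused for the Job, ClusterRole and ClusterRoleBinding in this commit, and whether `kube-prometheus-stack.fullname` leaves room for the suffix is not visible in this hunk. I would correct the comment to `{{/* Release full name suffixed with -upgrade; names the CRD upgrade Job, ClusterRole and ClusterRoleBinding */}}` and confirm the length limit separately. The `kube-prometheus-stack.crd.upgradeJob.labels` define has no comment; one line saying it extends the common labels with the `crds-upgrade` component would be enough.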
@@ -0,0 +1,28 @@
+{{- if .Values.upgradeJob.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "kube-prometheus-stack.crd.upgradeJob.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - "customresourcedefinitions"
+ verbs:
+ - create
+ - patch
+ - update
+ - get
+ - list
+ resourceNames:
+ {{- range $path, $_ := $.Files.Glob "crds/*.yaml" }}
+ - {{ ($.Files.Get $path | fromYaml ).metadata.name }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrolebinding.yaml b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrolebinding.yaml
new file mode 100644
index 000000000000..1e8cd8377ad0
--- /dev/null
+++ b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/clusterrolebinding.yaml
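Review bot: The `resourceNames` list in this rule does not constrain `create` and `list` the way it reads. Kubernetes RBAC cannot match a collection-level create or an unfiltered list against a resource name, so those verbs only apply to requests that carry the object name. That appears to hold for the `kubectl apply --server-side` call in job.yaml, but it would not hold for a client-side apply. I would add a comment above `resourceNames:` along the lines of `# scoped to the CRDs shipped in crds/; create/list only match named requests, so the job must keep using server-side apply`. `metadata.namespace` is ignored on a cluster-scoped ClusterRole and can be dropped.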
@@ -0,0 +1,21 @@
+{{- if .Values.upgradeJob.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-weight": "-3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "kube-prometheus-stack.crd.upgradeJob.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.serviceAccountName" . }}
+roleRef:
+ kind: ClusterRole
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/upgrade/crds.yaml b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/crds.yaml
new file mode 100644
index 000000000000..ca951f331df0
--- /dev/null
+++ b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/crds.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.upgradeJob.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "kube-prometheus-stack.crd.upgradeJob.serviceAccountName" . }}
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-weight": "-2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "kube-prometheus-stack.crd.upgradeJob.labels" . | nindent 4 }}
+binaryData:
+ crds.bz2: {{ .Files.Get "files/crds.bz2" | b64enc }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/upgrade/job.yaml b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/job.yaml
new file mode 100644
index 000000000000..53231be7d72f
--- /dev/null
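Review bot: The subject in clusterrolebinding.yaml can resolve to the namespace's `default` ServiceAccount, because `kube-prometheus-stack.crd.upgradeJob.serviceAccountName` falls back to `default` when `upgradeJob.serviceAccount.create` is false and no name is set. In that case the binding grants CRD create/patch/update rights to every pod running under that account. The delete policy is `before-hook-creation,hook-succeeded`, so the grant also stays in place if the hook fails. I would reject that combination at render time in the helper's else branch, for example `{{ required "upgradeJob.serviceAccount.name must be set when serviceAccount.create is false" .Values.upgradeJob.serviceAccount.name }}`. `metadata.namespace` is ignored on a cluster-scoped ClusterRoleBinding and can be removed.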
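Review bot: The ConfigMap in crds.yaml is named with `kube-prometheus-stack.crd.upgradeJob.serviceAccountName`, while the `crds` volume in job.yaml references a ConfigMap named `kube-prometheus-stack.crd.upgradeJob.name`. The two only match while the service account name is left at its default. With `upgradeJob.serviceAccount.name` set, or `serviceAccount.create: false`, the volume would point at a ConfigMap that does not exist and the hook pod could not start, which blocks the install or upgrade. The metadata line should read `name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}`.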
+++ b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/job.yaml 
@@ -0,0 +1,142 @@
+{{- if .Values.upgradeJob.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-weight": "5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.upgradeJob.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "kube-prometheus-stack.crd.upgradeJob.labels" . | nindent 4 }}
+ {{- with .Values.upgradeJob.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ {{- with .Values.upgradeJob.podLabels }}
+ labels:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- include "kube-prometheus-stack.imagePullSecrets" . | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "kube-prometheus-stack.crd.upgradeJob.serviceAccountName" . }}
+ initContainers:
+ - name: busybox
+ {{- $busyboxRegistry := .Values.global.imageRegistry | default .Values.upgradeJob.image.busybox.registry -}}
+ {{- if .Values.upgradeJob.image.sha }}
+ image: "{{ $busyboxRegistry }}/{{ .Values.upgradeJob.image.busybox.repository }}:{{ .Values.upgradeJob.image.busybox.tag }}@sha256:{{ .Values.upgradeJob.image.busybox.sha }}"
+ {{- else }}
+ image: "{{ $busyboxRegistry }}/{{ .Values.upgradeJob.image.busybox.repository }}:{{ .Values.upgradeJob.image.busybox.tag }}"
+ {{- end }}
+ imagePullPolicy: "{{ .Values.upgradeJob.image.busybox.pullPolicy }}"
+ workingDir: /tmp/
+ command:
+ - sh
+ args:
+ - -c
+ - bzcat /crds/crds.bz2 > /tmp/crds.yaml
+ {{- with .Values.upgradeJob.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /crds/
+ name: crds
+ - mountPath: /tmp/
+ name: tmp
+ {{- with .Values.upgradeJob.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.env }}
+ env:
+ {{- range $key, $value := . }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: kubectl
+ {{- $kubectlRegistry := .Values.global.imageRegistry | default .Values.upgradeJob.image.kubectl.registry -}}
+ {{- if .Values.upgradeJob.image.kubectl.sha }}
+ image: "{{ $kubectlRegistry }}/{{ .Values.upgradeJob.image.kubectl.repository }}:{{ .Values.upgradeJob.image.kubectl.tag | default .Capabilities.KubeVersion.Version }}@sha256:{{ .Values.upgradeJob.image.kubectl.sha }}"
+ {{- else }}
+ image: "{{ $kubectlRegistry }}/{{ .Values.upgradeJob.image.kubectl.repository }}:{{ .Values.upgradeJob.image.kubectl.tag | default .Capabilities.KubeVersion.Version }}"
+ {{- end }}
+ imagePullPolicy: "{{ .Values.upgradeJob.image.kubectl.pullPolicy }}"
+ command:
+ - kubectl
+ args:
+ - apply
+ - --server-side
+ - --filename
+ - /tmp/crds.yaml
+ {{- with .Values.upgradeJob.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /tmp/
+ name: tmp
+ {{- with .Values.upgradeJob.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.env }}
+ env:
+ {{- range $key, $value := . }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: crds
+ configMap:
+ name: {{ template "kube-prometheus-stack.crd.upgradeJob.name" . }}
+ {{- with .Values.upgradeJob.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ restartPolicy: OnFailure
+ {{- with .Values.upgradeJob.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/charts/crds/templates/upgrade/serviceaccount.yaml b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/serviceaccount.yaml
new file mode 100644
index 000000000000..30810d559c0a
--- /dev/null
+++ b/charts/kube-prometheus-stack/charts/crds/templates/upgrade/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.upgradeJob.enabled .Values.upgradeJob.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.upgradeJob.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "kube-prometheus-stack.crd.upgradeJob.serviceAccountName" . }}
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-weight": "-4"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.upgradeJob.serviceAccount.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "kube-prometheus-stack.crd.upgradeJob.labels" . | nindent 4 }}
+ {{- with .Values.upgradeJob.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kube-prometheus-stack/ci/06-upgrade-crds-values.yaml b/charts/kube-prometheus-stack/ci/06-upgrade-crds-values.yaml
new file mode 100644
index 000000000000..97a1d39ab2f0
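Review bot: The busybox digest pin in job.yaml can never take effect, because the init container tests `.Values.upgradeJob.image.sha` while values.yaml only defines `image.busybox.sha`. Even when a digest is configured, the `@sha256:` form is skipped and the image is pulled by tag alone, which matters for a hook pod that holds CRD write rights. The condition should be `{{- if .Values.upgradeJob.image.busybox.sha }}`, matching the kubectl container's `image.kubectl.sha` check further down. A short comment above each image block saying that the digest, when set, is appended to the tag would make the intent clear.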
--- /dev/null
+++ b/charts/kube-prometheus-stack/ci/06-upgrade-crds-values.yaml
@@ -0,0 +1,3 @@
+crds:
+ upgradeJob:
+ enabled: true
diff --git a/charts/kube-prometheus-stack/ci/lint.sh b/charts/kube-prometheus-stack/ci/lint.sh
old mode 100644
new mode 100755
index f1704f76ab6e..2bca830885df
--- a/charts/kube-prometheus-stack/ci/lint.sh
+++ b/charts/kube-prometheus-stack/ci/lint.sh
@@ -3,43 +3,44 @@ set -euo pipefail { - SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) + SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) - cd "${SCRIPT_DIR}/../" + cd "${SCRIPT_DIR}/../" - ./hack/update_crds.sh - if ! git diff "$GITHUB_SHA" --color=always --exit-code; then - echo "Please run ./hack/update_crds.sh" - exit 1 - fi + ./hack/update_crds.sh + if ! git diff "$GITHUB_SHA" --color=always --exit-code; then + echo "Please run ./hack/update_crds.sh" - cd hack + exit 1 + fi - export PIP_DISABLE_PIP_VERSION_CHECK=1 + cd hack - python3 -m venv venv - # shellcheck disable=SC1091 - source venv/bin/activate + export PIP_DISABLE_PIP_VERSION_CHECK=1 - pip3 install -r requirements.txt + python3 -m venv venv + # shellcheck disable=SC1091 + source venv/bin/activate - go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@latest - PATH="$(go env GOPATH)/bin:$PATH" - export PATH + pip3 install -r requirements.txt - ./sync_prometheus_rules.py - if ! git diff "$GITHUB_SHA" --color=always --exit-code; then - echo "Changes inside rules are not supported!" - echo "Please go into the ./hack/ directory and run ./sync_prometheus_rules.py" - exit 1 - fi + go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@latest + PATH="$(go env GOPATH)/bin:$PATH" + export PATH - ./sync_grafana_dashboards.py - if ! git diff "$GITHUB_SHA" --color=always --exit-code; then - echo "Changes inside dashboards are not supported!" - echo "Please go into the ./hack/ directory and run ./sync_grafana_dashboards.py" - exit 1 - fi + ./sync_prometheus_rules.py + if ! git diff "$GITHUB_SHA" --color=always --exit-code; then + echo "Changes inside rules are not supported!" + echo "Please go into the ./hack/ directory and run ./sync_prometheus_rules.py" + exit 1 + fi - rm -rf ./venv ./*.git + ./sync_grafana_dashboards.py + if ! git diff "$GITHUB_SHA" --color=always --exit-code; then + echo "Changes inside dashboards are not supported!" 
+ echo "Please go into the ./hack/ directory and run ./sync_grafana_dashboards.py" + exit 1 + fi + + rm -rf ./venv ./*.git } 2>&1 diff --git a/charts/kube-prometheus-stack/hack/update_crds.sh b/charts/kube-prometheus-stack/hack/update_crds.sh index 22d7124516c7..42abb3a3912a 100755 --- a/charts/kube-prometheus-stack/hack/update_crds.sh +++ b/charts/kube-prometheus-stack/hack/update_crds.sh @@ -1,11 +1,13 @@ #!/bin/bash -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +set -e + +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) if [[ $(uname -s) = "Darwin" ]]; then - VERSION="$(grep ^appVersion "${SCRIPT_DIR}/../Chart.yaml" | sed 's/appVersion: //g')" + VERSION="$(grep ^appVersion "${SCRIPT_DIR}/../Chart.yaml" | sed 's/appVersion: //g')" else - VERSION="$(grep ^appVersion "${SCRIPT_DIR}/../Chart.yaml" | sed 's/appVersion:\s//g')" + VERSION="$(grep ^appVersion "${SCRIPT_DIR}/../Chart.yaml" | sed 's/appVersion:\s//g')" fi FILES=( 
@@ -22,17 +24,24 @@ FILES=( ) for line in "${FILES[@]}"; do - DESTINATION=$(echo "${line%%:*}" | xargs) - SOURCE=$(echo "${line##*:}" | xargs) + DESTINATION=$(echo "${line%%:*}" | xargs) + SOURCE=$(echo "${line##*:}" | xargs) - URL="https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/$VERSION/example/prometheus-operator-crd/$SOURCE" + URL="https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/$VERSION/example/prometheus-operator-crd/$SOURCE" - echo -e "Downloading Prometheus Operator CRD with Version ${VERSION}:\n${URL}\n" + echo -e "Downloading Prometheus Operator CRD with Version ${VERSION}:\n${URL}\n" - echo "# ${URL}" > "${SCRIPT_DIR}/../charts/crds/crds/${DESTINATION}" + echo "# ${URL}" >"${SCRIPT_DIR}/../charts/crds/crds/${DESTINATION}" - if ! curl --silent --retry-all-errors --fail --location "${URL}" >> "${SCRIPT_DIR}/../charts/crds/crds/${DESTINATION}"; then - echo -e "Failed to download ${URL}!" - exit 1 - fi + if ! curl --silent --retry-all-errors --fail --location "${URL}" >>"${SCRIPT_DIR}/../charts/crds/crds/${DESTINATION}"; then + echo -e "Failed to download ${URL}!" + exit 1 + fi done + +{ + for file in "${SCRIPT_DIR}/../charts/crds/crds/"crd*.yaml; do + cat "${file}" + echo "---" + done +} | bzip2 --best --compress --keep --stdout - >"${SCRIPT_DIR}/../charts/crds/files/crds.bz2" diff --git a/charts/kube-prometheus-stack/hack/update_mixins.sh b/charts/kube-prometheus-stack/hack/update_mixins.sh index ba53d6b5aa5b..44d29b675807 100755 --- a/charts/kube-prometheus-stack/hack/update_mixins.sh +++ b/charts/kube-prometheus-stack/hack/update_mixins.sh @@ -7,7 +7,7 @@ case $(sed --help 2>&1) in *) _sed_i() { sed -i '' "$@"; } ;; esac -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) trap 'rm -rf "${SCRIPT_DIR}/tmp"' EXIT 
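Review bot: A failure inside the new `{ for file in ...; } | bzip2 ...` group at the end of hack/update_crds.sh is not reported. The first hunk enables only `set -e`, and the pipeline's exit status is bzip2's, so a failing `cat` would still leave a truncated `crds.bz2` that gets committed and later applied by the upgrade Job. I would use `set -euo pipefail`, as ci/lint.sh already does. The archive contents also follow glob order, which depends on the locale's collation; `export LC_ALL=C` before the loop keeps the output stable for the `git diff --exit-code` check in lint.sh. Whether bzip2 output is byte-identical across versions is worth confirming, since that check compares a binary file.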
diff --git a/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kube-prometheus-stack/templates/_helpers.tpl index b3a5af703dc2..b6d2e512075a 100644 --- a/charts/kube-prometheus-stack/templates/_helpers.tpl +++ b/charts/kube-prometheus-stack/templates/_helpers.tpl @@ -72,7 +72,6 @@ The longest name that gets created adds and extra 37 characters, so truncation s {{- default (printf "%s-thanos-ruler" (include "kube-prometheus-stack.name" .)) .Values.thanosRuler.name -}} {{- end }} - {{/* Create chart name and version as used by the chart label. */}} {{- define "kube-prometheus-stack.chartref" -}} {{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}} @@ -126,6 +125,7 @@ heritage: {{ $.Release.Service | quote }} {{- else -}} {{ default "default" .Values.alertmanager.serviceAccount.name }} {{- end -}} + {{- end -}} {{/* Create the name of thanosRuler service account to use */}} diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml index 21877ca5f6a1..e2335c9fc53f 100644 --- a/charts/kube-prometheus-stack/values.yaml +++ b/charts/kube-prometheus-stack/values.yaml 
@@ -32,6 +32,126 @@ commonLabels: {} ## crds: enabled: true + ## The CRD upgrade job mitigates the limitation of helm not being able to upgrade CRDs. + ## The job will apply the CRDs to the cluster before the operator is deployed, using helm hooks. + ## It deploy a corresponding clusterrole, clusterrolebinding and serviceaccount to apply the CRDs. + ## This feature is in preview, off by default and may change in the future. + upgradeJob: + enabled: false + image: + busybox: + registry: docker.io + repository: busybox + tag: "latest" + sha: "" + pullPolicy: IfNotPresent + kubectl: + registry: registry.k8s.io + repository: kubectl + tag: "" # defaults to the Kubernetes version + sha: "" + pullPolicy: IfNotPresent + + env: {} + ## Define resources requests and limits for single Pods. + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + + ## Additional volumes + ## + extraVolumes: [] + + ## Additional volume mounts + ## + extraVolumeMounts: [] + + ## Define which Nodes the Pods are scheduled on. + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Assign custom affinity rules to the upgrade-crd job + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + + ## If specified, the pod's tolerations. + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## If specified, the pod's topology spread constraints. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: alertmanager + + # ## Labels to add to the upgrade-crd job + # ## + labels: {} + + ## Annotations to add to the upgrade-crd job + ## + annotations: {} + + ## Labels to add to the upgrade-crd pod + ## + podLabels: {} + + ## Annotations to add to the upgrade-crd pod + ## + podAnnotations: {} + + ## Service account for upgrade crd job to use. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + name: "" + annotations: {} + labels: {} + automountServiceAccountToken: true + + ## Container-specific security context configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + ## SecurityContext holds pod-level security attributes and common container settings. + ## This defaults to non root user with uid 1000 and gid 2000. *v1.PodSecurityContext false + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault ## custom Rules to override "for" and "severity" in defaultRules ##
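Review bot: The pod-level defaults at the end of the `upgradeJob` block are declared under `securityContext:`, but job.yaml reads `.Values.upgradeJob.podSecurityContext`. As written, `runAsNonRoot`, the 65534 uid/gid and the `RuntimeDefault` seccomp profile are never rendered into the pod spec. Renaming the key to `podSecurityContext:` (or changing the template to match) fixes that. The comment above it should also be corrected, since it says the default is uid 1000 and gid 2000 while the values use 65534. Separately, the busybox default `tag: "latest"` with an empty `sha` is a mutable reference for a hook that runs with CRD write access; a fixed tag plus digest would be a safer default.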