rancher-charts/packages/rancher-monitoring/generated-changes/patch/templates/alertmanager/secret.yaml.patch

--- charts-original/templates/alertmanager/secret.yaml
+++ charts/templates/alertmanager/secret.yaml
@@ -1,11 +1,19 @@
 {{- if and (.Values.alertmanager.enabled) (not .Values.alertmanager.alertmanagerSpec.useExistingSecret) }}
+{{- if .Release.IsInstall }}
+{{- $secretName := (printf "alertmanager-%s-alertmanager" (include "kube-prometheus-stack.fullname" .)) }}
+{{- if (lookup "v1" "Secret" (include "kube-prometheus-stack.namespace" .) $secretName) }}
+{{- required (printf "Cannot overwrite existing secret %s in namespace %s." $secretName (include "kube-prometheus-stack.namespace" .)) "" }}
+{{- end }}{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
-{{- if .Values.alertmanager.secret.annotations }}
   annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "3"
+{{- if .Values.alertmanager.secret.annotations }}
 {{ toYaml .Values.alertmanager.secret.annotations | indent 4 }}
 {{- end }}
   labels:
@@ -20,4 +28,139 @@
 {{- range $key, $val := .Values.alertmanager.templateFiles }}
   {{ $key }}: {{ $val | b64enc | quote }}
 {{- end }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+{{ include "kube-prometheus-stack.labels" . | indent 4 }}
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "5"
+spec:
+  template:
+    metadata:
+      name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+      labels: {{ include "kube-prometheus-stack.labels" . | nindent 8 }}
+        app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+    spec:
+      serviceAccountName: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+{{- if .Values.alertmanager.secret.securityContext }}
+      securityContext:
+{{ toYaml .Values.alertmanager.secret.securityContext | indent 8 }}
+{{- end }}
+      containers:
+        - name: copy-pre-install-secret
+          image: {{ template "system_default_registry" . }}{{ .Values.alertmanager.secret.image.repository }}:{{ .Values.alertmanager.secret.image.tag }}
+          imagePullPolicy: {{ .Values.alertmanager.secret.image.pullPolicy }}
+          command:
+          - /bin/sh
+          - -c
+          - >
+            if kubectl get secret -n {{ template "kube-prometheus-stack.namespace" . }} alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager > /dev/null 2>&1; then
+              echo "Secret already exists"
+              exit 1
+            fi;
+            kubectl patch secret -n {{ template "kube-prometheus-stack.namespace" . }} --dry-run -o yaml
+            alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+            -p '{{ printf "{\"metadata\":{\"name\": \"alertmanager-%s-alertmanager\"}}" (include "kube-prometheus-stack.fullname" .) }}'
+            | kubectl apply -f -;
+            kubectl annotate secret -n {{ template "kube-prometheus-stack.namespace" . }}
+            alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
+            helm.sh/hook- helm.sh/hook-delete-policy- helm.sh/hook-weight-;
+      restartPolicy: OnFailure
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} 
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "3"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs: ['create', 'get', 'patch']
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "3"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+subjects:
+- kind: ServiceAccount
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "3"
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+    "helm.sh/hook-weight": "3"
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
 {{- end }}
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`--- charts-original/templates/alertmanager/secret.yaml`
			`+++ charts/templates/alertmanager/secret.yaml`
			`@@ -1,11 +1,19 @@`
			`{{- if and (.Values.alertmanager.enabled) (not .Values.alertmanager.alertmanagerSpec.useExistingSecret) }}`
			`+{{- if .Release.IsInstall }}`
			`+{{- $secretName := (printf "alertmanager-%s-alertmanager" (include "kube-prometheus-stack.fullname" .)) }}`
			`+{{- if (lookup "v1" "Secret" (include "kube-prometheus-stack.namespace" .) $secretName) }}`
			`+{{- required (printf "Cannot overwrite existing secret %s in namespace %s." $secretName (include "kube-prometheus-stack.namespace" .)) "" }}`
			`+{{- end }}{{- end }}`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`- name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`namespace: {{ template "kube-prometheus-stack.namespace" . }}`
			`-{{- if .Values.alertmanager.secret.annotations }}`
			`annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "3"`
			`+{{- if .Values.alertmanager.secret.annotations }}`
			`{{ toYaml .Values.alertmanager.secret.annotations \| indent 4 }}`
			`{{- end }}`
			`labels:`
			`@@ -20,4 +28,139 @@`
			`{{- range $key, $val := .Values.alertmanager.templateFiles }}`
			`{{ $key }}: {{ $val \| b64enc \| quote }}`
			`{{- end }}`
			`+---`
			`+apiVersion: batch/v1`
			`+kind: Job`
			`+metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ namespace: {{ template "kube-prometheus-stack.namespace" . }}`
			`+ labels:`
			`+{{ include "kube-prometheus-stack.labels" . \| indent 4 }}`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "5"`
			`+spec:`
			`+ template:`
			`+ metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ labels: {{ include "kube-prometheus-stack.labels" . \| nindent 8 }}`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ spec:`
			`+ serviceAccountName: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+{{- if .Values.alertmanager.secret.securityContext }}`
			`+ securityContext:`
			`+{{ toYaml .Values.alertmanager.secret.securityContext \| indent 8 }}`
			`+{{- end }}`
			`+ containers:`
			`+ - name: copy-pre-install-secret`
			`+ image: {{ template "system_default_registry" . }}{{ .Values.alertmanager.secret.image.repository }}:{{ .Values.alertmanager.secret.image.tag }}`
			`+ imagePullPolicy: {{ .Values.alertmanager.secret.image.pullPolicy }}`
			`+ command:`
			`+ - /bin/sh`
			`+ - -c`
			`+ - >`
			`+ if kubectl get secret -n {{ template "kube-prometheus-stack.namespace" . }} alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager > /dev/null 2>&1; then`
			`+ echo "Secret already exists"`
			`+ exit 1`
			`+ fi;`
			`+ kubectl patch secret -n {{ template "kube-prometheus-stack.namespace" . }} --dry-run -o yaml`
			`+ alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ -p '{{ printf "{\"metadata\":{\"name\": \"alertmanager-%s-alertmanager\"}}" (include "kube-prometheus-stack.fullname" .) }}'`
			`+ \| kubectl apply -f -;`
			`+ kubectl annotate secret -n {{ template "kube-prometheus-stack.namespace" . }}`
			`+ alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager`
			`+ helm.sh/hook- helm.sh/hook-delete-policy- helm.sh/hook-weight-;`
			`+ restartPolicy: OnFailure`
			`+ nodeSelector: {{ include "linux-node-selector" . \| nindent 8 }}`
			`+ tolerations: {{ include "linux-node-tolerations" . \| nindent 8 }}`
			`+---`
			`+apiVersion: rbac.authorization.k8s.io/v1`
			`+kind: ClusterRole`
			`+metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ labels:`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "3"`
			`+rules:`
			`+- apiGroups:`
			`+ - ""`
			`+ resources:`
			`+ - secrets`
			`+ verbs: ['create', 'get', 'patch']`
			`+- apiGroups: ['policy']`
			`+ resources: ['podsecuritypolicies']`
			`+ verbs: ['use']`
			`+ resourceNames:`
			`+ - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+---`
			`+apiVersion: rbac.authorization.k8s.io/v1`
			`+kind: ClusterRoleBinding`
			`+metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ labels:`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "3"`
			`+roleRef:`
			`+ apiGroup: rbac.authorization.k8s.io`
			`+ kind: ClusterRole`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+subjects:`
			`+- kind: ServiceAccount`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ namespace: {{ template "kube-prometheus-stack.namespace" . }}`
			`+---`
			`+apiVersion: v1`
			`+kind: ServiceAccount`
			`+metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ namespace: {{ template "kube-prometheus-stack.namespace" . }}`
			`+ labels:`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "3"`
			`+---`
			`+apiVersion: policy/v1beta1`
			`+kind: PodSecurityPolicy`
			`+metadata:`
			`+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install`
			`+ namespace: {{ template "kube-prometheus-stack.namespace" . }}`
			`+ labels:`
			`+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager`
			`+ annotations:`
			`+ "helm.sh/hook": pre-install`
			`+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed`
			`+ "helm.sh/hook-weight": "3"`
			`+spec:`
			`+ privileged: false`
			`+ allowPrivilegeEscalation: false`
			`+ hostNetwork: false`
			`+ hostIPC: false`
			`+ hostPID: false`
			`+ runAsUser:`
			`+ rule: 'MustRunAsNonRoot'`
			`+ seLinux:`
			`+ rule: 'RunAsAny'`
			`+ supplementalGroups:`
			`+ rule: 'MustRunAs'`
			`+ ranges:`
			`+ - min: 1`
			`+ max: 65535`
			`+ fsGroup:`
			`+ rule: 'MustRunAs'`
			`+ ranges:`
			`+ - min: 1`
			`+ max: 65535`
			`+ readOnlyRootFilesystem: false`
			`+ volumes:`
			`+ - 'secret'`
			`{{- end }}`