Merge pull request #1227 from jiaqiluo/pushprox-for-ingress-nginx-dev-v2.6

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/Chart.yaml

@@ -56,6 +56,9 @@ dependencies:
 - condition: rke2Etcd.enabled
   name: rke2Etcd
   repository: file://./charts/rke2Etcd
+- condition: rke2IngressNginx.enabled
+  name: rke2IngressNginx
+  repository: file://./charts/rke2IngressNginx
 - condition: rke2Proxy.enabled
   name: rke2Proxy
   repository: file://./charts/rke2Proxy
@@ -68,6 +71,9 @@ dependencies:
 - condition: rkeEtcd.enabled
   name: rkeEtcd
   repository: file://./charts/rkeEtcd
+- condition: rkeIngressNginx.enabled
+  name: rkeIngressNginx
+  repository: file://./charts/rkeIngressNginx
 - condition: rkeProxy.enabled
   name: rkeProxy
   repository: file://./charts/rkeProxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/README.md

@@ -199,7 +199,9 @@ The following values are enabled for different distributions via [rancher-pushpr
 | `rkeControllerManager.enabled` | Create a PushProx installation for monitoring kube-controller-manager metrics in RKE clusters | `false` |
 | `rkeScheduler.enabled` | Create a PushProx installation for monitoring kube-scheduler metrics in RKE clusters | `false` |
 | `rkeProxy.enabled` | Create a PushProx installation for monitoring kube-proxy metrics in RKE clusters | `false` |
+| `rkeIngressNginx.enabled` | Create a PushProx installation for monitoring ingress-nginx metrics in RKE clusters | `false` |
 | `rkeEtcd.enabled` | Create a PushProx installation for monitoring etcd metrics in RKE clusters | `false` |
+| `rke2IngressNginx.enabled` | Create a PushProx installation for monitoring ingress-nginx metrics in RKE2 clusters | `false` |
 | `k3sServer.enabled` | Create a PushProx installation for monitoring k3s-server metrics (accounts for kube-controller-manager, kube-scheduler, and kube-proxy metrics) in k3s clusters | `false` |
 | `kubeAdmControllerManager.enabled` | Create a PushProx installation for monitoring kube-controller-manager metrics in kubeAdm clusters | `false` |
 | `kubeAdmScheduler.enabled` | Create a PushProx installation for monitoring kube-scheduler metrics in kubeAdm clusters | `false` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedKubelet/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/hardenedNodeExporter/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/k3sServer/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmControllerManager/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmEtcd/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmProxy/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/kubeAdmScheduler/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2ControllerManager/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Etcd/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/Chart.yaml

@@ -0,0 +1,13 @@
+annotations:
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/os: linux
+  catalog.rancher.io/certified: rancher
+  catalog.rancher.io/namespace: cattle-monitoring-system
+  catalog.rancher.io/release-name: rancher-pushprox
+apiVersion: v1
+appVersion: 0.1.0
+description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
+  clients.
+name: rke2IngressNginx
+type: application
+version: 0.1.4

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/README.md

@@ -0,0 +1,60 @@
+# rancher-pushprox
+
+A Rancher chart based on Rancher [PushProx](https://github.com/rancher/PushProx) that sets up a Deployment of a PushProx proxy and a DaemonSet of PushProx clients on a Kubernetes cluster.
+
+Installs [rancher-pushprox](https://github.com/rancher/charts/tree/gh-pages/packages/rancher-pushprox) to create PushProx clients that can access their host's network and register with a PushProx proxy. A [Prometheus Operator](https://github.com/coreos/prometheus-operator) ServiceMonitor CR is also included that is configured to scrape the metrics from each of the clients through the proxy.
+
+Using an instance of this chart is suitable for the following scenarios:
+- You need to scrape metrics from a port that should not be accessible outside of the host (e.g. scraping `etcd` metrics in a hardened cluster)
+- You need to scrape metrics on a host that are not exposed outside of 127.0.0.1 (e.g. scraping `kube-proxy` metrics)
+- You need to scrape metrics through HTTPS using certs hosted directly on `hostPath`
+- You need to scrape metrics from Kubernetes components that require authorization via a service account (e.g. permissions to make request to `/metrics`)
+- You need to scrape metrics without access to cacerts (i.e. enable `insecureSkipVerify`)
+
+The clients and proxy are created based on a Rancher fork of the [prometheus-community/PushProx](https://github.com/prometheus-community/PushProx) project.
+
+## Configuration
+
+The following tables list the configurable parameters of the rancher-pushprox chart and their default values.
+
+### General
+
+#### Required
+| Parameter | Description | Example |
+| ----- | ----------- | ------ |
+| `component` | The component that is being monitored | `kube-etcd`
+| `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
+
+#### Optional
+| Parameter | Description | Default |
+| ----- | ----------- | ------ |
+| `serviceMonitor.enabled` | Deploys a [Prometheus Operator](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor) ServiceMonitor CR that is configured to scrape metrics on the hosts that the clients are deployed on via the proxy. Also deploys a Service that points to all pods with the expected client name that exposes the `metricsPort` selected | `true` |
+| `serviceMonitor.endpoints` | A list of endpoints that will be added to the ServiceMonitor based on the [Endpoint spec](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint) | `[{port: metrics}]` |
+| `clients.enabled` | Deploys a DaemonSet of clients that are each capable of scraping endpoints on the hostNetwork it is deployed on | `true` |
+| `clients.port` |  The port where the client will publish PushProx client-specific metrics. If deploying multiple clients onto the same node, the clients should not have conflicting ports | `9369` |
+| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
+| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
+| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
+| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
+| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
+| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
+| `clients.resources` | Set resource limits and requests for the client container | `{}` |
+| `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
+| `clients.tolerations` | Specify tolerations for clients | `[]` |
+| `proxy.enabled` | Deploys the proxy that each client will register with | `true` |
+| `proxy.port` | The port exposed by the proxy that each client will register with to allow metrics to be scraped from the host | `8080` |
+| `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
+| `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
+| `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+
+*Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 
+
+See [rancher-monitoring](https://github.com/rancher/charts/tree/gh-pages/packages/rancher-monitoring) for examples of how this chart can be used.

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/_helpers.tpl

@@ -0,0 +1,104 @@
+# Rancher
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+# Windows Support
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
+
+# General
+
+{{- define "pushprox.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "pushProxy.commonLabels" -}}
+release: {{ .Release.Name }}
+component: {{ .Values.component | quote }}
+provider: kubernetes
+{{- end -}}
+
+{{- define "pushProxy.proxyUrl" -}}
+{{- $_ := (required "Template requires either .Values.proxy.port or .Values.client.proxyUrl to set proxyUrl for client" (or .Values.clients.proxyUrl .Values.proxy.port)) -}}
+{{- if .Values.clients.proxyUrl -}}
+{{ printf "%s" .Values.clients.proxyUrl }}
+{{- else -}}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
+{{- end -}}{{- end -}}
+
+# Client
+
+{{- define "pushProxy.client.name" -}}
+{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.client.labels" -}}
+k8s-app: {{ template "pushProxy.client.name" . }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+# Proxy
+
+{{- define "pushProxy.proxy.name" -}}
+{{- printf "pushprox-%s-proxy" (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.proxy.labels" -}}
+k8s-app: {{ template "pushProxy.proxy.name" . }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+# ServiceMonitor
+
+{{- define "pushprox.serviceMonitor.name" -}}
+{{- printf "%s-%s" .Release.Name (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.serviceMonitor.labels" -}}
+app: {{ template "pushprox.serviceMonitor.name" . }}
+release: {{ .Release.Name | quote }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+{{- define "pushProxy.serviceMonitor.endpoints" -}}
+{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
+{{- $useHTTPS := .Values.clients.https.enabled -}}
+{{- $endpoints := .Values.serviceMonitor.endpoints }}
+{{- range $endpoints }}
+{{- $_ := set . "proxyUrl" $proxyURL }}
+{{- if $useHTTPS -}}
+{{- if (hasKey . "params") }}
+{{- $_ := set (get . "params") "_scheme" (list "https") }}
+{{- else }}
+{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- toYaml $endpoints }}
+{{- end -}}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/pushprox-clients-rbac.yaml

@@ -0,0 +1,77 @@
+{{- if .Values.clients }}{{- if .Values.clients.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "pushProxy.client.name" . }}
+{{- if and .Values.clients.https.enabled .Values.clients.https.useServiceAccountCredentials }}
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
+{{- if .Values.clients.rbac.additionalRules }}
+{{ toYaml .Values.clients.rbac.additionalRules }}
+{{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "pushProxy.client.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "pushProxy.client.name" . }}
+    namespace: {{ include "pushprox.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+    - 'emptyDir'
+    - 'hostPath'
+  allowedHostPaths:
+  - pathPrefix: {{ required "Need access to volume on host with the SSL cert files to use HTTPs" .Values.clients.https.certDir }}
+    readOnly: true
+{{- end }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/pushprox-clients.yaml

@@ -0,0 +1,145 @@
+{{- if .Values.clients }}{{- if .Values.clients.enabled }}
+apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
+kind: DaemonSet
+{{- end }}
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+    pushprox-exporter: "client"
+spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
+  selector:
+    matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
+    spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.clients.nodeSelector }}
+{{ toYaml .Values.clients.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.clients.tolerations }}
+{{ toYaml .Values.clients.tolerations | indent 8 }}
+{{- end }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ template "pushProxy.client.name" . }}
+      containers:
+      - name: pushprox-client
+        image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
+        command:
+        {{- range .Values.clients.command }}
+          - {{ . | quote }}
+        {{- end }}
+        args:
+        - --fqdn=$(HOST_IP)
+        - --proxy-url=$(PROXY_URL)
+        - --metrics-addr=$(PORT)
+        - --allow-port={{ required "Need .Values.metricsPort to configure client to be allowed to scrape metrics at port" .Values.metricsPort}}
+        {{- if .Values.clients.useLocalhost }}
+        - --use-localhost
+        {{- end }}
+        {{- if .Values.clients.https.enabled }}
+        {{- if .Values.clients.https.insecureSkipVerify }}
+        - --insecure-skip-verify
+        {{- end }}
+        {{- if .Values.clients.https.useServiceAccountCredentials }}
+        - --token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
+        {{- end }}
+        {{- if .Values.clients.https.certDir }}
+        - --tls.cert=/etc/ssl/push-proxy/push-proxy.pem
+        - --tls.key=/etc/ssl/push-proxy/push-proxy-key.pem
+        - --tls.cacert=/etc/ssl/push-proxy/push-proxy-ca-cert.pem
+        {{- end }}
+        {{- end }}
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: PORT
+          value: :{{ .Values.clients.port }}
+        - name: PROXY_URL
+          value: {{ template "pushProxy.proxyUrl" . }}
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+        {{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+        volumeMounts:
+        - name: metrics-cert-dir
+          mountPath: /etc/ssl/push-proxy
+        {{- end }}
+        {{- if .Values.clients.resources }}
+        resources: {{ toYaml .Values.clients.resources | nindent 10 }}
+        {{- end }}
+      {{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+      initContainers:
+      - name: copy-certs
+        image: {{ template "system_default_registry" . }}{{ .Values.clients.copyCertsImage.repository }}:{{ .Values.clients.copyCertsImage.tag }}
+        command:
+        - sh
+        - -c
+        - |
+          echo "Searching for files to copy within the source volume"
+          echo "cert: ${CERT_FILE_NAME}"
+          echo "key: ${KEY_FILE_NAME}"
+          echo "cacert: ${CACERT_FILE_NAME}"
+
+          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
+          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
+          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
+          
+          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
+          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
+          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
+
+          echo "Copying cert file from $CERT_FILE_SOURCE to $CERT_FILE_TARGET"
+          cp $CERT_FILE_SOURCE $CERT_FILE_TARGET || exit 1
+          chmod 444 $CERT_FILE_TARGET || exit 1
+
+          echo "Copying key file from $KEY_FILE_SOURCE to $KEY_FILE_TARGET"
+          cp $KEY_FILE_SOURCE $KEY_FILE_TARGET || exit 1
+          chmod 444 $KEY_FILE_TARGET || exit 1
+
+          echo "Copying cacert file from $CACERT_FILE_SOURCE to $CACERT_FILE_TARGET"
+          cp $CACERT_FILE_SOURCE $CACERT_FILE_TARGET || exit 1
+          chmod 444 $CACERT_FILE_TARGET || exit 1
+        env:
+        - name: CERT_FILE_NAME
+          value: {{ required "Need a TLS cert file for scraping metrics endpoint over HTTPs" .Values.clients.https.certFile }}
+        - name: KEY_FILE_NAME
+          value: {{ required "Need a TLS key file for scraping metrics endpoint over HTTPs" .Values.clients.https.keyFile }}
+        - name: CACERT_FILE_NAME
+          value: {{ required "Need a TLS CA cert file for scraping metrics endpoint over HTTPs" .Values.clients.https.caCertFile }}
+        - name: CERT_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy.pem
+        - name: KEY_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy-key.pem
+        - name: CACERT_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
+        securityContext:
+          runAsNonRoot: false
+        volumeMounts:
+        - name: metrics-cert-dir-source
+          mountPath: /etc/source
+          readOnly: true
+        - name: metrics-cert-dir
+          mountPath: /etc/ssl/push-proxy
+      volumes:
+      - name: metrics-cert-dir-source
+        hostPath:
+          path: {{ required "Need access to volume on host with the SSL cert files to use HTTPs" .Values.clients.https.certDir }}
+      - name: metrics-cert-dir
+        emptyDir: {}
+      {{- end }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/pushprox-proxy-rbac.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "pushProxy.proxy.name" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "pushProxy.proxy.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "pushProxy.proxy.name" . }}
+    namespace: {{ include "pushprox.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/pushprox-proxy.yaml

@@ -0,0 +1,52 @@
+{{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+    pushprox-exporter: "proxy"
+spec:
+  selector:
+    matchLabels: {{ include "pushProxy.proxy.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{ include "pushProxy.proxy.labels" . | nindent 8 }}
+    spec: 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.proxy.nodeSelector }}
+{{ toYaml .Values.proxy.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.proxy.tolerations }}
+{{ toYaml .Values.proxy.tolerations | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ template "pushProxy.proxy.name" . }}
+      containers:
+      - name: pushprox-proxy
+        image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
+        command:
+        {{- range .Values.proxy.command }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- if .Values.proxy.resources }}
+        resources: {{ toYaml .Values.proxy.resources | nindent 10 }}
+        {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+spec:
+  ports:
+  - name: pp-proxy
+    port: {{ required "Need .Values.proxy.port to configure proxy" .Values.proxy.port }}
+    protocol: TCP
+    targetPort: {{ .Values.proxy.port }}
+  selector: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/templates/pushprox-servicemonitor.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "pushprox.serviceMonitor.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.serviceMonitor.labels" . | nindent 4 }}
+spec:
+  endpoints: {{include "pushProxy.serviceMonitor.endpoints" . | nindent 4 }}
+  jobLabel: component
+  podTargetLabels:
+  - component
+  - pushprox-exporter
+  namespaceSelector:
+    matchNames:
+    - {{ template "pushprox.namespace" . }}
+  selector:
+    matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+spec:
+  ports:
+  - name: metrics
+    port: {{ required "Need .Values.metricsPort to configure client to listen to metrics at port" .Values.metricsPort}}
+    protocol: TCP
+    targetPort: {{ .Values.metricsPort }}
+  selector: {{ include "pushProxy.client.labels" . | nindent 4 }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2IngressNginx/values.yaml

@@ -0,0 +1,111 @@
+# Default values for rancher-pushprox.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Default image containing both the proxy and the client was generated from the following Dockerfile
+# https://github.com/prometheus-community/PushProx/blob/eeadbe766641699129920ccfaaaa30a85c67fe81/Dockerfile#L1-L15
+
+# Note: if using a cloud provider, the nodes that contain the PushProxy client must allow the node(s) that contain(s)
+# the PushProxy proxy to communicate with it on port {{ .Values.clients.port }}. If you have special restrictions,
+# (i.e. client should only run on etcd nodes and only control plane should have access to the port on the etcd node),
+# you will need to set the clients / proxy nodeSelector and tolerations accordingly
+
+# Configuration
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+
+namespaceOverride: ""
+
+# The component that is being monitored (i.e. etcd)
+component: "component"
+
+# The port containing the metrics that need to be scraped
+metricsPort: 2739
+
+# Configure ServiceMonitor that monitors metrics from the metricsPort endpoint
+serviceMonitor:
+  enabled: true
+  # A list of endpoints that will be added to the ServiceMonitor based on the Endpoint spec
+  # Source: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  # By default, proxyUrl and params._scheme will be overridden based on other values
+  endpoints:
+  - port: metrics
+
+clients:
+  enabled: true
+  # The port which the PushProx client will post PushProx metrics to
+  port: 9369
+  # If unset, this will default to the URL for the proxy service: http://pushprox-{{component}}-proxy.{{namepsace}}.svc.cluster.local:{{proxy.port}}
+  # Should be modified if the clients are being deployed outside the cluster where the proxy rests, otherwise leave it null
+  proxyUrl: ""
+  # If set to true, the client will forward any requests from the host IP to 127.0.0.1
+  # It will only allow proxy requests to the metricsPort specified
+  useLocalhost: false
+  # Configuration for accessing metrics via HTTPS
+  https:
+    # Does the client require https to access the metrics?
+    enabled: false
+    # If set to true, the client will create a service account with adequate permissions and set a flag
+    # on the client to use the service account token provided by it to make authorized scrape requests
+    useServiceAccountCredentials: false
+    # If set to true, the client will disable SSL security checks
+    insecureSkipVerify: false
+    # Directory on host where necessary TLS cert and key to scrape metrics can be found
+    certDir: ""
+    # Filenames for files located in .Values.clients.https.certDir that correspond to TLS settings
+    certFile: ""
+    keyFile: ""
+    caCertFile: ""
+
+  rbac:
+    # Additional permissions to provide to the ServiceAccount bound to the client
+    # This can be used to provide additional permissions for the client to scrape metrics from the k8s API
+    # Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true
+    additionalRules: []
+
+  # Resource limits
+  resources: {}
+
+  # Options to select all nodes to deploy client DaemonSet on
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+  image:
+    repository: rancher/pushprox-client
+    tag: v0.1.0-rancher2-client
+  command: ["pushprox-client"]
+
+  copyCertsImage:
+    repository: rancher/mirrored-library-busybox
+    tag: 1.31.1
+
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
+proxy:
+  enabled: true
+  # The port through which PushProx clients will communicate to the proxy
+  port: 8080
+  
+  # Resource limits
+  resources: {}
+  
+  # Options to select a node to run a single proxy deployment on
+  nodeSelector: {}
+  tolerations: []
+
+  image:
+    repository: rancher/pushprox-proxy
+    tag: v0.1.0-rancher2-proxy
+  command: ["pushprox-proxy"]

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Proxy/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rke2Scheduler/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeControllerManager/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/README.md

@@ -24,6 +24,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | ----- | ----------- | ------ |
 | `component` | The component that is being monitored | `kube-etcd`
 | `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
 
 #### Optional
 | Parameter | Description | Default |
@@ -42,6 +43,9 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
 | `clients.resources` | Set resource limits and requests for the client container | `{}` |
 | `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
 | `clients.tolerations` | Specify tolerations for clients | `[]` |

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/templates/_helpers.tpl

@@ -49,7 +49,7 @@ provider: kubernetes
 {{- if .Values.clients.proxyUrl -}}
 {{ printf "%s" .Values.clients.proxyUrl }}
 {{- else -}}
-{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) .Release.Namespace (int .Values.proxy.port) }}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
 {{- end -}}{{- end -}}
 
 # Client

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/templates/pushprox-clients-rbac.yaml

@@ -30,20 +30,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.client.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.client.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/templates/pushprox-clients.yaml

@@ -1,18 +1,28 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
 kind: DaemonSet
+{{- end }}
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ template "pushprox.namespace" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
     pushprox-exporter: "client"
 spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
   selector:
     matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
     spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.clients.nodeSelector }}
 {{ toYaml .Values.clients.nodeSelector | indent 8 }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/templates/pushprox-proxy-rbac.yaml

@@ -23,20 +23,20 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "pushProxy.proxy.name" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "pushprox.namespace" . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "pushProxy.proxy.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "pushprox.namespace" . }}
   labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
 spec:
   privileged: false

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeEtcd/values.yaml

@@ -16,6 +16,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
 
+namespaceOverride: ""
+
 # The component that is being monitored (i.e. etcd)
 component: "component"
 
@@ -69,6 +71,7 @@ clients:
   # Options to select all nodes to deploy client DaemonSet on
   nodeSelector: {}
   tolerations: []
+  affinity: {}
 
   image:
     repository: rancher/pushprox-client
@@ -79,6 +82,17 @@ clients:
     repository: rancher/mirrored-library-busybox
     tag: 1.31.1
 
+  # The default intention of rancher-pushprox clients is to scrape hostNetwork metrics across all nodes.
+  # This can be used to scrape internal Kubernetes components or DaemonSets of hostNetwork Pods in
+  # situations where a cloud provider firewall prevents Pod-To-Host communication but not Pod-To-Pod.
+  # However, if the underlying hostNetwork Pod that is being scraped is managed by a Deployment,
+  # this advanced option enables users to deploy the client as a Deployment instead of a DaemonSet.
+  # If a user deploys this feature and the underlying Deployment's number of replicas changes, the user will
+  # be responsible for upgrading this chart accordingly to the right number of replicas.
+  deployment:
+    enabled: false
+    replicas: 0
+
 proxy:
   enabled: true
   # The port through which PushProx clients will communicate to the proxy

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/Chart.yaml

@@ -0,0 +1,13 @@
+annotations:
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/os: linux
+  catalog.rancher.io/certified: rancher
+  catalog.rancher.io/namespace: cattle-monitoring-system
+  catalog.rancher.io/release-name: rancher-pushprox
+apiVersion: v1
+appVersion: 0.1.0
+description: Sets up a deployment of the PushProx proxy and a DaemonSet of PushProx
+  clients.
+name: rkeIngressNginx
+type: application
+version: 0.1.4

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/README.md

@@ -0,0 +1,60 @@
+# rancher-pushprox
+
+A Rancher chart based on Rancher [PushProx](https://github.com/rancher/PushProx) that sets up a Deployment of a PushProx proxy and a DaemonSet of PushProx clients on a Kubernetes cluster.
+
+Installs [rancher-pushprox](https://github.com/rancher/charts/tree/gh-pages/packages/rancher-pushprox) to create PushProx clients that can access their host's network and register with a PushProx proxy. A [Prometheus Operator](https://github.com/coreos/prometheus-operator) ServiceMonitor CR is also included that is configured to scrape the metrics from each of the clients through the proxy.
+
+Using an instance of this chart is suitable for the following scenarios:
+- You need to scrape metrics from a port that should not be accessible outside of the host (e.g. scraping `etcd` metrics in a hardened cluster)
+- You need to scrape metrics on a host that are not exposed outside of 127.0.0.1 (e.g. scraping `kube-proxy` metrics)
+- You need to scrape metrics through HTTPS using certs hosted directly on `hostPath`
+- You need to scrape metrics from Kubernetes components that require authorization via a service account (e.g. permissions to make request to `/metrics`)
+- You need to scrape metrics without access to cacerts (i.e. enable `insecureSkipVerify`)
+
+The clients and proxy are created based on a Rancher fork of the [prometheus-community/PushProx](https://github.com/prometheus-community/PushProx) project.
+
+## Configuration
+
+The following tables list the configurable parameters of the rancher-pushprox chart and their default values.
+
+### General
+
+#### Required
+| Parameter | Description | Example |
+| ----- | ----------- | ------ |
+| `component` | The component that is being monitored | `kube-etcd`
+| `metricsPort` | The port on the host that contains the metrics you want to scrape (e.g. `http://<HOST_IP>:<metricsPort>/metrics`) | `2379` |
+| `namespaceOverride` | The namespace to install the chart | `""`
+
+#### Optional
+| Parameter | Description | Default |
+| ----- | ----------- | ------ |
+| `serviceMonitor.enabled` | Deploys a [Prometheus Operator](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor) ServiceMonitor CR that is configured to scrape metrics on the hosts that the clients are deployed on via the proxy. Also deploys a Service that points to all pods with the expected client name that exposes the `metricsPort` selected | `true` |
+| `serviceMonitor.endpoints` | A list of endpoints that will be added to the ServiceMonitor based on the [Endpoint spec](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint) | `[{port: metrics}]` |
+| `clients.enabled` | Deploys a DaemonSet of clients that are each capable of scraping endpoints on the hostNetwork it is deployed on | `true` |
+| `clients.port` |  The port where the client will publish PushProx client-specific metrics. If deploying multiple clients onto the same node, the clients should not have conflicting ports | `9369` |
+| `clients.proxyUrl` | Overrides the default proxyUrl setting of `http://pushprox-{{ .Values.component }}-proxy.{{ . Release.Namespace }}.svc.cluster.local:{{ .Values.proxy.port }}"` with the `proxyUrl` specified | `""` |
+| `clients.useLocalhost` | Sets a flag on each client deployment to redirect scrapes directed to `HOST_IP` to `127.0.0.1` | `false` |
+| `clients.https.enabled` | Enables scraping metrics via HTTPS using the provided TLS certs that exist on each host | `false` |
+| `clients.https.useServiceAccountCredentials` | If set to true, the client will create a service account with permissions to scrape `/metrics` endpoint of Kubernetes components. The client will use the service account token provided to make authorized scrape requests to the Kubernetes API | `false` |
+| `clients.https.insecureSkipVerify` | If set to true, the client will disable SSL security checks | `false` |
+| `clients.https.certDir` | A `hostPath` where TLS certs can be found. This path is mounted as a volume on an `initContainer` which copies only the necessary files over to an EmptyDir volume used by each client. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
+| `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
+| `clients.deployment.replicas` | The number of pods the Deployment has, it should match the number of pod the hostNetwork Deployment has. Required and only used if `client.deployment.enable` is set | `0` |
+| `clients.deployment.affinity` | The affinity rules that allocate the pod to the node in which the hostNetwork Deployment's pods run. Required and only used if `client.deployment.enable` is set | `{}` |
+| `clients.resources` | Set resource limits and requests for the client container | `{}` |
+| `clients.nodeSelector` | Select which nodes to deploy the clients on | `{}` |
+| `clients.tolerations` | Specify tolerations for clients | `[]` |
+| `proxy.enabled` | Deploys the proxy that each client will register with | `true` |
+| `proxy.port` | The port exposed by the proxy that each client will register with to allow metrics to be scraped from the host | `8080` |
+| `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
+| `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
+| `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+
+*Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 
+
+See [rancher-monitoring](https://github.com/rancher/charts/tree/gh-pages/packages/rancher-monitoring) for examples of how this chart can be used.

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/templates/_helpers.tpl

@@ -0,0 +1,104 @@
+# Rancher
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+# Windows Support
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
+
+# General
+
+{{- define "pushprox.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "pushProxy.commonLabels" -}}
+release: {{ .Release.Name }}
+component: {{ .Values.component | quote }}
+provider: kubernetes
+{{- end -}}
+
+{{- define "pushProxy.proxyUrl" -}}
+{{- $_ := (required "Template requires either .Values.proxy.port or .Values.client.proxyUrl to set proxyUrl for client" (or .Values.clients.proxyUrl .Values.proxy.port)) -}}
+{{- if .Values.clients.proxyUrl -}}
+{{ printf "%s" .Values.clients.proxyUrl }}
+{{- else -}}
+{{ printf "http://%s.%s.svc:%d" (include "pushProxy.proxy.name" .) (include "pushprox.namespace" .) (int .Values.proxy.port) }}
+{{- end -}}{{- end -}}
+
+# Client
+
+{{- define "pushProxy.client.name" -}}
+{{- printf "pushprox-%s-client" (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.client.labels" -}}
+k8s-app: {{ template "pushProxy.client.name" . }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+# Proxy
+
+{{- define "pushProxy.proxy.name" -}}
+{{- printf "pushprox-%s-proxy" (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.proxy.labels" -}}
+k8s-app: {{ template "pushProxy.proxy.name" . }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+# ServiceMonitor
+
+{{- define "pushprox.serviceMonitor.name" -}}
+{{- printf "%s-%s" .Release.Name (required ".Values.component is required" .Values.component) -}}
+{{- end -}}
+
+{{- define "pushProxy.serviceMonitor.labels" -}}
+app: {{ template "pushprox.serviceMonitor.name" . }}
+release: {{ .Release.Name | quote }}
+{{ template "pushProxy.commonLabels" . }}
+{{- end -}}
+
+{{- define "pushProxy.serviceMonitor.endpoints" -}}
+{{- $proxyURL := (include "pushProxy.proxyUrl" .) -}}
+{{- $useHTTPS := .Values.clients.https.enabled -}}
+{{- $endpoints := .Values.serviceMonitor.endpoints }}
+{{- range $endpoints }}
+{{- $_ := set . "proxyUrl" $proxyURL }}
+{{- if $useHTTPS -}}
+{{- if (hasKey . "params") }}
+{{- $_ := set (get . "params") "_scheme" (list "https") }}
+{{- else }}
+{{- $_ := set . "params" (dict "_scheme" (list "https")) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- toYaml $endpoints }}
+{{- end -}}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/templates/pushprox-clients-rbac.yaml

@@ -0,0 +1,77 @@
+{{- if .Values.clients }}{{- if .Values.clients.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "pushProxy.client.name" . }}
+{{- if and .Values.clients.https.enabled .Values.clients.https.useServiceAccountCredentials }}
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
+{{- if .Values.clients.rbac.additionalRules }}
+{{ toYaml .Values.clients.rbac.additionalRules }}
+{{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "pushProxy.client.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "pushProxy.client.name" . }}
+    namespace: {{ include "pushprox.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+    - 'emptyDir'
+    - 'hostPath'
+  allowedHostPaths:
+  - pathPrefix: {{ required "Need access to volume on host with the SSL cert files to use HTTPs" .Values.clients.https.certDir }}
+    readOnly: true
+{{- end }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/templates/pushprox-clients.yaml

@@ -0,0 +1,145 @@
+{{- if .Values.clients }}{{- if .Values.clients.enabled }}
+apiVersion: apps/v1
+{{- if .Values.clients.deployment.enabled }}
+kind: Deployment
+{{- else }}
+kind: DaemonSet
+{{- end }}
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+    pushprox-exporter: "client"
+spec:
+  {{- if .Values.clients.deployment.enabled }}
+  replicas: {{ .Values.clients.deployment.replicas }}
+  {{- end }}
+  selector:
+    matchLabels: {{ include "pushProxy.client.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
+    spec:
+      {{- if .Values.clients.affinity }}
+      affinity: {{ toYaml .Values.clients.affinity | nindent 8 }}
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.clients.nodeSelector }}
+{{ toYaml .Values.clients.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.clients.tolerations }}
+{{ toYaml .Values.clients.tolerations | indent 8 }}
+{{- end }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ template "pushProxy.client.name" . }}
+      containers:
+      - name: pushprox-client
+        image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
+        command:
+        {{- range .Values.clients.command }}
+          - {{ . | quote }}
+        {{- end }}
+        args:
+        - --fqdn=$(HOST_IP)
+        - --proxy-url=$(PROXY_URL)
+        - --metrics-addr=$(PORT)
+        - --allow-port={{ required "Need .Values.metricsPort to configure client to be allowed to scrape metrics at port" .Values.metricsPort}}
+        {{- if .Values.clients.useLocalhost }}
+        - --use-localhost
+        {{- end }}
+        {{- if .Values.clients.https.enabled }}
+        {{- if .Values.clients.https.insecureSkipVerify }}
+        - --insecure-skip-verify
+        {{- end }}
+        {{- if .Values.clients.https.useServiceAccountCredentials }}
+        - --token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
+        {{- end }}
+        {{- if .Values.clients.https.certDir }}
+        - --tls.cert=/etc/ssl/push-proxy/push-proxy.pem
+        - --tls.key=/etc/ssl/push-proxy/push-proxy-key.pem
+        - --tls.cacert=/etc/ssl/push-proxy/push-proxy-ca-cert.pem
+        {{- end }}
+        {{- end }}
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: PORT
+          value: :{{ .Values.clients.port }}
+        - name: PROXY_URL
+          value: {{ template "pushProxy.proxyUrl" . }}
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+        {{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+        volumeMounts:
+        - name: metrics-cert-dir
+          mountPath: /etc/ssl/push-proxy
+        {{- end }}
+        {{- if .Values.clients.resources }}
+        resources: {{ toYaml .Values.clients.resources | nindent 10 }}
+        {{- end }}
+      {{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+      initContainers:
+      - name: copy-certs
+        image: {{ template "system_default_registry" . }}{{ .Values.clients.copyCertsImage.repository }}:{{ .Values.clients.copyCertsImage.tag }}
+        command:
+        - sh
+        - -c
+        - |
+          echo "Searching for files to copy within the source volume"
+          echo "cert: ${CERT_FILE_NAME}"
+          echo "key: ${KEY_FILE_NAME}"
+          echo "cacert: ${CACERT_FILE_NAME}"
+
+          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
+          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
+          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
+          
+          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
+          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
+          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
+
+          echo "Copying cert file from $CERT_FILE_SOURCE to $CERT_FILE_TARGET"
+          cp $CERT_FILE_SOURCE $CERT_FILE_TARGET || exit 1
+          chmod 444 $CERT_FILE_TARGET || exit 1
+
+          echo "Copying key file from $KEY_FILE_SOURCE to $KEY_FILE_TARGET"
+          cp $KEY_FILE_SOURCE $KEY_FILE_TARGET || exit 1
+          chmod 444 $KEY_FILE_TARGET || exit 1
+
+          echo "Copying cacert file from $CACERT_FILE_SOURCE to $CACERT_FILE_TARGET"
+          cp $CACERT_FILE_SOURCE $CACERT_FILE_TARGET || exit 1
+          chmod 444 $CACERT_FILE_TARGET || exit 1
+        env:
+        - name: CERT_FILE_NAME
+          value: {{ required "Need a TLS cert file for scraping metrics endpoint over HTTPs" .Values.clients.https.certFile }}
+        - name: KEY_FILE_NAME
+          value: {{ required "Need a TLS key file for scraping metrics endpoint over HTTPs" .Values.clients.https.keyFile }}
+        - name: CACERT_FILE_NAME
+          value: {{ required "Need a TLS CA cert file for scraping metrics endpoint over HTTPs" .Values.clients.https.caCertFile }}
+        - name: CERT_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy.pem
+        - name: KEY_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy-key.pem
+        - name: CACERT_FILE_TARGET
+          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
+        securityContext:
+          runAsNonRoot: false
+        volumeMounts:
+        - name: metrics-cert-dir-source
+          mountPath: /etc/source
+          readOnly: true
+        - name: metrics-cert-dir
+          mountPath: /etc/ssl/push-proxy
+      volumes:
+      - name: metrics-cert-dir-source
+        hostPath:
+          path: {{ required "Need access to volume on host with the SSL cert files to use HTTPs" .Values.clients.https.certDir }}
+      - name: metrics-cert-dir
+        emptyDir: {}
+      {{- end }}
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/templates/pushprox-proxy-rbac.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "pushProxy.proxy.name" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "pushProxy.proxy.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "pushProxy.proxy.name" . }}
+    namespace: {{ include "pushprox.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ include "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}{{- end }}

charts/rancher-monitoring/rancher-monitoring/14.5.101+up14.5.0/charts/rkeIngressNginx/templates/pushprox-proxy.yaml

@@ -0,0 +1,52 @@
+{{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+    pushprox-exporter: "proxy"
+spec:
+  selector:
+    matchLabels: {{ include "pushProxy.proxy.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{ include "pushProxy.proxy.labels" . | nindent 8 }}
+    spec: 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.proxy.nodeSelector }}
+{{ toYaml .Values.proxy.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.proxy.tolerations }}
+{{ toYaml .Values.proxy.tolerations | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ template "pushProxy.proxy.name" . }}
+      containers:
+      - name: pushprox-proxy
+        image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
+        command:
+        {{- range .Values.proxy.command }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- if .Values.proxy.resources }}
+        resources: {{ toYaml .Values.proxy.resources | nindent 10 }}
+        {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pushProxy.proxy.name" . }}
+  namespace: {{ template "pushprox.namespace" . }}
+  labels: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+spec:
+  ports:
+  - name: pp-proxy
+    port: {{ required "Need .Values.proxy.port to configure proxy" .Values.proxy.port }}
+    protocol: TCP
+    targetPort: {{ .Values.proxy.port }}
+  selector: {{ include "pushProxy.proxy.labels" . | nindent 4 }}
+{{- end }}{{- end }}