(dev-v2.6-archive) Merge pull request #1195 from thedadams/add-gke-operator

(partially cherry picked from commit 9f439d72ae)

packages/rancher-cis-benchmark/charts/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.0.4
+appVersion: v1.0.5
 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster
 name: rancher-cis-benchmark
-version: 1.0.4
+version: 1.0.5
 icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
 keywords:
   - security

packages/rancher-cis-benchmark/charts/values.yaml

@@ -5,7 +5,7 @@
 image:
   cisoperator:
     repository: rancher/cis-operator
-    tag: v1.0.4
+    tag: v1.0.5-rc1
   securityScan:
     repository: rancher/security-scan
     tag: v0.2.3

packages/rancher-cis-benchmark/templates/crd-template/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-version: 1.0.4
+version: 1.0.5
 description: Installs the CRDs for rancher-cis-benchmark.
 name: rancher-cis-benchmark-crd
 type: application

packages/rancher-eks-operator-crd/generated-changes/patch/Chart.yaml.patch

@@ -1,12 +0,0 @@
---- charts-original/Chart.yaml
-+++ charts/Chart.yaml
-@@ -5,7 +5,7 @@
-   catalog.cattle.io/os: linux
-   catalog.cattle.io/release-name: rancher-eks-operator-crd
- apiVersion: v2
--appVersion: 2.0.1-rc1
-+appVersion: 2.0.1
- description: EKS Operator CustomResourceDefinitions
- name: rancher-eks-operator-crd
--version: 2.0.1-rc1
-+version: 2.0.1

packages/rancher-eks-operator-crd/package.yaml

@@ -1,2 +1,2 @@
-url: https://github.com/rancher/eks-operator/releases/download/v2.0.1-rc1/rancher-eks-operator-crd-2.0.1-rc1.tgz
+url: https://github.com/rancher/eks-operator/releases/download/v1.1.1-rc1/rancher-eks-operator-crd-1.1.1-rc1.tgz
 packageVersion: 0

packages/rancher-eks-operator/generated-changes/patch/Chart.yaml.patch

@@ -1,15 +0,0 @@
---- charts-original/Chart.yaml
-+++ charts/Chart.yaml
-@@ -9,10 +9,10 @@
-   catalog.cattle.io/release-name: rancher-eks-operator
-   catalog.cattle.io/scope: management
- apiVersion: v2
--appVersion: 2.0.1-rc1
-+appVersion: 2.0.1
- description: A Helm chart for provisioning EKS clusters
- home: https://github.com/rancher/eks-operator
- name: rancher-eks-operator
- sources:
- - https://github.com/rancher/eks-operator
--version: 2.0.1-rc1
-+version: 2.0.1

packages/rancher-eks-operator/package.yaml

@@ -1,2 +1,2 @@
-url: https://github.com/rancher/eks-operator/releases/download/v2.0.1-rc1/rancher-eks-operator-2.0.1-rc1.tgz
+url: https://github.com/rancher/eks-operator/releases/download/v1.1.1-rc1/rancher-eks-operator-1.1.1-rc1.tgz
 packageVersion: 0

packages/rancher-grafana/generated-changes/patch/templates/pvc.yaml.patch

@@ -0,0 +1,18 @@
+--- charts-original/templates/pvc.yaml
++++ charts/templates/pvc.yaml
+@@ -16,12 +16,14 @@
+   {{- end }}
+ spec:
+   accessModes:
++{{- $_ := required "Must provide at least one access mode for persistent volumes used by Grafana" .Values.persistence.accessModes }}
++{{- $_ := required "Must provide at least one access mode for persistent volumes used by Grafana" (first .Values.persistence.accessModes) }}
+     {{- range .Values.persistence.accessModes }}
+     - {{ . | quote }}
+     {{- end }}
+   resources:
+     requests:
+-      storage: {{ .Values.persistence.size | quote }}
++      storage: {{ required "Must provide size for persistent volumes used by Grafana" .Values.persistence.size | quote }}
+   {{- if .Values.persistence.storageClassName }}
+   storageClassName: {{ .Values.persistence.storageClassName }}
+   {{- end -}}

packages/rancher-grafana/generated-changes/patch/templates/statefulset.yaml.patch

@@ -0,0 +1,17 @@
+--- charts-original/templates/statefulset.yaml
++++ charts/templates/statefulset.yaml
+@@ -39,11 +39,13 @@
+   - metadata:
+       name: storage
+     spec:
++{{- $_ := required "Must provide at least one access mode for persistent volumes used by Grafana" .Values.persistence.accessModes }}
++{{- $_ := required "Must provide at least one access mode for persistent volumes used by Grafana" (first .Values.persistence.accessModes) }}
+       accessModes: {{ .Values.persistence.accessModes }}
+       storageClassName: {{ .Values.persistence.storageClassName }}
+       resources:
+         requests:
+-          storage: {{ .Values.persistence.size }}
++          storage: {{ required "Must provide size for persistent volumes used by Grafana" .Values.persistence.size }}
+       {{- with .Values.persistence.selectorLabels }}
+       selector:
+         matchLabels:

packages/rancher-grafana/package.yaml

@@ -1,4 +1,4 @@
 url: https://github.com/grafana/helm-charts.git
 subdirectory: charts/grafana
 commit: 837b4ace32278eee14310f1d654d651d0898bb19
-packageVersion: 1
+packageVersion: 2

packages/rancher-logging/generated-changes/overlay/templates/loggings/kube-audit/logging.yaml

@@ -0,0 +1,98 @@
+{{- if .Values.additionalLoggingSources.kubeAudit.enabled }}
+apiVersion: logging.banzaicloud.io/v1beta1
+kind: Logging
+metadata:
+  name: {{ .Release.Name }}-kube-audit
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "logging-operator.labels" . | indent 4 }}
+spec:
+  controlNamespace: {{ .Release.Namespace }}
+  {{- if .Values.additionalLoggingSources.kubeAudit.loggingRef }}
+  loggingRef: {{ .Values.additionalLoggingSources.kubeAudit.loggingRef }}
+  {{- end }}
+  fluentbit:
+    disableKubernetesFilter: true
+    image:
+      repository: {{ template "system_default_registry" . }}{{ .Values.images.fluentbit.repository }}
+      tag: {{ .Values.images.fluentbit.tag }}
+    inputTail:
+      Tag: {{ .Values.additionalLoggingSources.kubeAudit.fluentbit.logTag }}
+      Path: /kube-audit-logs/{{ template "kubeAuditFilename" . }}
+      Parser: json
+      {{- if .Values.fluentbit.inputTail.Buffer_Chunk_Size }}
+      Buffer_Chunk_Size: {{ .Values.fluentbit.inputTail.Buffer_Chunk_Size }}
+      {{- end }}
+      {{- if .Values.fluentbit.inputTail.Buffer_Max_Size }}
+      Buffer_Max_Size: {{ .Values.fluentbit.inputTail.Buffer_Max_Size }}
+      {{- end }}
+      {{- if .Values.fluentbit.inputTail.Mem_Buf_Limit }}
+      Mem_Buf_Limit: {{ .Values.fluentbit.inputTail.Mem_Buf_Limit }}
+      {{- end }}
+      {{- if .Values.fluentbit.inputTail.Multiline_Flush }}
+      Multiline_Flush: {{ .Values.fluentbit.inputTail.Multiline_Flush }}
+      {{- end }}
+      {{- if .Values.fluentbit.inputTail.Skip_Long_Lines }}
+      Skip_Long_Lines: {{ .Values.fluentbit.inputTail.Skip_Long_Lines }}
+      {{- end }}
+    extraVolumeMounts:
+    - source: {{ template "kubeAuditPathPrefix" . }}
+      destination: "/kube-audit-logs"
+      readOnly: true
+    {{- if not .Values.disablePvc }}
+    {{- with .Values.fluentbit.bufferStorage }}
+    bufferStorage: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.fluentbit.bufferStorageVolume }}
+    bufferStorageVolume: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    {{- if .Values.global.psp.enabled }}
+    security:
+      podSecurityPolicyCreate: true
+      roleBasedAccessControlCreate: true
+    {{- end }}
+    {{- with (concat (.Values.tolerations) (.Values.additionalLoggingSources.kubeAudit.fluentbit.tolerations)) }}
+    tolerations: 
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    nodeSelector:
+      {{- include "controlplaneSelector" . | nindent 6 }}
+    {{- with .Values.fluentbit.resources }}
+    resources: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  fluentd:
+    image:
+      repository: {{ template "system_default_registry" . }}{{ .Values.images.fluentd.repository }}
+      tag: {{ .Values.images.fluentd.tag }}
+    configReloaderImage:
+      repository: {{ template "system_default_registry" . }}{{ .Values.images.config_reloader.repository }}
+      tag: {{ .Values.images.config_reloader.tag }}
+    {{- if not .Values.disablePvc }}
+    {{- with .Values.fluentd.bufferStorageVolume }}
+    bufferStorageVolume: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    disablePvc: {{ .Values.disablePvc }}
+    {{- if .Values.fluentd.replicas }}
+    scaling:
+      replicas: {{ .Values.fluentd.replicas }}
+    {{- end }}
+    {{- if .Values.global.psp.enabled }}
+    security:
+      podSecurityPolicyCreate: true
+      roleBasedAccessControlCreate: true
+    {{- end }}
+    {{- with (default .Values.tolerations .Values.fluentd.tolerations) }}
+    tolerations: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with (default .Values.nodeSelector .Values.fluentd.nodeSelector) }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.fluentd.resources }}
+    resources: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.fluentd.livenessProbe }}
+    livenessProbe: {{- toYaml . | nindent 6 }}
+    {{- end }}
+{{- end }}

packages/rancher-logging/generated-changes/patch/templates/_helpers.tpl.patch

@@ -1,6 +1,6 @@
 --- charts-original/templates/_helpers.tpl
 +++ charts/templates/_helpers.tpl
-@@ -56,3 +56,33 @@
+@@ -56,3 +56,68 @@
  {{- end }}
  app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{- end -}}
@@ -34,3 +34,39 @@
 +{{- define "windowsInputTailMount" -}}
 +{{- (include "windowsPathPrefix" .) | replace "C:" "" -}}
 +{{- end -}}
++
++{{/*
++Set the controlplane selector based on kubernetes distribution
++*/}}
++{{- define "controlplaneSelector" -}}
++{{- $master := or .Values.additionalLoggingSources.rke2.enabled .Values.additionalLoggingSources.k3s.enabled -}}
++{{- $defaultSelector := $master | ternary (dict "node-role.kubernetes.io/master" "true") (dict "node-role.kubernetes.io/controlplane" "true") -}}
++{{ default $defaultSelector .Values.additionalLoggingSources.kubeAudit.nodeSelector | toYaml }}
++{{- end -}}
++
++{{/*
++Set kube-audit file path prefix based on distribution
++*/}}
++{{- define "kubeAuditPathPrefix" -}}
++{{- if .Values.additionalLoggingSources.rke.enabled -}}
++{{ default "/var/log/kube-audit" .Values.additionalLoggingSources.kubeAudit.pathPrefix }}
++{{- else if .Values.additionalLoggingSources.rke2.enabled -}}
++{{ default "/var/lib/rancher/rke2/server/logs" .Values.additionalLoggingSources.kubeAudit.pathPrefix }}
++{{- else -}}
++{{ required "Directory PathPrefix of the kube-audit location is required" .Values.additionalLoggingSources.kubeAudit.pathPrefix }}
++{{- end -}}
++{{- end -}}
++
++{{/*
++Set kube-audit file name based on distribution
++*/}}
++{{- define "kubeAuditFilename" -}}
++{{- if .Values.additionalLoggingSources.rke.enabled -}}
++{{ default "audit-log.json" .Values.additionalLoggingSources.kubeAudit.auditFilename }}
++{{- else if .Values.additionalLoggingSources.rke2.enabled -}}
++{{ default "audit.log" .Values.additionalLoggingSources.kubeAudit.auditFilename }}
++{{- else -}}
++{{ required "Filename of the kube-audit log is required" .Values.additionalLoggingSources.kubeAudit.auditFilename }}
++{{- end -}}
++{{- end -}}
+\ No newline at end of file

packages/rancher-logging/generated-changes/patch/values.yaml.patch

@@ -36,7 +36,7 @@
  rbac:
    enabled: true
    psp:
-@@ -85,3 +93,94 @@
+@@ -85,3 +93,107 @@
      additionalLabels: {}
      metricRelabelings: []
      relabelings: []
@@ -62,6 +62,19 @@
 +    enabled: false
 +  gke:
 +    enabled: false
++  kubeAudit:
++    auditFilename: ""
++    enabled: false
++    pathPrefix: ""
++    fluentbit:
++      logTag: kube-audit
++      tolerations:
++      - key: node-role.kubernetes.io/controlplane
++        value: "true"
++        effect: NoSchedule
++      - key: node-role.kubernetes.io/etcd
++        value: "true"
++        effect: NoExecute
 +
 +images:
 +  config_reloader:

packages/rancher-monitoring/generated-changes/patch/values.yaml.patch

@@ -1,6 +1,6 @@
 --- charts-original/values.yaml
 +++ charts/values.yaml
-@@ -2,13 +2,278 @@
+@@ -2,13 +2,279 @@
  # This is a YAML-formatted file.
  # Declare variables to be passed into your templates.
  
@@ -225,9 +225,10 @@
 +    nodeSelector:
 +      node-role.kubernetes.io/etcd: "true"
 +    tolerations:
++      - effect: "NoExecute"
++        operator: "Exists"
 +      - effect: "NoSchedule"
-+        key: node-role.kubernetes.io/master
++        operator: "Exists"
-+        operator: "Equal"
 +
 +## Component scraping nginx-ingress-controller
 +##
@@ -281,7 +282,7 @@
  
  ## Provide a k8s version to auto dashboard import script example: kubeTargetVersionOverride: 1.16.6
  ##
-@@ -89,8 +354,32 @@
+@@ -89,8 +355,32 @@
  
  ##
  global:
@@ -314,7 +315,7 @@
      pspEnabled: true
      pspAnnotations: {}
        ## Specify pod annotations
-@@ -143,6 +432,22 @@
+@@ -143,6 +433,22 @@
    ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file
    ##      https://prometheus.io/webtools/alerting/routing-tree-editor/
    ##
@@ -337,7 +338,7 @@
    config:
      global:
        resolve_timeout: 5m
-@@ -179,25 +484,76 @@
+@@ -179,25 +485,76 @@
    ## ref: https://prometheus.io/docs/alerting/notifications/
    ##      https://prometheus.io/docs/alerting/notification_examples/
    ##
@@ -433,7 +434,7 @@
  
    ingress:
      enabled: false
-@@ -235,6 +591,25 @@
+@@ -235,6 +592,25 @@
    ## Configuration for Alertmanager secret
    ##
    secret:
@@ -459,7 +460,7 @@
      annotations: {}
  
    ## Configuration for creating an Ingress that will map to each Alertmanager replica service
-@@ -352,7 +727,7 @@
+@@ -352,7 +728,7 @@
      ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
      tlsConfig: {}
  
@@ -468,7 +469,7 @@
  
      ## 	metric relabel configs to apply to samples before ingestion.
      ##
-@@ -383,7 +758,7 @@
+@@ -383,7 +759,7 @@
      ## Image of Alertmanager
      ##
      image:
@@ -477,7 +478,7 @@
        tag: v0.21.0
        sha: ""
  
-@@ -495,9 +870,13 @@
+@@ -495,9 +871,13 @@
      ## Define resources requests and limits for single Pods.
      ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
      ##
@@ -494,7 +495,7 @@
  
      ## Pod anti-affinity can prevent the scheduler from placing Prometheus replicas on the same node.
      ## The default value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided.
-@@ -601,10 +980,46 @@
+@@ -601,10 +981,46 @@
    enabled: true
    namespaceOverride: ""
  
@@ -541,7 +542,7 @@
    adminPassword: prom-operator
  
    ingress:
-@@ -644,6 +1059,7 @@
+@@ -644,6 +1060,7 @@
      dashboards:
        enabled: true
        label: grafana_dashboard
@@ -549,7 +550,7 @@
  
        ## Annotations for Grafana dashboard configmaps
        ##
-@@ -692,7 +1108,60 @@
+@@ -692,7 +1109,60 @@
    ## Passed to grafana subchart and used by servicemonitor below
    ##
    service:
@@ -572,7 +573,7 @@
 +  proxy:
 +    image:
 +      repository: rancher/mirrored-library-nginx
-+      tag: 1.19.2-alpine
++      tag: 1.19.9-alpine
 +  
 +  ## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
 +  extraContainers: |
@@ -611,7 +612,7 @@
  
    ## If true, create a serviceMonitor for grafana
    ##
-@@ -722,6 +1191,14 @@
+@@ -722,6 +1192,14 @@
      #   targetLabel: nodename
      #   replacement: $1
      #   action: replace
@@ -626,7 +627,7 @@
  
  ## Component scraping the kube api server
  ##
-@@ -879,7 +1356,7 @@
+@@ -879,7 +1357,7 @@
  ## Component scraping the kube controller manager
  ##
  kubeControllerManager:
@@ -635,7 +636,7 @@
  
    ## If your kube controller manager is not deployed as a pod, specify IPs it can be found on
    ##
-@@ -1014,7 +1491,7 @@
+@@ -1014,7 +1492,7 @@
  ## Component scraping etcd
  ##
  kubeEtcd:
@@ -644,7 +645,7 @@
  
    ## If your etcd is not deployed as a pod, specify IPs it can be found on
    ##
-@@ -1076,7 +1553,7 @@
+@@ -1076,7 +1554,7 @@
  ## Component scraping kube scheduler
  ##
  kubeScheduler:
@@ -653,7 +654,7 @@
  
    ## If your kube scheduler is not deployed as a pod, specify IPs it can be found on
    ##
-@@ -1131,7 +1608,7 @@
+@@ -1131,7 +1609,7 @@
  ## Component scraping kube proxy
  ##
  kubeProxy:
@@ -662,7 +663,7 @@
  
    ## If your kube proxy is not deployed as a pod, specify IPs it can be found on
    ##
-@@ -1210,6 +1687,13 @@
+@@ -1210,6 +1688,13 @@
      create: true
    podSecurityPolicy:
      enabled: true
@@ -676,7 +677,7 @@
  
  ## Deploy node exporter as a daemonset to all nodes
  ##
-@@ -1259,6 +1743,16 @@
+@@ -1259,6 +1744,16 @@
    extraArgs:
      - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
      - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
@@ -693,7 +694,7 @@
  
  ## Manages Prometheus and Alertmanager components
  ##
-@@ -1271,8 +1765,8 @@
+@@ -1271,8 +1766,8 @@
      enabled: true
      # Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
      tlsMinVersion: VersionTLS13
@@ -704,7 +705,7 @@
  
    ## Admission webhook support for PrometheusRules resources added in Prometheus Operator 0.30 can be enabled to prevent incorrectly formatted
    ## rules from making their way into prometheus and potentially preventing the container from starting
-@@ -1289,7 +1783,7 @@
+@@ -1289,7 +1784,7 @@
      patch:
        enabled: true
        image:
@@ -713,7 +714,7 @@
          tag: v1.5.0
          sha: ""
          pullPolicy: IfNotPresent
-@@ -1428,13 +1922,13 @@
+@@ -1428,13 +1923,13 @@
  
    ## Resource limits & requests
    ##
@@ -734,7 +735,7 @@
  
    # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
    # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
-@@ -1487,7 +1981,7 @@
+@@ -1487,7 +1982,7 @@
    ## Prometheus-operator image
    ##
    image:
@@ -743,7 +744,7 @@
      tag: v0.46.0
      sha: ""
      pullPolicy: IfNotPresent
-@@ -1503,7 +1997,7 @@
+@@ -1503,7 +1998,7 @@
    ## Prometheus-config-reloader image to use for config and rule reloading
    ##
    prometheusConfigReloaderImage:
@@ -752,7 +753,7 @@
      tag: v0.46.0
      sha: ""
  
-@@ -1558,6 +2052,14 @@
+@@ -1558,6 +2053,14 @@
      ##
      nodePort: 30901
  
@@ -767,7 +768,7 @@
    ## Configuration for Prometheus service
    ##
    service:
-@@ -1570,7 +2072,7 @@
+@@ -1570,7 +2073,7 @@
      port: 9090
  
      ## To be used with a proxy extraContainer port
@@ -776,7 +777,7 @@
  
      ## List of IP addresses at which the Prometheus server service is available
      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-@@ -1822,7 +2324,7 @@
+@@ -1822,7 +2325,7 @@
      ## Image of Prometheus.
      ##
      image:
@@ -785,7 +786,7 @@
        tag: v2.24.0
        sha: ""
  
-@@ -1885,6 +2387,11 @@
+@@ -1885,6 +2388,11 @@
      ##
      externalUrl: ""
  
@@ -797,7 +798,7 @@
      ## Define which Nodes the Pods are scheduled on.
      ## ref: https://kubernetes.io/docs/user-guide/node-selection/
      ##
-@@ -1917,7 +2424,7 @@
+@@ -1917,7 +2425,7 @@
      ## prometheus resource to be created with selectors based on values in the helm deployment,
      ## which will also match the PrometheusRule resources created
      ##
@@ -806,7 +807,7 @@
  
      ## PrometheusRules to be selected for target discovery.
      ## If {}, select all PrometheusRules
-@@ -1942,7 +2449,7 @@
+@@ -1942,7 +2450,7 @@
      ## prometheus resource to be created with selectors based on values in the helm deployment,
      ## which will also match the servicemonitors created
      ##
@@ -815,7 +816,7 @@
  
      ## ServiceMonitors to be selected for target discovery.
      ## If {}, select all ServiceMonitors
-@@ -1965,7 +2472,7 @@
+@@ -1965,7 +2473,7 @@
      ## prometheus resource to be created with selectors based on values in the helm deployment,
      ## which will also match the podmonitors created
      ##
@@ -824,7 +825,7 @@
  
      ## PodMonitors to be selected for target discovery.
      ## If {}, select all PodMonitors
-@@ -2092,9 +2599,13 @@
+@@ -2092,9 +2600,13 @@
  
      ## Resource limits & requests
      ##
@@ -841,7 +842,7 @@
  
      ## Prometheus StorageSpec for persistent data
      ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/storage.md
-@@ -2117,7 +2628,13 @@
+@@ -2117,7 +2629,13 @@
      #    medium: Memory
  
      # Additional volumes on the output StatefulSet definition.
@@ -856,14 +857,14 @@
  
      # Additional VolumeMounts on the output StatefulSet definition.
      volumeMounts: []
-@@ -2224,9 +2741,34 @@
+@@ -2224,9 +2742,34 @@
      ##
      thanos: {}
  
 +    proxy:
 +      image:
 +        repository: rancher/mirrored-library-nginx
-+        tag: 1.19.2-alpine
++        tag: 1.19.9-alpine
 +
      ## Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to a Prometheus pod.
      ##  if using proxy extraContainer  update targetPort with proxy container port
@@ -892,7 +893,7 @@
  
      ## InitContainers allows injecting additional initContainers. This is meant to allow doing some changes
      ## (permissions, dir tree) on mounted volumes before starting prometheus
-@@ -2234,7 +2776,7 @@
+@@ -2234,7 +2777,7 @@
  
      ## PortName to use for Prometheus.
      ##