mirror of https://git.rancher.io/charts
Generated changes
parent
5c4f18e1ed
commit
cd1edf4097
|
@ -812,7 +812,7 @@ entries:
|
|||
catalog.cattle.io/ui-component: monitoring
|
||||
apiVersion: v1
|
||||
appVersion: 0.38.1
|
||||
created: "2020-10-12T22:25:01.32011898Z"
|
||||
created: "2020-10-13T02:35:33.467832582Z"
|
||||
dependencies:
|
||||
- condition: kubeStateMetrics.enabled
|
||||
name: kube-state-metrics
|
||||
|
@ -908,7 +908,7 @@ entries:
|
|||
description: Collects several related Helm charts, Grafana dashboards, and Prometheus
|
||||
rules combined with documentation and scripts to provide easy to operate end-to-end
|
||||
Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
|
||||
digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
|
||||
digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
|
||||
home: https://github.com/prometheus-operator/kube-prometheus
|
||||
icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
|
||||
keywords:
|
||||
|
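Review bot: The `digest:` of this entry changes while no `version:` line changes in either of the entry's hunks, so an already-published chart archive is being rebuilt in place under the same version. Anyone who pinned or cached the previous digest will see a verification mismatch, and two different archives will have existed under one version. Bump the chart version for the content change so the published archive and its digest stay immutable.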
@ -1078,9 +1078,9 @@ entries:
|
|||
catalog.cattle.io/namespace: cattle-monitoring-system
|
||||
catalog.cattle.io/release-name: rancher-monitoring-crd
|
||||
apiVersion: v1
|
||||
created: "2020-10-12T22:25:01.326842648Z"
|
||||
created: "2020-10-13T02:35:33.474117471Z"
|
||||
description: Installs the CRDs for rancher-monitoring.
|
||||
digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
|
||||
digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
|
||||
name: rancher-monitoring-crd
|
||||
type: application
|
||||
urls:
|
||||
|
@ -1228,4 +1228,4 @@ entries:
|
|||
urls:
|
||||
- assets/rio/rio-0.8.000.tgz
|
||||
version: 0.8.000
|
||||
generated: "2020-10-12T22:53:17.316876871Z"
|
||||
generated: "2020-10-13T02:35:33.438687468Z"
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -19,6 +19,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
|
|||
- Added support for private registries via introducing a new field for `global.cattle.systemDefaultRegistry` that, if supplied, will automatically be prepended onto every image used by the chart.
|
||||
- Added a default `nginx` proxy container deployed with Grafana whose config is set in the `ConfigMap` located in `charts/grafana/templates/nginx-config.yaml`. The purpose of this container is to make it possible to view Grafana's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `service`), which is also where the Grafana service will now point to, and will forward all requests to the Grafana container listening on the default port `3000`.
|
||||
- Added a default `nginx` proxy container deployed with Prometheus whose config is set in the `ConfigMap` located in `templates/prometheus/nginx-config.yaml`. The purpose of this container is to make it possible to view Prometheus's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `web`), which is also where the Prometheus service will now point to, and will forward all requests to the Prometheus container listening on the default port `9090`.
|
||||
- Added support for passing CIS Scans in a hardened cluster by introducing a Job that patches the default service account within the `cattle-monitoring-system` and `cattle-dashboards` namespaces on install or upgrade and adding a default allow all `NetworkPolicy` to the `cattle-monitoring-system` and `cattle-dashboards` namespaces.
|
||||
### Modified
|
||||
- Updated the chart name from `prometheus-operator` to `rancher-monitoring` and added the `io.rancher.certified: rancher` annotation to `Chart.yaml`
|
||||
- Modified the default `node-exporter` port from `9100` to `9796`
|
||||
|
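Review bot: The CIS entry in the `Added` list names a "default allow all `NetworkPolicy`" without stating its effect on isolation: `default-allow-all` uses `podSelector: {}` with an empty ingress and egress rule, so every pod in both namespaces accepts and sends all traffic. Because NetworkPolicies are additive, a narrower policy that an operator adds to those namespaces has no effect while this one exists. Say that in the entry, and consider a values toggle so the policy can be disabled.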
@ -40,7 +41,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
|
|||
- Modified the default `<serviceMonitor|podMonitor|rule>SelectorNilUsesHelmValues` to default to `false`. As a result, we look for all CRs with any labels in all namespaces by default rather than just the ones tagged with the label `release: rancher-monitoring`.
|
||||
- Modified the default images used by the `rancher-monitoring` chart to point to Rancher mirrors of the original images from upstream.
|
||||
- Modified the behavior of the chart to create the Alertmanager Config Secret via a pre-install hook instead of using the normal Helm lifecycle to manage the secret. The benefit of this approach is that all changes to the Config Secret done on a live cluster will never get overridden on a `helm upgrade` since the secret only gets created on a `helm install`. If you would like the secret to be cleaned up on an `helm uninstall`, enable `alertmanager.cleanupOnUninstall`; however, this is disabled by default to prevent the loss of alerting configuration on an uninstall. This secret will never be modified on a `helm upgrade`.
|
||||
- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and set `grafana.rbac.pspUseAppArmor=false` in order to make it possible to deploy this chart on a hardened cluster without AppArmor installed.
|
||||
- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and replaced `grafana.rbac.pspUseAppArmor` in favor of `grafana.rbac.pspAnnotations={}` in order to make it possible to deploy this chart on a hardened cluster which does not support Seccomp or AppArmor annotations in PSPs. Users can always choose to specify the annotations they want to use for the PSP directly as part of the values provided.
|
||||
- Modified `.Values.prometheus.prometheusSpec.containers` to take in a string representing a template that should be rendered by Helm (via `tpl`) instead of allowing a user to provide YAML directly.
|
||||
- Modified the default Grafana configuration to auto assign users who access Grafana to the Viewer role and enable anonymous access to Grafana dashboards by default. This default works well for a Rancher user who is accessing Grafana via the `kubectl proxy` on the Rancher Dashboard UI since anonymous users who enter via the proxy are authenticated by the k8s API Server, but you can / should modify this behavior if you plan on exposing Grafana in a way that does not require authentication (e.g. as a `NodePort` service).
|
||||
- Modified the default Grafana configuration to add a default dashboard for Rancher on the Grafana home page.
|
|
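Review bot: The `securityContext` entry that introduces `grafana.rbac.pspAnnotations={}` is missing an upgrade note: the template no longer reads `grafana.rbac.pspUseAppArmor`, so an existing override of that key is silently ignored, and the `docker/default` seccomp annotations are no longer set on the Grafana PSP by default. List the four annotations a user has to put in `pspAnnotations` to keep the previous behaviour.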
@ -6,13 +6,9 @@ metadata:
|
|||
namespace: {{ template "grafana.namespace" . }}
|
||||
labels:
|
||||
{{- include "grafana.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.rbac.pspUseAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- if .Values.rbac.pspAnnotations }}
|
||||
annotations: {{ toYaml .Values.rbac.pspAnnotations | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
|
|
|
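Review bot: With `annotations:` rendered only from `.Values.rbac.pspAnnotations`, and that value defaulting to `{}`, the Grafana PSP is created with no seccomp or AppArmor profile constraint, where the two `docker/default` seccomp annotations used to be unconditional. If the aim is only to support clusters that reject these annotations, consider shipping the seccomp pair as the default value of `pspAnnotations` and letting those clusters clear it, so a default install does not lose the restriction.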
@ -1,7 +1,17 @@
|
|||
rbac:
|
||||
create: true
|
||||
pspEnabled: true
|
||||
pspUseAppArmor: false
|
||||
pspAnnotations: {}
|
||||
## Specify pod annotations
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
|
||||
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
|
||||
##
|
||||
# seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
# seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
# apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
|
||||
namespaced: false
|
||||
extraRoleRules: []
|
||||
# - apiGroups: []
|
||||
|
|
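Review bot: The comment above the examples reads `## Specify pod annotations`, but `pspAnnotations` is rendered into the `PodSecurityPolicy` metadata, not onto pods; reword it to say PSP annotations. The `#sysctl` reference link has no matching commented example, so either add one or drop the link.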
Binary file not shown.
|
@ -57,4 +57,4 @@ dependencies:
|
|||
repository: file://../../rancher-pushprox/charts
|
||||
version: 0.1.0
|
||||
digest: sha256:816a7b6760971acf88b62b4178a5d8919cb97b6576cdca22021137929b1ed031
|
||||
generated: "2020-10-12T22:24:52.859070811Z"
|
||||
generated: "2020-10-13T02:35:25.604939063Z"
|
||||
|
|
|
@ -0,0 +1,87 @@
|
|||
{{- $namespaces := dict "_0" .Release.Namespace -}}
|
||||
{{- if and .Values.grafana.enabled (or .Values.grafana.sidecar.dashboards.enabled .Values.grafana.defaultDashboardsEnabled) -}}
|
||||
{{- $_ := set $namespaces "_1" .Values.grafana.sidecar.dashboards.searchNamespace -}}
|
||||
{{- end -}}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ .Chart.Name }}-patch-sa
|
||||
annotations:
|
||||
"helm.sh/hook": post-install, post-upgrade
|
||||
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
labels:
|
||||
app: {{ .Chart.Name }}-patch-sa
|
||||
spec:
|
||||
serviceAccountName: {{ .Chart.Name }}-patch-sa
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
{{- range $_, $ns := $namespaces }}
|
||||
- name: patch-sa-{{ $ns }}
|
||||
image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }}
|
||||
imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }}
|
||||
command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
|
||||
args: ["-n", "{{ $ns }}"]
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
labels:
|
||||
app: {{ .Chart.Name }}-patch-sa
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs: ['get', 'patch']
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
labels:
|
||||
app: {{ .Chart.Name }}-patch-sa
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ .Chart.Name }}-patch-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ .Chart.Name }}-patch-sa
|
||||
{{- range $_, $ns := $namespaces }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-allow-all
|
||||
namespace: {{ $ns }}
|
||||
spec:
|
||||
podSelector: {}
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- end }}
|
|
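Review bot: The `ClusterRole` and `ClusterRoleBinding` give the `{{ .Chart.Name }}-patch-sa` account `get` and `patch` on `serviceaccounts` in every namespace, while the Job only patches `default` in the namespaces held in `$namespaces`. Emit a `Role` and `RoleBinding` inside the existing `range $_, $ns := $namespaces` loop instead, and add `resourceNames: ["default"]` to the rule. These RBAC objects and the ServiceAccount carry no `helm.sh/hook` annotations, so unlike the Job they remain in the cluster after it is deleted. Separately, when `grafana.sidecar.dashboards.searchNamespace` equals `.Release.Namespace`, the loop renders two containers with the same `patch-sa-{{ $ns }}` name and two `default-allow-all` policies in one namespace; deduplicate the values before ranging.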
@ -338,6 +338,10 @@ additionalPrometheusRules: []
|
|||
global:
|
||||
cattle:
|
||||
systemDefaultRegistry: ""
|
||||
kubectl:
|
||||
repository: rancher/kubectl
|
||||
tag: v1.18.6
|
||||
pullPolicy: IfNotPresent
|
||||
rbac:
|
||||
## Create RBAC resources for ServiceAccounts and users
|
||||
##
|
||||
|
|
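Review bot: The `kubectl` block under `global` has no comment saying what consumes it, unlike the `rbac` block directly below; note that it is the image for the `patch-sa` hook Job. The image is also selected by tag only (`rancher/kubectl` at `v1.18.6`), and since that container runs with rights to patch ServiceAccounts, consider supporting a digest pin alongside the tag.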
10
index.yaml
|
@ -812,7 +812,7 @@ entries:
|
|||
catalog.cattle.io/ui-component: monitoring
|
||||
apiVersion: v1
|
||||
appVersion: 0.38.1
|
||||
created: "2020-10-12T22:25:01.32011898Z"
|
||||
created: "2020-10-13T02:35:33.467832582Z"
|
||||
dependencies:
|
||||
- condition: kubeStateMetrics.enabled
|
||||
name: kube-state-metrics
|
||||
|
@ -908,7 +908,7 @@ entries:
|
|||
description: Collects several related Helm charts, Grafana dashboards, and Prometheus
|
||||
rules combined with documentation and scripts to provide easy to operate end-to-end
|
||||
Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
|
||||
digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
|
||||
digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
|
||||
home: https://github.com/prometheus-operator/kube-prometheus
|
||||
icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
|
||||
keywords:
|
||||
|
@ -1078,9 +1078,9 @@ entries:
|
|||
catalog.cattle.io/namespace: cattle-monitoring-system
|
||||
catalog.cattle.io/release-name: rancher-monitoring-crd
|
||||
apiVersion: v1
|
||||
created: "2020-10-12T22:25:01.326842648Z"
|
||||
created: "2020-10-13T02:35:33.474117471Z"
|
||||
description: Installs the CRDs for rancher-monitoring.
|
||||
digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
|
||||
digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
|
||||
name: rancher-monitoring-crd
|
||||
type: application
|
||||
urls:
|
||||
|
@ -1228,4 +1228,4 @@ entries:
|
|||
urls:
|
||||
- assets/rio/rio-0.8.000.tgz
|
||||
version: 0.8.000
|
||||
generated: "2020-10-12T22:53:17.316876871Z"
|
||||
generated: "2020-10-13T02:35:33.438687468Z"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
e0eddabe716afe6e14b6e82adc0275e4b1406b8347dbd37852ce5295965ded9a packages/rancher-monitoring/overlay/CHANGELOG.md
|
||||
9553024443b0a1f67b6a5f5426713144d38674d7c457f64512e8ca48ae249d2c packages/rancher-monitoring/overlay/CHANGELOG.md
|
||||
909d2625c716cebb846218604f54369de9436729133004d041b65ec7345d618f packages/rancher-monitoring/overlay/app-README.md
|
||||
ef03cc1278c0b75fb92012a5136500f5c2bdce9129d2c66c9c9ceec45021cc45 packages/rancher-monitoring/overlay/charts/grafana/templates/nginx-config.yaml
|
||||
af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865 packages/rancher-monitoring/overlay/templates/prometheus/nginx-config.yaml
|
||||
|
@ -6,5 +6,6 @@ af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865 packages/ranch
|
|||
bb4f6fc55612f35e086c1b5657fc1ca356f8c3add72145a39e1d6202a4d40ebe packages/rancher-monitoring/overlay/templates/rancher-monitoring/config-role.yaml
|
||||
5ad9876026208a86d66a2ae78ed5d0789ac5aa490cf126b47f73a9919bd37b47 packages/rancher-monitoring/overlay/templates/rancher-monitoring/dashboard-role.yaml
|
||||
33fee4fdab967c396d8dd12f058136c3414357cb65bd162c1e26dae561d5ac1d packages/rancher-monitoring/overlay/templates/rancher-monitoring/default-dashboard.yaml
|
||||
9ab6bb402a9c1d5ad652cbd01a14c9fede7d14f9131a3e375ba2933adf1ae98d packages/rancher-monitoring/overlay/templates/rancher-monitoring/hardened.yaml
|
||||
e99f1420d98f0e27f6ed5deba21b3000c7e1085de55de2610b971938eedd5c52 packages/rancher-monitoring/package.yaml
|
||||
648db85abcb871c047b5e3bacd8a0ff1b79fd40a192149b73403fcbd58098278 packages/rancher-monitoring/rancher-monitoring.patch
|
||||
ba5acbe90e85d05e7e405e5258780980bb2b7c79dc55547293017ba9d6ba1ed9 packages/rancher-monitoring/rancher-monitoring.patch
|
||||
|
|