Merge pull request #1766 from aiyengar2/support_k8s_122_rke1

Support monitoring on k8s 1.22 RKE1 and RKE2 clusters and support pushprox in SELinux
2022-03-02 16:46:02 -08:00 · 2022-03-02 16:46:02 -08:00 · e05dac2b05
parent 844f135745 523f6f942b
commit e05dac2b05
157 changed files with 1102 additions and 62 deletions
--- a/assets/rancher-monitoring/rancher-monitoring-100.1.1+up19.0.3.tgz
+++ b/assets/rancher-monitoring/rancher-monitoring-100.1.1+up19.0.3.tgz
--- a/assets/rancher-pushprox/rancher-pushprox-100.0.2.tgz
+++ b/assets/rancher-pushprox/rancher-pushprox-100.0.2.tgz
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedKubelet/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/hardenedNodeExporter/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/k3sServer/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmControllerManager/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmEtcd/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmProxy/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/kubeAdmScheduler/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2ControllerManager/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Etcd/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2IngressNginx/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Proxy/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-clients-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-clients-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -54,6 +55,9 @@ spec:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+    seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 6 }}
+{{- end }}
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-clients.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-clients.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
 apiVersion: apps/v1
 {{- if .Values.clients.deployment.enabled }}
@ -102,7 +103,7 @@ spec:
          CERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CERT_FILE_NAME}" | sort -r | head -n 1)
          KEY_FILE_SOURCE=$(find /etc/source/ -type f -name "${KEY_FILE_NAME}" | sort -r | head -n 1)
          CACERT_FILE_SOURCE=$(find /etc/source/ -type f -name "${CACERT_FILE_NAME}" | sort -r | head -n 1)
-          
+
          test -z ${CERT_FILE_SOURCE} && echo "Failed to find cert file" && exit 1
          test -z ${KEY_FILE_SOURCE} && echo "Failed to find key file" && exit 1
          test -z ${CACERT_FILE_SOURCE} && echo "Failed to find cacert file" && exit 1
@ -133,6 +134,9 @@ spec:
          value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
        securityContext:
          runAsNonRoot: false
+{{- if and .Values.global.seLinux.enabled .Values.clients.https.seLinuxOptions }}
+          seLinuxOptions: {{ .Values.clients.https.seLinuxOptions | toYaml | nindent 12 }}
+{{- end }}
        volumeMounts:
        - name: metrics-cert-dir-source
          mountPath: /etc/source
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-proxy-rbac.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-proxy-rbac.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-proxy.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-proxy.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if and .Values.proxy }}{{ if .Values.proxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-servicemonitor.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/templates/pushprox-servicemonitor.yaml
@ -1,3 +1,4 @@
+{{- template "applyKubeVersionOverrides" . -}}
 {{- if .Values.serviceMonitor }}{{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/values.yaml
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rke2Scheduler/values.yaml
@ -10,6 +10,30 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+  seLinux:
+    enabled: false
+
+# A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides.
+#
+# For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches
+# any of the semver constraints provided as keys on the map.
+#
+# On seeing a match, the default value for each values.yaml field overridden will be updated with the new value.
+#
+# If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order.
+#
+# Notes:
+# - On running a helm template, Helm generally assumes the kubeVersion is v1.20.0
+# - On running a helm install --dry-run, the correct kubeVersion should be chosen.
+kubeVersionOverrides: []
+# - constraint: "< 1.21"
+#   values:
+#     metricsPort: 10252
+#     clients:
+#       https:
+#         enabled: false
+#         insecureSkipVerify: false
+#         useServiceAccountCredentials: false

 namespaceOverride: ""

@ -53,6 +77,9 @@ clients:
    certFile: ""
    keyFile: ""
    caCertFile: ""
+    # seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host.
+    # Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided.
+    seLinuxOptions: {}

  metrics:
    # Whether the client should publish PushProx client-specific metrics to .Values.clients.port
--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rkeControllerManager/README.md
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rkeControllerManager/README.md
@ -42,6 +42,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `clients.https.certFile` | The path to the TLS cert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.keyFile` | The path to the TLS key file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
 | `clients.https.caCertFile` | The path to the TLS cacert file located within `clients.https.certDir`. Required and only used if `clients.https.enabled` is set | `""` |
+| `clients.https.seLinuxOptions` | seLinuxOptions to be passed into the container that copies certs. Should define a container with permissions to read the files in the certDir provided on the host. Required and only used if `clients.https.enabled` is set and `clients.https.certDir` is provided. | `""` |
 | `clients.metrics.enabled` | Whether the client should publish PushProx client-specific metrics. | `false` |
 | `clients.rbac.additionalRules` | Additional permissions to provide to the ServiceAccount bound to the client. This can be used to provide additional permissions for the client to scrape metrics from the k8s API. Only enabled if clients.https.enabled and clients.https.useServiceAccountCredentials are true | `[]` |
 | `clients.deployment.enabled` | Deploys the client as a Deployment (generally used if the underlying hostNetwork Pod that is being scraped is managed by a Deployment) | `false` |
@ -55,6 +56,7 @@ The following tables list the configurable parameters of the rancher-pushprox ch
 | `proxy.resources` | Set resource limits and requests for the proxy container | `{}` |
 | `proxy.nodeSelector` | Select which nodes the proxy can be deployed on | `{}` |
 | `proxy.tolerations` | Specify tolerations (if necessary) to allow the proxy to be deployed on the selected node | `[]` |
+| `kubeVersionOverrides` | A list of Semver constraint strings (defined by https://github.com/Masterminds/semver) and values.yaml overrides. For each key in kubeVersionOverrides, this chart will check to see if the current Kubernetes cluster's version matches any of the semver constraints provided as keys on the map. On seeing a match, the default value for each values.yaml field overridden will be updated with the new value. If multiple matches are encountered (due to overlapping semver ranges), the matches will be applied in order. | `[]`

 *Tip: The filepaths set in `clients.https.<cert|key|caCert>File` can include wildcard characters*. 

--- a/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rkeControllerManager/templates/_helpers.tpl
+++ b/charts/rancher-monitoring/100.1.1+up19.0.3/charts/rkeControllerManager/templates/_helpers.tpl
@ -30,6 +30,16 @@ kubernetes.io/os: linux

 # General

+{{- define "applyKubeVersionOverrides" -}}
+{{- $overrides := dict -}}
+{{- range $override := .Values.kubeVersionOverrides -}}
+{{- if semverCompare $override.constraint $.Capabilities.KubeVersion.Version -}}
+{{- $_ := mergeOverwrite $overrides $override.values -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values $overrides -}}
+{{- end -}}
+
 {{- define "pushprox.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
--- a/Show More
+++ b/Show More