This commit adds an nginx proxy in front of Prometheus that intercepts the requests that are sent to the Prometheus pod. This change was necessary since the Prometheus pod encounters issues with Rancher proxy URLs that are formatted like:
```
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-prometheus:9090/proxy
```
Specifically, if using the root_url option, it doubles up this URL when making requests for resources, e.g.
```
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-prometheus:9090/proxy/<my-path>
=>
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-prometheus:9090/proxy/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-prometheus:9090/proxy/<my-path>
```
However, this does not resolve the issue in https://github.com/rancher/rancher/issues/29068.
(partially cherry picked from commit 92f0eca770)
This commit adds an nginx proxy in front of Grafana that intercepts the requests that are sent to the Grafana pod. This change was necessary since the Grafana pod encounters issues with Rancher proxy URLs that are formatted like:
```
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-grafana:80/proxy
```
Specifically, if using the root_url option, it doubles up this URL when making requests for resources, e.g.
```
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-grafana:80/proxy/<my-path>
=>
<server-url>/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-grafana:80/proxy/k8s/clusters/<cluster-id>/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-grafana:80/proxy/<my-path>
```
(partially cherry picked from commit d6c774aa42)
This commit adds support for deploying rancher-monitoring into hardened clusters.
It modifies some of the default securityContexts and does some misc. fixes such as:
- Removing default AppArmor PSP annotations from Grafana (related to https://github.com/helm/charts/issues/9090)
- Modifying rkeScheduler and rkeControllerManager to use localhost to scrape components since the endpoints aren't exposed in a hardened cluster
These changes have been verified on a hardened RKE cluster.
(partially cherry picked from commit e3d6033572)
This commit renames `grafana-dashboards` to `cattle-dashboards` and deprecates the `grafana-datasources` namespace in favor of the normal release namespace.
Related Issue: rancher/rancher#28887
(partially cherry picked from commit b80fb3a8ff)
Adding rancher-cis-benchmark - Main chart for deploying cis-operator
Review comments and changes CRDs and adding the roles
Adding default ClusterScanProfiles in a Configmap
Updating kubernetes version to have major.minor.patch
Package the CRDs within the original chart and add package.yaml
chart changes for tolerations, crds, added
global.cattle.systemDefaultRegistry
Review changes to removed nodeSelector helper, combine all cis clusterroles in one file
CRD name change and adding keywords, moving package.yaml one folder upi
Renamed hardened benchmark
Move providesGVR to chart.yaml
(partially cherry picked from commit b55e6ec019)
- `rke2-scheduler`
- `rke2-controller-manager`
- `rke2-proxy`
- `rke2-etcd`
All exporters are created from the cattle-pushprox chart. This commit
also modifies the relevant Grafana Dashboard ConfigMaps and
PrometheusRules to deploy if the PushProx exporters are enabled.
See changes to `overlay/CHANGELOG.md` for details on what has been added/modified.
(partially cherry picked from commit e5dfdc5c88)
This commit sets the following field to false:
`<serviceMonitor|podMonitor|rule>SelectorNilUsesHelmValues: true`
As a result, we look for all CRs with any labels in all namespaces rather than just
the ones tagged with `release: rancher-monitoring`.
(partially cherry picked from commit d2bf307e59)
If the Grafana deployment strategy is not Recreate, the deployment will
be stuck during an upgrade when PV is attached.
(partially cherry picked from commit f3aebdca14)
This commit adds NoExecute / NoSchedule tolerations by default to all of the
PushProx exporters since the default expectation when deploying these exporters
is that they are deployed on the expected nodes based on nodeSelector labels
regardless of any taints added to those nodes.
Users can always choose to override these settings if necessary.
(partially cherry picked from commit 215cf10a68)
- Moves `monitoringRole` settings into `global.rbac` in values.yaml
- Moves user ClusterRoles into one file: `rancher-monitoring/clusterroles.yaml`
- Reformats user ClusterRoles format to look like upstream format
- Enables aggregateRolesForRBAC by default
- Updates README.md and CHANGELOG.md for relevant ClusterRole changes
(partially cherry picked from commit 3d6b8c94c7)
Adds prometheus-adapter and rancher-pushprox to the README.md and also
adds fields for Rancher Monitoring config
(partially cherry picked from commit 63647c6849)
- Update namespace annotation to `cattle-gatekeeper-system`
- Remove `gatekeeper-system` from templates as Rancher handles
namespaces for chart installation.
(partially cherry picked from commit 6e147640be)
Removes the code that supports the Helm 2 hack for crd/ (`prometheus-operator/cleanup-crds.yaml` and
`prometheus-operator/crds.yaml`) and removes crd-install hooks from crds.
Also updates the README.md and CHANGELOG.md accordingly.
(partially cherry picked from commit 921f735cbc)
This commit adds script changes to automatically allow packages to split
the CRD components located in a crd/ directory into a separate package.
It also automatically adds in a validation yaml helper to the main package
to prevent a user from installing the base package without installing the crd
install package first.
Any package can enable the creation of a separate crd package by just adding
`splitCRDsIntoSeparatePackage: true` into the package.yaml, as shown in the
rancher-monitoring chart.
(partially cherry picked from commit fcc8528186)
This commit adds support for deploying rancher-monitoring into hardened clusters.
It modifies some of the default securityContexts and does some misc. fixes such as:
- Removing default AppArmor PSP annotations from Grafana (related to https://github.com/helm/charts/issues/9090)
- Modifying rkeScheduler and rkeControllerManager to use localhost to scrape components since the endpoints aren't exposed in a hardened cluster
These changes have been verified on a hardened RKE cluster.
This commit renames `grafana-dashboards` to `cattle-dashboards` and deprecates the `grafana-datasources` namespace in favor of the normal release namespace.
Related Issue: rancher/rancher#28887
- `rke2-scheduler`
- `rke2-controller-manager`
- `rke2-proxy`
- `rke2-etcd`
All exporters are created from the cattle-pushprox chart. This commit
also modifies the relevant Grafana Dashboard ConfigMaps and
PrometheusRules to deploy if the PushProx exporters are enabled.
See changes to `overlay/CHANGELOG.md` for details on what has been added/modified.
This commit sets the following field to false:
`<serviceMonitor|podMonitor|rule>SelectorNilUsesHelmValues: true`
As a result, we look for all CRs with any labels in all namespaces rather than just
the ones tagged with `release: rancher-monitoring`.
This commit adds NoExecute / NoSchedule tolerations by default to all of the
PushProx exporters since the default expectation when deploying these exporters
is that they are deployed on the expected nodes based on nodeSelector labels
regardless of any taints added to those nodes.
Users can always choose to override these settings if necessary.