--- charts-original/templates/alertmanager/secret.yaml +++ charts/templates/alertmanager/secret.yaml @@ -1,11 +1,19 @@ {{- if and (.Values.alertmanager.enabled) (not .Values.alertmanager.alertmanagerSpec.useExistingSecret) }} +{{- if .Release.IsInstall }} +{{- $secretName := (printf "alertmanager-%s-alertmanager" (include "kube-prometheus-stack.fullname" .)) }} +{{- if (lookup "v1" "Secret" (include "kube-prometheus-stack.namespace" .) $secretName) }} +{{- required (printf "Cannot overwrite existing secret %s in namespace %s." $secretName (include "kube-prometheus-stack.namespace" .)) "" }} +{{- end }}{{- end }} apiVersion: v1 kind: Secret metadata: - name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install namespace: {{ template "kube-prometheus-stack.namespace" . }} -{{- if .Values.alertmanager.secret.annotations }} annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "3" +{{- if .Values.alertmanager.secret.annotations }} {{ toYaml .Values.alertmanager.secret.annotations | indent 4 }} {{- end }} labels: @@ -20,4 +28,139 @@ {{- range $key, $val := .Values.alertmanager.templateFiles }} {{ $key }}: {{ $val | b64enc | quote }} {{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: +{{ include "kube-prometheus-stack.labels" . | indent 4 }} + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "5" +spec: + template: + metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + labels: {{ include "kube-prometheus-stack.labels" . | nindent 8 }} + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + spec: + serviceAccountName: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install +{{- if .Values.alertmanager.secret.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.secret.securityContext | indent 8 }} +{{- end }} + containers: + - name: copy-pre-install-secret + image: {{ template "system_default_registry" . }}{{ .Values.alertmanager.secret.image.repository }}:{{ .Values.alertmanager.secret.image.tag }} + imagePullPolicy: {{ .Values.alertmanager.secret.image.pullPolicy }} + command: + - /bin/sh + - -c + - > + if kubectl get secret -n {{ template "kube-prometheus-stack.namespace" . }} alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager > /dev/null 2>&1; then + echo "Secret already exists" + exit 1 + fi; + kubectl patch secret -n {{ template "kube-prometheus-stack.namespace" . }} --dry-run -o yaml + alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + -p '{{ printf "{\"metadata\":{\"name\": \"alertmanager-%s-alertmanager\"}}" (include "kube-prometheus-stack.fullname" .) }}' + | kubectl apply -f -; + kubectl annotate secret -n {{ template "kube-prometheus-stack.namespace" . }} + alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager + helm.sh/hook- helm.sh/hook-delete-policy- helm.sh/hook-weight-; + restartPolicy: OnFailure + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + labels: + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "3" +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: ['create', 'get', 'patch'] +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + labels: + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "3" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install +subjects: +- kind: ServiceAccount + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + namespace: {{ template "kube-prometheus-stack.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "3" +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install + namespace: {{ template "kube-prometheus-stack.namespace" . }} + labels: + app: {{ template "kube-prometheus-stack.name" . }}-alertmanager + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed + "helm.sh/hook-weight": "3" +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' {{- end }}