rancher-charts/packages/rancher-monitoring/generated-changes/patch/templates/alertmanager/secret.yaml.patch


--- charts-original/templates/alertmanager/secret.yaml
+++ charts/templates/alertmanager/secret.yaml
@@ -1,11 +1,19 @@
{{- if and (.Values.alertmanager.enabled) (not .Values.alertmanager.alertmanagerSpec.useExistingSecret) }}
+{{- if .Release.IsInstall }}
+{{- $secretName := (printf "alertmanager-%s-alertmanager" (include "kube-prometheus-stack.fullname" .)) }}
+{{- if (lookup "v1" "Secret" (include "kube-prometheus-stack.namespace" .) $secretName) }}
+{{- required (printf "Cannot overwrite existing secret %s in namespace %s." $secretName (include "kube-prometheus-stack.namespace" .)) "" }}
+{{- end }}{{- end }}
apiVersion: v1
kind: Secret
metadata:
- name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
-{{- if .Values.alertmanager.secret.annotations }}
annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "3"
+{{- if .Values.alertmanager.secret.annotations }}
{{ toYaml .Values.alertmanager.secret.annotations | indent 4 }}
{{- end }}
labels:
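Review bot: The `lookup` guard at the top of the template is a best-effort render-time check, not the actual protection against overwriting an existing Alertmanager Secret, and nothing in the template says so. `lookup` returns an empty result when Helm renders without querying the cluster (`helm template`, a client-side dry run), and the guard only runs when `.Release.IsInstall` is true, so the effective check is the `kubectl get secret` test in the pre-install Job. I would add a template comment above the guard, e.g. `{{- /* Early best-effort check; the pre-install Job re-checks before copying the Secret. */ -}}`, and use `fail (printf ...)` instead of `required ... ""` so the intent to abort is explicit. The Secret manifest continues past the end of this hunk.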
@@ -20,4 +28,139 @@
{{- range $key, $val := .Values.alertmanager.templateFiles }}
{{ $key }}: {{ $val | b64enc | quote }}
{{- end }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ labels:
+{{ include "kube-prometheus-stack.labels" . | indent 4 }}
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "5"
+spec:
+ template:
+ metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ labels: {{ include "kube-prometheus-stack.labels" . | nindent 8 }}
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ spec:
+ serviceAccountName: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+{{- if .Values.alertmanager.secret.securityContext }}
+ securityContext:
+{{ toYaml .Values.alertmanager.secret.securityContext | indent 8 }}
+{{- end }}
+ containers:
+ - name: copy-pre-install-secret
+ image: {{ template "system_default_registry" . }}{{ .Values.alertmanager.secret.image.repository }}:{{ .Values.alertmanager.secret.image.tag }}
+ imagePullPolicy: {{ .Values.alertmanager.secret.image.pullPolicy }}
+ command:
+ - /bin/sh
+ - -c
+ - >
+ if kubectl get secret -n {{ template "kube-prometheus-stack.namespace" . }} alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager > /dev/null 2>&1; then
+ echo "Secret already exists"
+ exit 1
+ fi;
+ kubectl patch secret -n {{ template "kube-prometheus-stack.namespace" . }} --dry-run -o yaml
+ alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ -p '{{ printf "{\"metadata\":{\"name\": \"alertmanager-%s-alertmanager\"}}" (include "kube-prometheus-stack.fullname" .) }}'
+ | kubectl apply -f -;
+ kubectl annotate secret -n {{ template "kube-prometheus-stack.namespace" . }}
+ alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
+ helm.sh/hook- helm.sh/hook-delete-policy- helm.sh/hook-weight-;
+ restartPolicy: OnFailure
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "3"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs: ['create', 'get', 'patch']
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "3"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+subjects:
+- kind: ServiceAccount
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "3"
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+ "helm.sh/hook-weight": "3"
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'secret'
{{- end }}
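Review bot: The ClusterRole and ClusterRoleBinding added here give the hook's ServiceAccount `create`, `get` and `patch` on Secrets in every namespace, while the Job script only reads and writes two named Secrets in the chart namespace. For as long as the hook resources exist, anything that can run as that ServiceAccount can read any Secret in the cluster. A namespaced Role and RoleBinding, with `get`/`patch` limited by `resourceNames` to the `-pre-install` and `-alertmanager` Secrets, covers what the script does as far as this hunk shows (`create` cannot be restricted by name); the `podsecuritypolicies` `use` rule can stay in the ClusterRole. Separately, piping into `kubectl create -f -` instead of `kubectl apply -f -` would make the copy fail rather than overwrite if the Secret appears after the `kubectl get` check.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
  # … unchanged: labels and helm.sh/hook annotations …
rules:
  # create cannot be scoped by resourceNames, so it is limited by namespace only
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "patch"]
    resourceNames:
      - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
      - alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
  # … unchanged: labels and helm.sh/hook annotations …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
# … unchanged: subjects (the pre-install ServiceAccount) …
# … unchanged: ClusterRole/ClusterRoleBinding, reduced to the podsecuritypolicies "use" rule …
```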