rancher-charts/charts/rancher-monitoring/14.5.100/templates/alertmanager/secret.yaml

167 lines
6.3 KiB
YAML

{{- if and (.Values.alertmanager.enabled) (not .Values.alertmanager.alertmanagerSpec.useExistingSecret) }}
{{- if .Release.IsInstall }}
{{- $secretName := (printf "alertmanager-%s-alertmanager" (include "kube-prometheus-stack.fullname" .)) }}
{{- if (lookup "v1" "Secret" (include "kube-prometheus-stack.namespace" .) $secretName) }}
{{- required (printf "Cannot overwrite existing secret %s in namespace %s." $secretName (include "kube-prometheus-stack.namespace" .)) "" }}
{{- end }}{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "3"
{{- if .Values.alertmanager.secret.annotations }}
{{ toYaml .Values.alertmanager.secret.annotations | indent 4 }}
{{- end }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
data:
{{- if .Values.alertmanager.tplConfig }}
alertmanager.yaml: {{ tpl (toYaml .Values.alertmanager.config) . | b64enc | quote }}
{{- else }}
alertmanager.yaml: {{ toYaml .Values.alertmanager.config | b64enc | quote }}
{{- end}}
{{- range $key, $val := .Values.alertmanager.templateFiles }}
{{ $key }}: {{ $val | b64enc | quote }}
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels:
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "5"
spec:
template:
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
labels: {{ include "kube-prometheus-stack.labels" . | nindent 8 }}
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
spec:
serviceAccountName: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
{{- if .Values.alertmanager.secret.securityContext }}
securityContext:
{{ toYaml .Values.alertmanager.secret.securityContext | indent 8 }}
{{- end }}
containers:
- name: copy-pre-install-secret
image: {{ template "system_default_registry" . }}{{ .Values.alertmanager.secret.image.repository }}:{{ .Values.alertmanager.secret.image.tag }}
imagePullPolicy: {{ .Values.alertmanager.secret.image.pullPolicy }}
command:
- /bin/sh
- -c
- >
if kubectl get secret -n {{ template "kube-prometheus-stack.namespace" . }} alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager > /dev/null 2>&1; then
echo "Secret already exists"
exit 1
fi;
kubectl patch secret -n {{ template "kube-prometheus-stack.namespace" . }} --dry-run -o yaml
alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
-p '{{ printf "{\"metadata\":{\"name\": \"alertmanager-%s-alertmanager\"}}" (include "kube-prometheus-stack.fullname" .) }}'
| kubectl apply -f -;
kubectl annotate secret -n {{ template "kube-prometheus-stack.namespace" . }}
alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-alertmanager
helm.sh/hook- helm.sh/hook-delete-policy- helm.sh/hook-weight-;
restartPolicy: OnFailure
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "3"
rules:
- apiGroups:
- ""
resources:
- secrets
verbs: ['create', 'get', 'patch']
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "3"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
subjects:
- kind: ServiceAccount
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "3"
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: alertmanager-{{ template "kube-prometheus-stack.fullname" . }}-pre-install
namespace: {{ template "kube-prometheus-stack.namespace" . }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
"helm.sh/hook-weight": "3"
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
{{- end }}