feat(charts)!: Update Helm release grafana to 8.8.5 #2460
base: main
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
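Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, so every pod that runs under this account gets an API token mounted unless it opts out. The pod spec rendered further down already sets the same field explicitly next to `serviceAccountName: grafana`, so consider setting the ServiceAccount-level value to false and leaving the opt-in on the pod that needs the token.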
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,16 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +141,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +186,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +207,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +253,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 83dd8ec542152bdf045ab464c90449c6ac8bfa004122939a03042db7ef9cb977
+ checksum/sc-dashboard-provider-config: 593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +289,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +302,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
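Review bot: The added `REQ_USERNAME` and `REQ_PASSWORD` entries give the `grafana-sc-dashboard` sidecar the admin credentials from the `grafana` Secret, and in this render the same container runs with `NAMESPACE` set to `"ALL"`. That places admin credentials in the environment of a container that watches every namespace; consider narrowing `NAMESPACE` to the namespaces that are allowed to supply dashboards, and check whether the POST to `REQ_URL` is needed at all, given that the provider config already has `updateIntervalSeconds: 30`.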
@@ -391,12 +354,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
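Review bot: The new image reference for the `grafana` container, `docker.io/ghcr.io/k8s-at-home/grafana:11.0.0`, has a registry host prepended to a repository that already begins with a registry host, so it resolves to a Docker Hub path named `ghcr.io/k8s-at-home/grafana` rather than to GHCR. Split the override so that the registry part is `ghcr.io` and the repository part is `k8s-at-home/grafana`, and confirm that an `11.0.0` tag exists there before merging. The change from `9.1.7` also crosses two major versions, so the upgrade notes for both are worth reading before rollout.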
@@ -420,7 +397,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +512,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +536,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +550,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +605,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
d86578d
to
a5dc67c
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 84ab5d180187b2eb3132dd2d4ef99c6fac69ad5f2305ac6a8188eb561f25f885
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
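Review bot: The `download-dashboards` init container stays on `curlimages/curl:7.85.0`; only the `docker.io/` prefix changed here, while the sidecar and Grafana images are bumped in the same release. This container runs at every pod start, so move it to a current curl release and pin it by digest rather than by tag. The new container-level `securityContext` is a welcome addition; `readOnlyRootFilesystem: true` is not part of it and is worth testing for this init container.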
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
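Review bot: The two `containerPort: 9094` entries (`gossip-tcp`, `gossip-udp`) and the `POD_IP` variable are added to the `grafana` container regardless of how many replicas run. If this release stays at a single replica the gossip listener has no peer; either way, make sure a NetworkPolicy limits port 9094 to the Grafana pods so that it is not reachable from the rest of the cluster.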
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
a5dc67c
to
40bc5ec
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 650370735618da1cb2bf7f47629ae159e380302e2fe81b94ace890ba8d19db46
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
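Review bot: `interval: 30s` now equals `scrapeTimeout: 30s` on this endpoint, so a scrape that runs to its timeout leaves no gap before the next one is due. Lower `scrapeTimeout` (for example to 10s) or keep the previous `interval: 1m`.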
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
40bc5ec
to
354e03e
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: f7570a639fb1a098ebaff7782a3192bc29933b7119b4261c7224e58c772ef7e5
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
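Review bot: The new grafana image line, `docker.io/ghcr.io/k8s-at-home/grafana:11.0.0`, contains two registry hosts: a docker.io prefix has been prepended to a repository value that already starts with ghcr.io. As rendered, the pull would go to Docker Hub for a repository named ghcr.io/k8s-at-home/grafana instead of the GHCR image the old line used, so it will most likely fail with an image pull error. Set the registry and the repository separately in the values override so the rendered reference starts with ghcr.io only, and confirm the tag exists there before merging.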
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
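Review bot: The added gossip-tcp and gossip-udp ports (9094, TCP and UDP) and the POD_IP variable only matter when several Grafana replicas exchange alerting state with each other. If this release runs a single replica, nothing should need to reach 9094. Either way, check that any NetworkPolicy covering this pod allows 9094 only between Grafana pods and keeps 3000 as the only port reachable from the ingress.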
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
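Review bot: Changing `interval` from 1m to 30s while `scrapeTimeout` stays at 30s leaves the timeout equal to the interval, so a slow scrape can run right up to the start of the next one. If the faster interval is intended, lower scrapeTimeout below it. If it only arrived with the new chart defaults, pin the previous 1m in the values.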
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
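Review bot: The grafana-test ServiceAccount re-added at the top of this hunk does not set automountServiceAccountToken, so a pod running under it mounts an API token by default, although the run.sh below only issues a wget against http://grafana/api/health. Consider disabling token automount for the test account, or disabling the chart's test resources in the values if `helm test` is not used in this repo. Separately, `test-success` in the hook annotations is the legacy hook name that Helm 3 keeps as an alias for `test`; it works, but it is worth knowing when searching for these hooks.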
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
354e03e to b157c62
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
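Review bot: `automountServiceAccountToken: true` is now set explicitly on the grafana ServiceAccount, and the pod spec later in this diff sets it again, so every container in the pod, the grafana container included, receives the API token. Confirm this is a deliberate choice and not a default the new chart version started rendering. Since the token is shared by all containers, the permissions bound to this account should stay limited to what the sidecars need to read.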
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
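Review bot: Replacing the podsecuritypolicies `use` rule with `rules: []` leaves an object that grants nothing but is still rendered, and the rolebinding.yaml that follows in the context still binds it. Dropping the grant is correct, since PodSecurityPolicy was removed in Kubernetes 1.25, but nothing in this diff replaces the admission-side check. Confirm the default namespace has a Pod Security admission level or an equivalent policy, because the securityContext blocks added elsewhere in this diff harden only these containers and do not enforce anything for other pods.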
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: b5a9c55d19c0ab9f9270ade9cf23de42d56a066c659ece024491249c92795ae9
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
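Review bot: The download-dashboards init container keeps curl at 7.85.0; the only change on its image line is the added docker.io prefix, while the sidecar and grafana images in the same pod are bumped. Raise the curl tag through the chart values in this PR or track it separately, and consider pinning it by digest, since this container fetches remote content on every pod start. The added securityContext (no privilege escalation, all capabilities dropped, RuntimeDefault seccomp) looks right for it.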
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
b157c62 to 90da4f6
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 0554d0e20431356219238f4b7f28f91c637d59d0f65a501246a3fbf0f4c048c8
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
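Review bot: In this revision the grafana image line moves from 9.1.7 to 11.1.0 (the previous revision on this page rendered 11.0.0), which is a jump of two major versions delivered through a chart bump. Read the Grafana 10 and 11 upgrade notes for removed or changed features before merging, and take a backup of the Grafana database first, because rolling the image back after the schema has been migrated is not a safe recovery path. The doubled docker.io/ghcr.io prefix is still present on this line.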
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
90da4f6 to a606917
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 4738d0ff7b0d3761e9281fe45de0cacd2af93c5ca8891694b0b818c0639b8ba9
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
a606917 to a99c942
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: dd77c7c002fe81ab5b675639a44580e50525eba99891f11f2f6a8571ced78181
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
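Review bot: the `download-dashboards` init container is still pinned by tag only, and to the same `curlimages/curl:7.85.0` as before; the only change on that line is the `docker.io/` prefix. Since this hunk already hardens the container (`allowPrivilegeEscalation: false`, `drop: ALL`, `RuntimeDefault` seccomp), pin the image by digest in the same change and decide deliberately whether 7.85.0 is still the curl release you want. The added block also leaves `readOnlyRootFilesystem` unset; confirm whether the download script writes anywhere other than mounted volumes and enable it if not.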
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
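Review bot: `REQ_USERNAME` and `REQ_PASSWORD` hand the `grafana-sc-dashboard` sidecar the Grafana admin login from the `grafana` Secret, and the same container runs with `NAMESPACE: "ALL"`, so a container that reads objects from every namespace now also holds admin credentials. The reload call itself only goes to `http://localhost:3000/api/admin/provisioning/dashboards/reload`, so the exposure is the environment of the sidecar rather than the network path. Narrow `NAMESPACE` to the namespaces that actually ship dashboards, and make sure the admin password behind `admin-password` is not a default before this container starts receiving it.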
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
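Review bot: the new `grafana` image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.1.0` carries two registry hosts; `docker.io/` has been prepended to a repository that already begins with `ghcr.io/`. That is no longer the GHCR image the removed line pulled, so the pull will either fail or resolve to whatever sits at that path on Docker Hub. Split the values so the registry is `ghcr.io` and the repository is `k8s-at-home/grafana`, and check that the 11.1.0 tag exists for that image before merging.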
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
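Review bot: the `gossip-tcp` and `gossip-udp` ports on 9094 and the `POD_IP` variable are added to the `grafana` container, but the Deployment in this render runs `replicas: 1`, so there is no peer for these ports to talk to. The diff adds no NetworkPolicy either, which leaves 9094 reachable from any pod that can route to the pod IP. If clustered alerting is not in use, check whether the chart lets you leave these ports out; otherwise restrict 9094 to the Grafana pods with a NetworkPolicy.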
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
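Review bot: `interval` drops from `1m` to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the interval and a slow scrape can run right up to the start of the next one. Either keep `interval: 1m` in the values or lower `scrapeTimeout` below the new interval.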
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
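Review bot: the re-added test ServiceAccount and ConfigMap are annotated `"helm.sh/hook": test-success`, which Helm 3 keeps only as a deprecated alias of `test`; prefer a chart version that renders `test`. Moving these objects behind a hook with `before-hook-creation,hook-succeeded` is an improvement, since `grafana-test` no longer exists as a standing ServiceAccount in `default`. In `run.sh`, `${url}` is unquoted inside the `wget` call; it is a constant here, but quoting it costs nothing.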
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
a99c942 to 2986d5b
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
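Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, so every pod that uses this account gets an API token by default, not only the Deployment whose pod spec already sets the same field. This account is bound to a ClusterRole and the sidecars run with `NAMESPACE: "ALL"`, so the token is worth scoping. Set the ServiceAccount field to `false` and keep the explicit opt-in on the pod spec that needs it.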
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
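Review bot: with the PodSecurityPolicy rule removed, the Role in this hunk renders as `rules: []`, yet the RoleBinding that follows still binds it to the `grafana` ServiceAccount. An empty Role is harmless today, but a bound, empty Role is an easy place for rules to be added later without anyone noticing the binding already exists. If the chart can skip the namespaced Role and RoleBinding when there is nothing to grant, turn them off; the removal of the `grafana-test` Role from the standing manifests is fine as is.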
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 58a4997a1119d6f0661fab2877ba458fa7c053aa36c0e885b08ff1178757c6a4
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
2986d5b to 42e0b2f
Path: @@ -1,6 +1,7 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -50,16 +40,17 @@
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -151,27 +142,9 @@
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
dashboard-provider: default
+ grafana_dashboard: ""
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -320,24 +254,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 31634d6f12a3a098ac3477396d2d0c2be0b0c3618f03ab2eceb759b8630bb82b
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +303,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +355,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -525,7 +513,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -549,7 +537,7 @@
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +551,42 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/managed-by: Helm
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -582,7 +606,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
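Review bot: the rendered Secret still carries `admin-user: "YWRtaW4="`, which is only base64 for `admin`, and the Secret's `data` is being templated into a manifest that this diff publishes in the PR. Base64 is encoding, not protection, so anything rendered next to it, including `admin-password`, is readable by whoever can see this page. Source the credentials from a pre-existing Secret (the chart's `admin.existingSecret` option) so that no credential material is rendered from values, and rotate the password if the rendered value was ever a real one.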
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 5aea692250a24b6315add9fb3c04e753ead363a9e5fe914e84783127a1f52d78
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +490,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +520,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +537,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +579,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +589,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
c6ab6d9 to c53979a
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
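Review bot: `automountServiceAccountToken: true` now sits on the `grafana` ServiceAccount itself, so any pod that runs under this account gets an API token by default, not only the Deployment that asks for one. The pod spec later in this render already sets the field, so the ServiceAccount could carry `false` and leave the opt-in at pod level; that matters here because the same account is listed as a subject of the cluster-level binding further down.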
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
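Review bot: With the PodSecurityPolicy rule gone, the Role is rendered as `rules: []` and the RoleBinding that follows still binds it to the `grafana` ServiceAccount, which leaves an empty Role and a binding that grants nothing. The `grafana-test` Role removed in this hunk does not come back with the other test hooks, which is consistent; if the chart values allow it, stop rendering the namespaced Role and RoleBinding as well so the RBAC objects in the release only reflect grants that exist.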
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: aa99480bdd3dcc0bfd5dbaa377e3b82a3ffa07e269c6ea0563cb31e43d827fc3
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
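Review bot: The `download-dashboards` init container picks up a restrictive `securityContext`, but its image only gains the `docker.io/` prefix and stays on `curlimages/curl:7.85.0` while the sidecar and Grafana images move forward in the same render. The container also still runs the download script with `/bin/sh -x`, which traces every command into the pod log, so any token the script puts in a URL or header would be logged. Consider bumping the curl image in values and raising the `-x` upstream.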
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
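Review bot: The `grafana-sc-dashboard` sidecar now holds the Grafana admin credentials (`REQ_USERNAME` and `REQ_PASSWORD` from the `grafana` Secret) while it is configured with `NAMESPACE` set to `ALL`, which puts the admin account in the container with the widest read scope in the pod. Check whether the reload call is needed at all, given that the dashboard provider already rescans with `updateIntervalSeconds: 30`, and if it is, whether the watch scope can be narrowed to the namespaces that actually ship dashboards.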
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
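Review bot: `docker.io/ghcr.io/k8s-at-home/grafana:11.3.1` on the `grafana` container looks like the chart's registry prefix being prepended to a repository value that already contains a registry host, so the pull would go to Docker Hub for a repository path that starts with `ghcr.io/`. Split the override so the registry is `ghcr.io` and the repository is `k8s-at-home/grafana`, and confirm that an `11.3.1` tag is actually published there before merging.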
@@ -420,7 +386,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
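Review bot: The new `gossip-tcp` and `gossip-udp` container ports on 9094 and the `POD_IP` variable are rendered although the Deployment earlier in this diff runs `replicas: 1`, so there is no peer to gossip with. Declaring the ports does not open anything by itself, but if a NetworkPolicy selects this pod it should not admit 9094 from anything other than Grafana pods; worth a line in the PR description that these come from the chart defaults and are unused in this deployment.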
@@ -514,7 +490,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +520,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
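Review bot: `interval` drops from `1m` to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the scrape interval and a slow scrape can run right up to the start of the next one. If the shorter interval is wanted, lower `scrapeTimeout` together with it; otherwise set the interval back to `1m` in values so the upgrade does not change scrape behaviour as a side effect.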
@@ -563,6 +537,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
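Review bot: The re-added `grafana-test` ServiceAccount carries the `helm.sh/hook: test` annotations but no `automountServiceAccountToken` setting, unlike the main `grafana` account at the top of this render, so a pod running under it gets an API token by default even though `run.sh` only fetches `http://grafana/api/health`. Setting the field to `false` on the test account would keep the hook pod free of credentials.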
@@ -571,9 +579,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +589,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
c53979a to e868f90
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
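Review bot: Secret `data` is posted in clear in this rendered diff: `admin-user: "YWRtaW4="` is plain base64 for `admin`, and the hunk context stops just before the next key of the same block. The `checksum/secret` annotation on the Deployment also changes in this render, so the Secret content differs from the previous release. Base64 is encoding, not protection, so the diff job should mask Secret `data` before commenting on the PR, and the admin login is better supplied from an existing Secret than from chart values.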
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 0d43569ffea16dbe84a92f22b0bd3af9ef0b7ed2888cba0b5d40e730ba87baf7
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +490,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +520,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +537,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +579,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +589,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
e868f90 to 0b211da
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 07f4a4b7436436e2b19536e7ba422a965fd53ec44a0559057f6ffe8e6b3ec5e0
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +490,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +520,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +537,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +579,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +589,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
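Review bot: `docker.io/bats/bats:v1.4.1` is now fully qualified but still referenced by tag only, and with `imagePullPolicy: "IfNotPresent"` a node keeps whatever it first pulled under that tag. Pinning the test image by digest would make the hook pod reproducible across nodes; the same applies to the other tag-only images in this render.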
0b211da to 9b9ac38
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
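Review bot: `automountServiceAccountToken: true` on the `grafana` ServiceAccount makes token mounting the default for every pod that uses this account, and further down the same account appears as a binding subject next to `grafana-clusterrole`. The Deployment's pod spec already sets `automountServiceAccountToken: true` itself, so the account-level default could stay `false` and leave the mount as an explicit opt-in per workload. If the chart default is being accepted on purpose, say so in the PR description.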
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
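Review bot: The context lines of this hunk print the Secret's `data:` block, and `admin-user: "YWRtaW4="` is only base64 (it decodes to `admin`). Any other key under `data:` that the rendered-manifest diff shows ends up in the PR thread in the same recoverable form, so the job that posts this diff should mask the `data` of every `kind: Secret` before publishing.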
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
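Review bot: The `Role` is left with `rules: []` here, yet `rolebinding.yaml` still binds a Role to the `grafana` ServiceAccount in `default`, so both objects are rendered but grant nothing. With the `podsecuritypolicies` `use` rules and the `grafana-test` Role removed, nothing in these manifests enforces pod restrictions any more; the `securityContext` blocks added in the Deployment are self-declared by the workload. If `default` is expected to enforce a baseline, do that with Pod Security Admission labels on the namespace, and consider not rendering the empty Role and its binding.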
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 42b34601b30d8423db3a9e4be7d7ec2e6fbf0c0a9c230274081ef89b8d48a2f1
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
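Review bot: The `download-dashboards` init container only gains the `docker.io/` prefix and stays on `curlimages/curl:7.85.0`, while the sidecar and Grafana images in the same pod are bumped in this PR. It is also referenced by mutable tag; bump it with the rest and pin it by digest so the image that was reviewed is the image that runs. The added `securityContext` drops all capabilities but does not set `readOnlyRootFilesystem`, which this container could take if its only write target is the mounted dashboards volume.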
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
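Review bot: The added `REQ_USERNAME` and `REQ_PASSWORD` entries hand the Grafana admin credentials from Secret `grafana` to the `grafana-sc-dashboard` sidecar, the same container that runs with `NAMESPACE: "ALL"`. That places the admin password in the environment of a container whose job is to read ConfigMaps across the cluster, only so it can POST to `/api/admin/provisioning/dashboards/reload` on localhost. The dashboard provider already rescans with `updateIntervalSeconds: 30`, so check whether the reload call is needed at all; if it is not, drop the four `REQ_*` variables, and in either case consider narrowing `NAMESPACE` to the namespaces that actually ship dashboards.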
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
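Review bot: The new Grafana image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.4.0` contains two registries: the previous value `ghcr.io/k8s-at-home/grafana` was kept as the repository and `docker.io/` was prepended to it. A container runtime reads `docker.io` as the registry and `ghcr.io/k8s-at-home/grafana` as a path on it, so the pull either fails or resolves to a repository nobody in this PR chose. Split the release values so the registry is `ghcr.io` and the repository is `k8s-at-home/grafana` (or switch to the image the chart ships), and confirm that an `11.4.0` tag exists at that location before merging.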
@@ -420,7 +386,17 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +490,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +520,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
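Review bot: On the ServiceMonitor endpoint, `interval: 30s` now equals the unchanged `scrapeTimeout: 30s`, so a slow scrape can run right up to the start of the next one. Lower `scrapeTimeout` below the interval, or keep `interval: 1m` if the shorter interval was not intended and only came in with the chart defaults.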
@@ -563,6 +537,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +579,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +589,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
9b9ac38 to ea8bc29
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 4934e22a3b1b7367bd4159d993c32ebd4b3d4aaecce9f407f14b1b56c142865f
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
+ - name: profiling
+ containerPort: 6060
+ protocol: TCP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
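Review bot: The `profiling` port (6060/TCP) that this revision adds to the `grafana` container must not become reachable from outside the pod: a profiling endpoint exposes runtime internals and is not covered by the Authelia `auth-url` annotations on the Ingress, which only front the HTTP service. Declaring a `containerPort` opens nothing by itself, so confirm that profiling stays disabled in `grafana.ini` and that no Service or NetworkPolicy admits 6060. The same check applies to the `gossip-tcp` and `gossip-udp` ports on 9094, which have no peer to talk to while the Deployment runs with `replicas: 1`.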
@@ -514,7 +493,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +523,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +540,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +582,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +592,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
ea8bc29 to 4f62b08
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: b7c1e096c33741c490702b256ccd954230e087716b2615af7b46656cfbdce6de
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
+ - name: profiling
+ containerPort: 6060
+ protocol: TCP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +493,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +523,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +540,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +582,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +592,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
4f62b08 to 4fcbb1d
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
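Review bot: automountServiceAccountToken: true on the grafana ServiceAccount sets the default for every pod that runs under this account, not only the Deployment. The pod spec in the Deployment hunk (@@ -320,24 +242,33 @@) already sets automountServiceAccountToken: true for the workload whose sidecars call the API, so the account-level value can be false and the opt-in left to that pod spec. That way a pod later attached to this account does not receive a token bound to grafana-clusterrole by default.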
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
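Review bot: after the podsecuritypolicies rule is dropped, the grafana Role is rendered with rules: [] and the RoleBinding that follows still binds the grafana ServiceAccount to it, so both objects now grant nothing. Disable their creation if the chart values allow it, or accept them as no-ops. More important, with the PodSecurityPolicy grant gone, nothing in this diff shows what enforces pod restrictions in the default namespace: the securityContext blocks added in the Deployment are declared by the workload itself. Confirm that Pod Security Admission labels or an admission policy cover this namespace before merging.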
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 88870a511f628b71a66ba0494ac4e6b8c567699cca5b830f6c5138fdfab95651
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
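Review bot: the download-dashboards init container gains a docker.io prefix and a securityContext but stays on curlimages/curl:7.85.0, an old curl release, in the one container that fetches content from the network on every pod start. Raise the tag as part of this update, or drop the local override if one pins it. The added runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities drop ALL and seccompProfile RuntimeDefault are fine as written; readOnlyRootFilesystem is not set on this container and would be a reasonable follow-up.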
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
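Review bot: the grafana-sc-dashboard sidecar now receives REQ_USERNAME and REQ_PASSWORD from the grafana Secret (admin-user, admin-password) so it can POST to /api/admin/provisioning/dashboards/reload. That places the Grafana admin credentials in the environment of a second container that also watches NAMESPACE "ALL". The file provider in provider.yaml already rescans /tmp/dashboards with updateIntervalSeconds: 30, so check whether the reload call is needed at all; if it is, narrow NAMESPACE to the namespaces that are expected to ship dashboards.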
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
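Review bot: the grafana container image renders as docker.io/ghcr.io/k8s-at-home/grafana:11.4.0, which puts a registry host in front of a repository value that already starts with one. The reference now resolves against Docker Hub instead of ghcr.io, so the pull will most likely fail, and if it succeeds it is not the image that ran before. Split the override so the registry is ghcr.io and the repository is k8s-at-home/grafana, and check that an 11.4.0 tag is actually published under that repository before merging.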
@@ -420,7 +386,20 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
+ - name: profiling
+ containerPort: 6060
+ protocol: TCP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
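Review bot: the grafana container now declares gossip-tcp and gossip-udp on 9094 and profiling on 6060 in addition to 3000. containerPort entries are declarative and open nothing by themselves, but they signal that the process may listen there; 6060 is a profiling endpoint and 9094 is cluster gossip, neither of which should be reachable from other workloads in a single-replica deployment. Confirm that the Service still exposes only the grafana port and that a NetworkPolicy limits ingress to the pod to port 3000.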
@@ -514,7 +493,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +523,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +540,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +582,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +592,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
4fcbb1d to 6f20c67
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
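Review bot: admin-user: "YWRtaW4=" in the context of this hunk is the base64 encoding of admin, so the rendered Secret is shown in readable form in the PR diff. base64 is an encoding, not protection; if the diff job renders admin-password the same way whenever it changes, that value ends up in the PR history. Mask the data of kind: Secret objects in the diff output, and consider supplying the admin credentials from an existing Secret rather than from chart values.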
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
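Review bot: the plugins line in the context of this hunk lists six plugin ids without versions, so the version of each is resolved at install time rather than fixed by this manifest. This PR also moves the Grafana image from 9.1.7 to 11.4.0, which means the first start after merge runs plugin builds that were never tested with this configuration. Pin each plugin to a version and confirm that every one of them still supports the new Grafana major before rollout.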
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 44ea32072565e3fdaddd94c225dd1b7f79dd91fc50d34bfa96472bdb869ffdd1
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:7.85.0"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
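Review bot: the init container args still run download_dashboards.sh with /bin/sh -x, which writes every expanded command to the container log. Any dashboard URL or request header in that script that carries a token is then readable by anyone with access to pod logs. If the chart does not expose a way to drop -x, keep credentials out of the dashboard download definitions. The only difference from the previous revision in this hunk is checksum/dashboards-json-config, which is expected when the dashboard set changes.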
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
+ - name: profiling
+ containerPort: 6060
+ protocol: TCP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +493,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +523,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +540,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
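Review bot: the grafana-test ServiceAccount added as a test hook carries no automountServiceAccountToken setting, while the test it serves only issues a wget against http://grafana/api/health. The test pod needs no access to the Kubernetes API, so set automountServiceAccountToken: false on this account or on the test pod to keep a token out of a container that runs a third-party image.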
@@ -571,9 +582,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +592,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
Signed-off-by: Danny Froberg <dfroberg@users.noreply.github.com>
6f20c67 to f7794cf
Path: @@ -1,25 +1,14 @@
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
+automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/secret.yaml
apiVersion: v1
kind: Secret
@@ -29,7 +18,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
type: Opaque
data:
admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: default
data:
provider.yaml: |-
apiVersion: 1
providers:
- - name: 'sidecarProvider'
- orgId: 1
- folder: ''
- type: file
- disableDeletion: false
- allowUiUpdates: false
- updateIntervalSeconds: 30
- options:
- foldersFromFilesStructure: false
- path: /tmp/dashboards
+ - name: 'sidecarProvider'
+ orgId: 1
+ folder: ''
+ folderUid: ''
+ type: file
+ disableDeletion: false
+ allowUiUpdates: false
+ updateIntervalSeconds: 30
+ options:
+ foldersFromFilesStructure: false
+ path: /tmp/dashboards
---
# Source: grafana/templates/configmap.yaml
apiVersion: v1
@@ -70,7 +58,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
data:
plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
grafana.ini: |
@@ -149,29 +136,9 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
dashboard-provider: default
data: {}
---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-data:
- run.sh: |-
- @test "Test Health" {
- url="http://grafana/api/health"
-
- code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
- [ "$code" == "200" ]
- }
----
# Source: grafana/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
name: grafana-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: grafana
@@ -213,28 +178,7 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: [grafana-test]
+rules: []
---
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -255,25 +198,6 @@
name: grafana
namespace: default
---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-test
- namespace: default
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-test
-subjects:
- - kind: ServiceAccount
- name: grafana-test
- namespace: default
----
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -283,7 +207,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
@@ -304,7 +227,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
- checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
- checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
- checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
- checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+ checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+ checksum/dashboards-json-config: 1a09301d7b520e1d6bcc06c4440608268f5b5be577e11d655820bcdf25ec620a
+ checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+ checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+ kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
+ runAsNonRoot: true
runAsUser: 472
initContainers:
- name: download-dashboards
- image: "curlimages/curl:7.85.0"
+ image: "docker.io/curlimages/curl:8.9.1"
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/download_dashboards.sh"
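Review bot: this revision moves the init container to docker.io/curlimages/curl:8.9.1, but that image and the other images in this Deployment are still referenced by tag only. A tag can be repointed at the registry, and imagePullPolicy: IfNotPresent means different nodes can end up running different content under the same tag. Add the image digest to each reference so that what was reviewed is what runs.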
@@ -347,7 +278,7 @@
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -360,11 +291,32 @@
value: "both"
- name: NAMESPACE
value: "ALL"
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-user
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: admin-password
+ - name: REQ_URL
+ value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+ - name: REQ_METHOD
+ value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
- image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+ image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@@ -391,12 +343,26 @@
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana
- image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+ image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
- name: grafana
containerPort: 3000
protocol: TCP
+ - name: gossip-tcp
+ containerPort: 9094
+ protocol: TCP
+ - name: gossip-udp
+ containerPort: 9094
+ protocol: UDP
+ - name: profiling
+ containerPort: 6060
+ protocol: TCP
env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
@@ -514,7 +493,6 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
- grafana.${SECRET_DOMAIN}
secretName: ${SECRET_DOMAIN//./-}-tls
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: "grafana.${SECRET_DOMAIN}"
http:
paths:
- path: /
@@ -545,11 +523,10 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
- interval: 1m
+ interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
@@ -563,6 +540,40 @@
matchNames:
- default
---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-test
+ namespace: default
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ labels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+data:
+ run.sh: |-
+ @test "Test Health" {
+ url="http://grafana/api/health"
+
+ code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}')
+ [ "$code" == "200" ]
+ }
+---
# Source: grafana/templates/tests/test.yaml
apiVersion: v1
kind: Pod
@@ -571,9 +582,8 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
- app.kubernetes.io/managed-by: Helm
annotations:
- "helm.sh/hook": test-success
+ "helm.sh/hook": test
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
namespace: default
spec:
@@ -582,7 +592,7 @@
worker: true
containers:
- name: grafana-test
- image: "bats/bats:v1.4.1"
+ image: "docker.io/bats/bats:v1.4.1"
imagePullPolicy: "IfNotPresent"
command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts: |
This PR contains the following updates:
6.40.4 -> 8.8.5
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
grafana/helm-charts (grafana)
v8.8.5
The leading tool for querying and visualizing time series and metrics.
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@mimir-distributed-5.7.0-weekly.325...grafana-8.8.5
v8.8.4
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-loki-6.24.1...grafana-8.8.4
v8.8.3
What's Changed
Full Changelog: grafana/helm-charts@beyla-1.6.2...grafana-8.8.3
v8.8.2
What's Changed
Full Changelog: grafana/helm-charts@tempo-1.16.0...grafana-8.8.2
v8.8.1
What's Changed
Full Changelog: grafana/helm-charts@grafana-8.8.0...grafana-8.8.1
v8.8.0
What's Changed
Full Changelog: grafana/helm-charts@grafana-8.7.1...grafana-8.8.0
v8.7.1
What's Changed
Full Changelog: grafana/helm-charts@tempo-distributed-1.26.1...grafana-8.7.1
v8.7.0
What's Changed
Full Changelog: grafana/helm-charts@tempo-distributed-1.26.0...grafana-8.7.0
v8.6.4
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-loki-6.22.0...grafana-8.6.4
v8.6.3
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@beyla-1.5.0...grafana-8.6.3
v8.6.2
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@mimir-distributed-5.6.0-weekly.318...grafana-8.6.2
v8.6.1
What's Changed
Full Changelog: grafana/helm-charts@oncall-1.13.3...grafana-8.6.1
v8.6.0
What's Changed
Full Changelog: grafana/helm-charts@tempo-vulture-0.7.0...grafana-8.6.0
v8.5.12
What's Changed
managed-by should not be templated by @bleggett in https://github.com/grafana/helm-charts/pull/3398
New Contributors
Full Changelog: grafana/helm-charts@beyla-1.4.5...grafana-8.5.12
v8.5.11
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.5.10...grafana-8.5.11
v8.5.10
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@beyla-1.4.4...grafana-8.5.10
v8.5.9
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@k8s-monitoring-1.6.1...grafana-8.5.9
v8.5.8
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.5.7...grafana-8.5.8
v8.5.7
What's Changed
Full Changelog: grafana/helm-charts@alloy-0.9.2...grafana-8.5.7
v8.5.6
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-loki-6.18.0...grafana-8.5.6
v8.5.5
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.18.4...grafana-8.5.5
v8.5.4
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@mimir-distributed-5.5.0...grafana-8.5.4
v8.5.3
What's Changed
Full Changelog: grafana/helm-charts@alloy-0.9.1...grafana-8.5.3
v8.5.2
What's Changed
Full Changelog: grafana/helm-charts@alloy-0.9.0...grafana-8.5.2
v8.5.1
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-loki-6.11.0...grafana-8.5.1
v8.5.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.4.9...grafana-8.5.0
v8.4.9
What's Changed
Full Changelog: grafana/helm-charts@helm-loki-6.10.1...grafana-8.4.9
v8.4.8
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@alloy-0.6.1...grafana-8.4.8
v8.4.7
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.4.6...grafana-8.4.7
v8.4.6
v8.4.5
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-sampling-1.0.0...grafana-8.4.5
v8.4.4
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.4.3...grafana-8.4.4
v8.4.3
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.4.2...grafana-8.4.3
v8.4.2
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.16.1...grafana-8.4.2
v8.4.1
What's Changed
Full Changelog: grafana/helm-charts@k8s-monitoring-1.4.4...grafana-8.4.1
v8.4.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@loki-distributed-0.79.2...grafana-8.4.0
v8.3.8
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.15.3...grafana-8.3.8
v8.3.7
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-agent-operator-0.4.1...grafana-8.3.7
v8.3.6
What's Changed
Full Changelog: grafana/helm-charts@grafana-8.3.5...grafana-8.3.6
v8.3.5
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@synthetic-monitoring-agent-0.3.0...grafana-8.3.5
v8.3.4
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@loki-distributed-0.79.1...grafana-8.3.4
v8.3.3
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@alloy-0.5.1...grafana-8.3.3
v8.3.2
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-loki-6.6.5...grafana-8.3.2
v8.3.1
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.3.0...grafana-8.3.1
v8.3.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.13.2...grafana-8.3.0
v8.2.2
What's Changed
Full Changelog: grafana/helm-charts@tempo-distributed-1.13.1...grafana-8.2.2
v8.2.1
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.2.0...grafana-8.2.1
v8.2.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-8.1.1...grafana-8.2.0
v8.1.1
What's Changed
Full Changelog: grafana/helm-charts@grafana-8.1.0...grafana-8.1.1
v8.1.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@alloy-0.4.0...grafana-8.1.0
v8.0.2
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@k8s-monitoring-1.0.13...grafana-8.0.2
v8.0.1
What's Changed
folderUid option by @Rohlik in https://github.com/grafana/helm-charts/pull/2956
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.11.0...grafana-8.0.1
v8.0.0
What's Changed
Full Changelog: grafana/helm-charts@grafana-7.3.12...grafana-8.0.0
v7.3.12
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@oncall-1.5.5...grafana-7.3.12
v7.3.11
What's Changed
Full Changelog: grafana/helm-charts@k8s-monitoring-1.0.8...grafana-7.3.11
v7.3.10
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.9.9...grafana-7.3.10
v7.3.9
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-sampling-0.1.1...grafana-7.3.9
v7.3.8
What's Changed
Full Changelog: grafana/helm-charts@rollout-operator-0.15.0...grafana-7.3.8
v7.3.7
What's Changed
Full Changelog: grafana/helm-charts@k8s-monitoring-0.11.2...grafana-7.3.7
v7.3.6
What's Changed
Full Changelog: grafana/helm-charts@grafana-7.3.5...grafana-7.3.6
v7.3.5
What's Changed
Full Changelog: grafana/helm-charts@grafana-7.3.4...grafana-7.3.5
v7.3.4
What's Changed
serviceAccount.automountServiceAccountToken and document automountServiceAccountToken by @jkroepke in https://github.com/grafana/helm-charts/pull/2997
Full Changelog: grafana/helm-charts@grafana-agent-0.36.0...grafana-7.3.4
v7.3.3
What's Changed
Full Changelog: grafana/helm-charts@loki-distributed-0.78.3...grafana-7.3.3
v7.3.2
What's Changed
Full Changelog: grafana/helm-charts@grafana-7.3.1...grafana-7.3.2
v7.3.1
What's Changed
Full Changelog: grafana/helm-charts@grafana-agent-0.33.0...grafana-7.3.1
v7.3.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@promtail-6.15.5...grafana-7.3.0
v7.2.5
What's Changed
Full Changelog: grafana/helm-charts@helm-loki-5.42.0...grafana-7.2.5
v7.2.4
What's Changed
Full Changelog: grafana/helm-charts@loki-stack-2.10.1...grafana-7.2.4
v7.2.3
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-7.2.2...grafana-7.2.3
v7.2.2
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.8.0...grafana-7.2.2
v7.2.1
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-7.2.0...grafana-7.2.1
v7.2.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@helm-k6-operator-3.4.0...grafana-7.2.0
v7.1.0
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-7.0.22...grafana-7.1.0
v7.0.22
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@tempo-distributed-1.7.4...grafana-7.0.22
v7.0.21
What's Changed
New Contributors
Full Changelog: grafana/helm-charts@grafana-7.0.20...grafana-7.0.21
v7.0.20
What's Changed
Full Changelog: grafana/helm-charts@grafana-agent-0.30.0...grafana-7.0.20
v7.0.19
What's Changed
New Contributors
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.