feat(charts)!: Update Helm release grafana to 8.8.5 #2460

Open
wants to merge 1 commit into
base: main

@renovate renovate bot commented Jun 3, 2024

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| grafana (source) | major | 6.40.4 -> 8.8.5 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

grafana/helm-charts (grafana)

v8.8.5

The leading tool for querying and visualizing time series and metrics.

Full Changelog: grafana/helm-charts@mimir-distributed-5.7.0-weekly.325...grafana-8.8.5

v8.8.4

Full Changelog: grafana/helm-charts@helm-loki-6.24.1...grafana-8.8.4

v8.8.3

Full Changelog: grafana/helm-charts@beyla-1.6.2...grafana-8.8.3

v8.8.2

Full Changelog: grafana/helm-charts@tempo-1.16.0...grafana-8.8.2

v8.8.1

Full Changelog: grafana/helm-charts@grafana-8.8.0...grafana-8.8.1

v8.8.0

Full Changelog: grafana/helm-charts@grafana-8.7.1...grafana-8.8.0

v8.7.1

Full Changelog: grafana/helm-charts@tempo-distributed-1.26.1...grafana-8.7.1

v8.7.0

Full Changelog: grafana/helm-charts@tempo-distributed-1.26.0...grafana-8.7.0

v8.6.4

Full Changelog: grafana/helm-charts@helm-loki-6.22.0...grafana-8.6.4

v8.6.3

Full Changelog: grafana/helm-charts@beyla-1.5.0...grafana-8.6.3

v8.6.2

Full Changelog: grafana/helm-charts@mimir-distributed-5.6.0-weekly.318...grafana-8.6.2

v8.6.1

Full Changelog: grafana/helm-charts@oncall-1.13.3...grafana-8.6.1

v8.6.0

Full Changelog: grafana/helm-charts@tempo-vulture-0.7.0...grafana-8.6.0

v8.5.12

Full Changelog: grafana/helm-charts@beyla-1.4.5...grafana-8.5.12

v8.5.11

Full Changelog: grafana/helm-charts@grafana-8.5.10...grafana-8.5.11

v8.5.10

Full Changelog: grafana/helm-charts@beyla-1.4.4...grafana-8.5.10

v8.5.9

Full Changelog: grafana/helm-charts@k8s-monitoring-1.6.1...grafana-8.5.9

v8.5.8

Full Changelog: grafana/helm-charts@grafana-8.5.7...grafana-8.5.8

v8.5.7

Full Changelog: grafana/helm-charts@alloy-0.9.2...grafana-8.5.7

v8.5.6

Full Changelog: grafana/helm-charts@helm-loki-6.18.0...grafana-8.5.6

v8.5.5

Full Changelog: grafana/helm-charts@tempo-distributed-1.18.4...grafana-8.5.5

v8.5.4

Full Changelog: grafana/helm-charts@mimir-distributed-5.5.0...grafana-8.5.4

v8.5.3

Full Changelog: grafana/helm-charts@alloy-0.9.1...grafana-8.5.3

v8.5.2

Full Changelog: grafana/helm-charts@alloy-0.9.0...grafana-8.5.2

v8.5.1

Full Changelog: grafana/helm-charts@helm-loki-6.11.0...grafana-8.5.1

v8.5.0

Full Changelog: grafana/helm-charts@grafana-8.4.9...grafana-8.5.0

v8.4.9

Full Changelog: grafana/helm-charts@helm-loki-6.10.1...grafana-8.4.9

v8.4.8

Full Changelog: grafana/helm-charts@alloy-0.6.1...grafana-8.4.8

v8.4.7

Full Changelog: grafana/helm-charts@grafana-8.4.6...grafana-8.4.7

v8.4.6

v8.4.5

Full Changelog: grafana/helm-charts@grafana-sampling-1.0.0...grafana-8.4.5

v8.4.4

Full Changelog: grafana/helm-charts@grafana-8.4.3...grafana-8.4.4

v8.4.3

Full Changelog: grafana/helm-charts@grafana-8.4.2...grafana-8.4.3

v8.4.2

Full Changelog: grafana/helm-charts@tempo-distributed-1.16.1...grafana-8.4.2

v8.4.1

Full Changelog: grafana/helm-charts@k8s-monitoring-1.4.4...grafana-8.4.1

v8.4.0

Full Changelog: grafana/helm-charts@loki-distributed-0.79.2...grafana-8.4.0

v8.3.8

Full Changelog: grafana/helm-charts@tempo-distributed-1.15.3...grafana-8.3.8

v8.3.7

Full Changelog: grafana/helm-charts@grafana-agent-operator-0.4.1...grafana-8.3.7

v8.3.6

Full Changelog: grafana/helm-charts@grafana-8.3.5...grafana-8.3.6

v8.3.5

Full Changelog: grafana/helm-charts@synthetic-monitoring-agent-0.3.0...grafana-8.3.5

v8.3.4

Full Changelog: grafana/helm-charts@loki-distributed-0.79.1...grafana-8.3.4

v8.3.3

Full Changelog: grafana/helm-charts@alloy-0.5.1...grafana-8.3.3

v8.3.2

Full Changelog: grafana/helm-charts@helm-loki-6.6.5...grafana-8.3.2

v8.3.1

Full Changelog: grafana/helm-charts@grafana-8.3.0...grafana-8.3.1

v8.3.0

Full Changelog: grafana/helm-charts@tempo-distributed-1.13.2...grafana-8.3.0

v8.2.2

Full Changelog: grafana/helm-charts@tempo-distributed-1.13.1...grafana-8.2.2

v8.2.1

Full Changelog: grafana/helm-charts@grafana-8.2.0...grafana-8.2.1

v8.2.0

Full Changelog: grafana/helm-charts@grafana-8.1.1...grafana-8.2.0

v8.1.1

Full Changelog: grafana/helm-charts@grafana-8.1.0...grafana-8.1.1

v8.1.0

Full Changelog: grafana/helm-charts@alloy-0.4.0...grafana-8.1.0

v8.0.2

Full Changelog: grafana/helm-charts@k8s-monitoring-1.0.13...grafana-8.0.2

v8.0.1

Full Changelog: grafana/helm-charts@tempo-distributed-1.11.0...grafana-8.0.1

v8.0.0

Full Changelog: grafana/helm-charts@grafana-7.3.12...grafana-8.0.0

v7.3.12

Full Changelog: grafana/helm-charts@oncall-1.5.5...grafana-7.3.12

v7.3.11

Full Changelog: grafana/helm-charts@k8s-monitoring-1.0.8...grafana-7.3.11

v7.3.10

Full Changelog: grafana/helm-charts@tempo-distributed-1.9.9...grafana-7.3.10

v7.3.9

Full Changelog: grafana/helm-charts@grafana-sampling-0.1.1...grafana-7.3.9

v7.3.8

Full Changelog: grafana/helm-charts@rollout-operator-0.15.0...grafana-7.3.8

v7.3.7

Full Changelog: grafana/helm-charts@k8s-monitoring-0.11.2...grafana-7.3.7

v7.3.6

Full Changelog: grafana/helm-charts@grafana-7.3.5...grafana-7.3.6

v7.3.5

Full Changelog: grafana/helm-charts@grafana-7.3.4...grafana-7.3.5

v7.3.4

Full Changelog: grafana/helm-charts@grafana-agent-0.36.0...grafana-7.3.4

v7.3.3

Full Changelog: grafana/helm-charts@loki-distributed-0.78.3...grafana-7.3.3

v7.3.2

Full Changelog: grafana/helm-charts@grafana-7.3.1...grafana-7.3.2

v7.3.1

Full Changelog: grafana/helm-charts@grafana-agent-0.33.0...grafana-7.3.1

v7.3.0

Full Changelog: grafana/helm-charts@promtail-6.15.5...grafana-7.3.0

v7.2.5

Full Changelog: grafana/helm-charts@helm-loki-5.42.0...grafana-7.2.5

v7.2.4

Full Changelog: grafana/helm-charts@loki-stack-2.10.1...grafana-7.2.4

v7.2.3

Full Changelog: grafana/helm-charts@grafana-7.2.2...grafana-7.2.3

v7.2.2

Full Changelog: grafana/helm-charts@tempo-distributed-1.8.0...grafana-7.2.2

v7.2.1

Full Changelog: grafana/helm-charts@grafana-7.2.0...grafana-7.2.1

v7.2.0

Full Changelog: grafana/helm-charts@helm-k6-operator-3.4.0...grafana-7.2.0

v7.1.0

Full Changelog: grafana/helm-charts@grafana-7.0.22...grafana-7.1.0

v7.0.22

Full Changelog: grafana/helm-charts@tempo-distributed-1.7.4...grafana-7.0.22

v7.0.21

Full Changelog: grafana/helm-charts@grafana-7.0.20...grafana-7.0.21

v7.0.20

Full Changelog: grafana/helm-charts@grafana-agent-0.30.0...grafana-7.0.20

v7.0.19


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from dfroberg as a code owner June 3, 2024 16:11

github-actions bot commented Jun 3, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.0.0

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
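
Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, so every pod that uses this account gets an API token by default, not only the Grafana Deployment, whose pod spec already sets the same field further down. If only the sidecars need API access, consider leaving the ServiceAccount default at `false` and relying on the pod-level setting, and check what the ClusterRole bound to this account allows, since the sidecars run with `NAMESPACE: ALL`.
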
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,16 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +141,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +186,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +207,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +253,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 83dd8ec542152bdf045ab464c90449c6ac8bfa004122939a03042db7ef9cb977
+        checksum/sc-dashboard-provider-config: 593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
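
Review bot: in the `download-dashboards` init container only the registry prefix changed; the image is still `curlimages/curl:7.85.0`, referenced by mutable tag, while the sidecars in this same update move from 1.19.2 to 1.26.1. Consider bumping the curl image and pinning it by digest so the init container is covered by the same update process. The added `securityContext` (no privilege escalation, all capabilities dropped, `RuntimeDefault` seccomp) together with `runAsNonRoot: true` fits a container that only runs a download script.
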
@@ -347,7 +289,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +302,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
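
Review bot: the `grafana-sc-dashboard` sidecar now receives `REQ_USERNAME` and `REQ_PASSWORD` from the `grafana` Secret, that is, the Grafana admin credentials, so that it can POST to `/api/admin/provisioning/dashboards/reload`. The same container watches `NAMESPACE: ALL`, so confirm that only trusted namespaces can create the labelled resources it picks up, or narrow `NAMESPACE`. Also make sure `admin-password` in that Secret is not a chart default, because it is now consumed by this sidecar as well as by Grafana itself.
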
@@ -391,12 +354,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
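
Review bot: the new image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.0.0` has two registries in it: the `docker.io` prefix is prepended to a repository that already starts with `ghcr.io`. As written this asks Docker Hub for a repository named `ghcr.io/k8s-at-home/grafana`, which is not the image that ran before (`ghcr.io/k8s-at-home/grafana:9.1.7`), so expect either a pull failure or an image from an unintended source. Fix the image override in the HelmRelease values so that registry and repository are given separately (or no prefix is added), and confirm that an `11.0.0` tag is actually published at the intended location before merging.
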
@@ -420,7 +397,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
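
Review bot: the `grafana` container now declares `gossip-tcp` and `gossip-udp` on port 9094 and gets `POD_IP` injected. If NetworkPolicies cover this namespace, allow 9094 only between Grafana pods; if this deployment runs a single replica and does not use these ports, confirm they are not reachable through the Service or Ingress.
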
@@ -525,7 +512,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +536,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +550,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +605,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from d86578d to a5dc67c Compare June 7, 2024 21:20
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.0.0 feat(charts)!: Update Helm release grafana to 8.0.1 Jun 7, 2024

github-actions bot commented Jun 7, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.0.1

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
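
Review bot: with the `podsecuritypolicies` `use` rule removed, the `grafana` Role is left as `rules: []` and the RoleBinding that follows still binds it to the ServiceAccount. PodSecurityPolicy no longer exists in Kubernetes 1.25 and later, so dropping the rule is expected, but nothing in this diff replaces admission-time enforcement: the container-level `securityContext` blocks added further down are declared by the workload itself. Check that the `default` namespace carries Pod Security Admission labels (or an equivalent policy) before relying on them.
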
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 84ab5d180187b2eb3132dd2d4ef99c6fac69ad5f2305ac6a8188eb561f25f885
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
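Review bot: the `grafana-sc-dashboard` container now gets `REQ_USERNAME` and `REQ_PASSWORD` from the `admin-user` and `admin-password` keys of the `grafana` Secret, so the Grafana admin login sits in the environment of a second container that runs with `NAMESPACE: ALL`. The values are only used to POST to `http://localhost:3000/api/admin/provisioning/dashboards/reload`. If the file provider's own polling is enough for this cluster, prefer turning the reload call off, should the chart allow it, so the admin credential is not handed to the sidecar; otherwise note in the PR that the added exposure is accepted.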
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
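Review bot: the grafana container image renders as `docker.io/ghcr.io/k8s-at-home/grafana:11.0.0`, which puts a `docker.io` registry prefix in front of a repository value that already begins with `ghcr.io`. That reference resolves against Docker Hub instead of GHCR and will most likely fail to pull. Split the image override in helm-release.yaml so that the registry is `ghcr.io` and the repository is `k8s-at-home/grafana`, and confirm that an `11.0.0` tag is actually published for that image, since the tag moved from `9.1.7` in the same line.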
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from a5dc67c to 40bc5ec Compare June 12, 2024 11:36
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.0.1 feat(charts)!: Update Helm release grafana to 8.0.2 Jun 12, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.0.2

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
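Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount object itself, so any pod in `default` that runs under this ServiceAccount and does not set the field gets an API token mounted by default. The Deployment's pod spec later in this diff already sets the same field explicitly, so the ServiceAccount-level value could be `false` with the opt-in kept on the pod that needs it.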
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
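Review bot: with the PodSecurityPolicy `use` rule removed, the object here now renders `rules: []`, a role that grants nothing yet is still emitted directly ahead of `rolebinding.yaml`. Check whether the chart offers a way to skip the empty role and its binding, and confirm that nothing in the cluster still depends on the `podsecuritypolicies` grants for `grafana` and `grafana-test` that this hunk deletes.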
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 650370735618da1cb2bf7f47629ae159e380302e2fe81b94ace890ba8d19db46
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
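Review bot: the grafana container gains `gossip-tcp` and `gossip-udp` on port 9094 plus a `POD_IP` variable, which adds a second listener next to 3000, and nothing visible in this diff limits who can reach it. These look like peer ports for clustering between Grafana pods; if this release runs a single replica they are unused, and if a NetworkPolicy covers the pod it should allow 9094 only from other grafana pods.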
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 40bc5ec to 354e03e Compare June 27, 2024 08:08
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.0.2 feat(charts)!: Update Helm release grafana to 8.1.1 Jun 27, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.1.1

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: f7570a639fb1a098ebaff7782a3192bc29933b7119b4261c7224e58c772ef7e5
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
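Review bot: the `download-dashboards` init container only gains a registry prefix and stays on `curlimages/curl:7.85.0`, a release from 2022, while the sidecar and grafana images are bumped elsewhere in this PR. Set the download image tag in helm-release.yaml to a current curl release. Two smaller points on the same container: the new `securityContext` does not set `readOnlyRootFilesystem`, and the script is run with `/bin/sh -x`, which writes every expanded command to the pod log, including any credentials embedded in dashboard URLs.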
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
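Review bot: `interval` drops to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the full scrape interval and a slow scrape can run right up to the start of the next one. Lower `scrapeTimeout` below the interval, or keep `interval: 1m` if the previous cadence was deliberate.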
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
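Review bot: the re-added test ServiceAccount and ConfigMap carry `"helm.sh/hook": test-success`, the Helm 2 hook name that Helm 3 keeps only as a deprecated alias of `test`. Because they now render as hooks with `hook-delete-policy` set, they exist only around a `helm test` run, and the test Role and RoleBinding removed earlier in this diff are not re-added, so check that the `grafana-test` pod still starts without them. In `run.sh`, `${url}` is passed to wget unquoted; that is harmless with the fixed URL but worth quoting upstream.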
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 354e03e to b157c62 Compare June 27, 2024 23:01
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.1.1 feat(charts)!: Update Helm release grafana to 8.2.0 Jun 27, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.2.0

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: b5a9c55d19c0ab9f9270ade9cf23de42d56a066c659ece024491249c92795ae9
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
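
Review bot: the `download-dashboards` image line only gains a `docker.io/` prefix and stays on `curlimages/curl:7.85.0`, while the sidecar images elsewhere in this diff move forward. This init container runs `download_dashboards.sh`, so bump the image in the release values and pin it by digest rather than by tag alone.
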
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
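
Review bot: the added `REQ_USERNAME` and `REQ_PASSWORD` entries put the Grafana `admin-user` and `admin-password` secret keys into the `grafana-sc-dashboard` container's environment, and the same container is configured with `NAMESPACE: "ALL"`. That widens where the admin credentials live just to call the `localhost:3000` reload endpoint; check whether the reload call is needed for dashboards here, and if it is, consider narrowing the namespaces the sidecar watches.
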
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.0.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
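
Review bot: the new `grafana` image line reads `docker.io/ghcr.io/k8s-at-home/grafana:11.0.0`, so a `docker.io` registry has been prepended to a repository value that already starts with `ghcr.io`. That reference no longer points at the registry the old line used; split registry and repository in the release values (registry `ghcr.io`, repository `k8s-at-home/grafana`) and confirm the new tag exists there before merging.
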
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
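
Review bot: the `grafana` container now declares `gossip-tcp` and `gossip-udp` on port 9094 and receives `POD_IP`, none of which the previous render had. Confirm whether this release needs them, and if it does, restrict 9094 to other Grafana pods in any NetworkPolicy that covers this pod.
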
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
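
Review bot: `interval` drops to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the scrape interval. Lower `scrapeTimeout` (for example to `10s`) so a slow scrape cannot run right up to the start of the next one.
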
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
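
Review bot: the re-added `grafana-test` ServiceAccount sets no `automountServiceAccountToken`, yet the only test in `run.sh` is a `wget` against `http://grafana/api/health`, which needs no Kubernetes API access. Set `automountServiceAccountToken: false` on the test ServiceAccount or its pod so the test container does not carry a token.
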
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from b157c62 to 90da4f6 Compare July 1, 2024 11:19
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.2.0 feat(charts)!: Update Helm release grafana to 8.2.1 Jul 1, 2024

github-actions bot commented Jul 1, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.2.1

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
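
Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, which makes token mounting the default for any pod that uses this account. The Deployment pod spec later in this diff already opts in on its own; prefer `false` at the ServiceAccount level and leave the opt-in on the pod that needs it.
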
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
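
Review bot: with the `podsecuritypolicies` `use` rule removed, the `grafana` Role is rendered as `rules: []` while the `rolebinding.yaml` that follows is left in place. Before merging, confirm nothing in the cluster still depends on the PodSecurityPolicy named `grafana`, and consider turning off the now-empty Role and its binding in the release values.
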
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 0554d0e20431356219238f4b7f28f91c637d59d0f65a501246a3fbf0f4c048c8
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
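
Review bot: the `securityContext` added to `download-dashboards` leaves out `readOnlyRootFilesystem`, although it already drops all capabilities and blocks privilege escalation. The container's command only creates `/var/lib/grafana/dashboards/default` and runs the download script; if that path is a mounted volume, add `readOnlyRootFilesystem: true` to finish the hardening.
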
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 90da4f6 to a606917 Compare July 1, 2024 23:00
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.2.1 feat(charts)!: Update Helm release grafana to 8.2.2 Jul 1, 2024

github-actions bot commented Jul 1, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.2.2

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 4738d0ff7b0d3761e9281fe45de0cacd2af93c5ca8891694b0b818c0639b8ba9
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from a606917 to a99c942 Compare July 3, 2024 08:00
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.2.2 feat(charts)!: Update Helm release grafana to 8.3.1 Jul 3, 2024

github-actions bot commented Jul 3, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.3.1

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: dd77c7c002fe81ab5b675639a44580e50525eba99891f11f2f6a8571ced78181
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
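Review bot: The added `REQ_USERNAME` / `REQ_PASSWORD` entries hand the Grafana admin credentials (`admin-user` and `admin-password` from the `grafana` Secret) to the `grafana-sc-dashboard` sidecar as environment variables, and this sidecar watches `NAMESPACE: "ALL"`. The reload request only goes to `http://localhost:3000/api/admin/provisioning/dashboards/reload`, so the credentials stay inside the pod, but the sidecar now holds full admin rights where it only needs to trigger a provisioning reload. Worth confirming that this is acceptable, or narrowing the namespaces the sidecar watches.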
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
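Review bot: The new image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.1.0` contains two registry hosts: `docker.io` is prepended to a repository that already starts with `ghcr.io`. That points the pull at Docker Hub instead of the GHCR image the old line used, so it will most likely fail or fetch from an unintended source. The release values should set the registry to `ghcr.io` and the repository to `k8s-at-home/grafana` separately before this merges.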
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
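Review bot: With `interval` lowered to `30s` it now equals the unchanged `scrapeTimeout: 30s`. Prometheus accepts a timeout equal to the interval, but a slow scrape can then run right up to the start of the next one. Suggest setting `scrapeTimeout` below the interval, or leaving the interval at `1m` if the faster cadence is not needed.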
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from a99c942 to 2986d5b Compare July 4, 2024 14:13
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.3.1 feat(charts)!: Update Helm release grafana to 8.3.2 Jul 4, 2024

github-actions bot commented Jul 4, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.3.2

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
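Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, so every pod that uses this account gets an API token by default. The Deployment's pod spec in this same diff already sets `automountServiceAccountToken: true` explicitly; consider setting the ServiceAccount-level value to false in the release values and keeping the opt-in on the pod, which is the only place the sidecars need it.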
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
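Review bot: The Role is left with `rules: []` once the `podsecuritypolicies` `use` grant is removed, and the `grafana-test` Role is deleted outright. That matches PodSecurityPolicy having been removed from Kubernetes in 1.25, but the release then no longer references any admission-time policy. Confirm the `default` namespace carries Pod Security admission labels (or an equivalent policy) so the new `securityContext` settings are enforced and not only requested.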
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 58a4997a1119d6f0661fab2877ba458fa7c053aa36c0e885b08ff1178757c6a4
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
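Review bot: In `download-dashboards` only the registry prefix changes; the init container still runs `curlimages/curl:7.85.0` while the sidecar and Grafana images are bumped in the same diff. Suggest overriding this image to a current curl release and pinning it by digest, since the container runs `download_dashboards.sh` on every pod start. The added `securityContext` also omits `readOnlyRootFilesystem: true`, which would fit here if the script only writes to mounted volumes.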
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
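Review bot: The `grafana-test` ServiceAccount and ConfigMap added here are the same objects removed near the top of this diff, now carrying `helm.sh/hook` annotations, so this is a move into Helm test hooks and not a set of new resources. Two small points: `test-success` is the legacy hook name (Helm 3 uses `test` and keeps the old name as an alias), and `${url}` is unquoted in the `wget` call in `run.sh`. Neither blocks the upgrade.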
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 2986d5b to 42e0b2f Compare July 12, 2024 22:50
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.3.2 feat(charts)!: Update Helm release grafana to 8.3.3 Jul 12, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.3.3

@@ -1,6 +1,7 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
@@ -9,17 +10,6 @@
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -50,16 +40,17 @@
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -151,27 +142,9 @@
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
+    grafana_dashboard: ""
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -214,27 +187,7 @@
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
     app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -255,25 +208,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -320,24 +254,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 31634d6f12a3a098ac3477396d2d0c2be0b0c3618f03ab2eceb759b8630bb82b
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +290,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +303,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.26.1"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +355,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.1.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +398,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
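Review bot: The new `gossip-tcp` and `gossip-udp` entries declare `containerPort: 9094` on the Grafana container next to 3000. The Deployment rendered for this release runs `replicas: 1` (visible in the 8.6.1 diff), so there is no peer to gossip with. If a NetworkPolicy covers this pod, keep 9094 out of its ingress allow-list unless a multi-replica setup is planned.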
@@ -525,7 +513,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -549,7 +537,7 @@
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +551,42 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/managed-by: Helm
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -582,7 +606,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.6.0 feat(charts)!: Update Helm release grafana to 8.6.1 Nov 22, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.6.1

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
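Review bot: `app.kubernetes.io/managed-by: Helm` is dropped from the ServiceAccount here and from every other resource in this diff, which the earlier 8.3.x diffs did not show. Check whether that comes from how the diff job renders the chart or from the chart itself. If it is real, any selector, policy or cleanup tooling that keys on that label will stop matching these objects.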
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
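Review bot: The rendered Secret's `data` block is being posted into this PR comment (context line `admin-user: "YWRtaW4="`). Base64 is an encoding, not protection (that value decodes to `admin`), so if the rendered `admin-password` follows in the same block it is readable by anyone who can see this PR. Suggest having the diff job skip or mask `kind: Secret` manifests, and sourcing the admin credentials from an existing Secret instead of chart values.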
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 5aea692250a24b6315add9fb3c04e753ead363a9e5fe914e84783127a1f52d78
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
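Review bot: In the `download-dashboards` init container only the registry prefix changes; the tag stays at `curlimages/curl:7.85.0` while the sidecar and Grafana images are bumped. This major upgrade therefore does not refresh the curl build, so set a newer tag for the init image explicitly in the HelmRelease values, ideally pinned by digest. The added `securityContext` is welcome, but it does not set `readOnlyRootFilesystem`; check whether this short-lived container can run with it.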
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
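Review bot: The Grafana image renders as `docker.io/ghcr.io/k8s-at-home/grafana:11.3.1`, so a registry prefix is being prepended to a repository value that already contains a registry host. As written, the pull goes to Docker Hub for a repository named `ghcr.io/k8s-at-home/grafana`, which is not the image the old line pulled. Split the override in the HelmRelease values so that `image.registry` is `ghcr.io` and `image.repository` is `k8s-at-home/grafana`. Also check that an `11.3.1` tag is actually published there before merging, since the tag jumps from `9.1.7` on the same repository.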
@@ -420,7 +386,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +490,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +520,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
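Review bot: `interval` drops to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the scrape interval and a slow scrape can run right up to the start of the next one. Set `scrapeTimeout` below the interval, or pin `serviceMonitor.interval` back to `1m` in the values if the shorter period came in with the chart upgrade rather than by choice.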
@@ -563,6 +537,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +579,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +589,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from c6ab6d9 to c53979a November 26, 2024 12:22
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release grafana to 8.6.1" to "feat(charts)!: Update Helm release grafana to 8.6.2" Nov 26, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.6.2

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
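Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, on top of the Deployment's pod spec, which already opts in. At the ServiceAccount level it becomes the default for every pod that runs under this account. Prefer `false` here and keep the opt-in on the Deployment, so the token is mounted only where the sidecars need it.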
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
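Review bot: This hunk only drops a label, but its context shows the chart-generated Secret being rendered into the PR diff, with `admin-user: "YWRtaW4="` visible on the last line. Base64 is an encoding, not protection. If this repository or its PR comments are public, point the chart at a secret managed outside the release values (the chart has `admin.existingSecret` for this) and exclude Secret documents from the posted diff.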
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: aa99480bdd3dcc0bfd5dbaa377e3b82a3ffa07e269c6ea0563cb31e43d827fc3
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
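Review bot: The dashboard sidecar now receives `REQ_USERNAME` and `REQ_PASSWORD` from the `admin-user` and `admin-password` keys of the `grafana` secret so that it can POST to `/api/admin/provisioning/dashboards/reload`. That places the Grafana admin credentials in a second container, one that also watches `NAMESPACE: "ALL"`. The dashboard provider in this same diff already rescans every 30 seconds (`updateIntervalSeconds: 30`), so confirm that the explicit reload call is wanted and remove the credentials from the sidecar if it is not.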
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
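Review bot: The Grafana container now declares `gossip-tcp` and `gossip-udp` on 9094 and gets `POD_IP` injected, which only matters when several replicas cluster with each other; this Deployment renders `replicas: 1`. The declaration is harmless on its own. If NetworkPolicies select this pod, decide explicitly whether 9094 should be reachable from other pods, and keep it closed while there is a single replica.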
@@ -514,7 +490,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +520,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +537,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
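Review bot: The test ServiceAccount and ConfigMap reappear here as `helm.sh/hook: test` resources, and `run.sh` still probes `http://grafana/api/health` with an unquoted `${url}` and a bash-style `==` inside `[ ]`. If chart tests are never run against this release, set `testFramework.enabled: false` in the values so the `grafana-test` objects are not rendered at all. Otherwise, raise `"${url}"` and a POSIX `=` with the chart maintainers.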
@@ -571,9 +579,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +589,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from c53979a to e868f90 November 27, 2024 04:00
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release grafana to 8.6.2" to "feat(charts)!: Update Helm release grafana to 8.6.3" Nov 27, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.6.3

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
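Review bot: The `plugins` line in this hunk's context is unchanged, yet the Grafana image elsewhere in this diff moves from 9.1.7 to 11.3.1. Panels such as `grafana-piechart-panel` and `grafana-worldmap-panel` were built on the Angular plugin framework, which Grafana 11 no longer enables by default. Check each entry in the list against the target version, and replace or remove the ones that will not load before merging.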
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
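Review bot: `grafana-clusterrole` survives the upgrade with a rule on the core API group, and the sidecars in the Deployment run with `NAMESPACE: "ALL"`. That gives the `grafana` ServiceAccount cluster-wide access to whatever resources and verbs the rule lists. If dashboards and datasources only live in a few namespaces, scope the sidecars to those namespaces so a namespaced Role can replace the ClusterRole.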
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 0d43569ffea16dbe84a92f22b0bd3af9ef0b7ed2888cba0b5d40e730ba87baf7
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
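Review bot: The dashboard sidecar moves to `quay.io/kiwigrid/k8s-sidecar:1.28.0` by tag with `imagePullPolicy: IfNotPresent`, and the datasources sidecar in a later hunk gets the same tag. These containers run under the `grafana` ServiceAccount and, after this change, also carry the Grafana admin credentials in their environment. Pin the image by digest in the values so the rollout is reproducible and the exact image under review is the one that runs.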
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
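
Review bot: the `gossip-tcp` and `gossip-udp` container ports on 9094 and the `POD_IP` variable are added to the grafana container even though the Deployment in this diff runs with `replicas: 1`, so there is no peer to gossip with. If a NetworkPolicy covers this pod, state explicitly whether 9094 is allowed between Grafana pods, so the port is not opened by accident when replicas are raised later.
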
@@ -514,7 +490,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +520,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +537,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
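
Review bot: the re-added `grafana-test` ServiceAccount does not set `automountServiceAccountToken: false`, although the only test in `run.sh` is a `wget` against `http://grafana/api/health` and needs no API token. The test Role and RoleBinding are removed elsewhere in this diff, so the token carries no grants and mounting it serves no purpose; disable the mount for the test account. In `run.sh`, quote `${url}` in the `wget` call.
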
@@ -571,9 +579,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +589,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from e868f90 to 0b211da Compare November 29, 2024 16:24
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.6.3 feat(charts)!: Update Helm release grafana to 8.6.4 Nov 29, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.6.4

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
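
Review bot: `automountServiceAccountToken: true` is now explicit on the `grafana` ServiceAccount, and the same account is the subject of the `grafana-clusterrole` binding later in this diff, so every container in the pod, including the `download-dashboards` init container, receives that cluster-scoped token. If only the k8s-sidecar containers need API access, look at whether the mount can be narrowed, or record in the values file why it stays on.
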
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
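
Review bot: the context of this hunk prints the rendered Secret's `data` block (`admin-user: "YWRtaW4="`), and base64 is an encoding, not protection. The hunk itself only drops a label, but confirm that the diff job masks or skips `kind: Secret` objects, so that a change to `admin-password` cannot land in a PR comment in recoverable form.
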
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 07f4a4b7436436e2b19536e7ba422a965fd53ec44a0559057f6ffe8e6b3ec5e0
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
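
Review bot: the `download-dashboards` init container stays on `curlimages/curl:7.85.0`; only the `docker.io/` prefix changes, so a two-major chart bump leaves the same old curl build fetching dashboards over the network. Bump that tag in the same PR. The added `runAsNonRoot: true` and the per-container `securityContext` are welcome, but none of the new blocks set `readOnlyRootFilesystem`; check whether it can be enabled at least for this init container.
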
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
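
Review bot: `REQ_USERNAME` and `REQ_PASSWORD` hand the Grafana admin credentials from the `grafana` Secret to the `grafana-sc-dashboard` container, which the context shows running with `NAMESPACE` set to `"ALL"`. That container processes objects from every namespace and now also holds the admin password. Restrict `NAMESPACE` to the namespaces that actually ship dashboards, or confirm that the reload call to `/api/admin/provisioning/dashboards/reload` is needed here, given that the provider already polls with `updateIntervalSeconds: 30`.
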
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.3.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +490,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +520,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +537,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +579,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +589,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 0b211da to 9b9ac38 Compare December 12, 2024 20:31
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.6.4 feat(charts)!: Update Helm release grafana to 8.7.0 Dec 12, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.7.0

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
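
Review bot: the `plugins:` list in this ConfigMap is untouched while the grafana image tag moves from 9.1.7 to 11.4.0 later in this diff. Verify that each listed panel plugin still loads on the new major version and drop the ones no dashboard uses, since every entry is third-party code running inside Grafana.
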
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
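
Review bot: `app.kubernetes.io/managed-by: Helm` disappears from this Service and from every other object in the diff. Before merging, check that no NetworkPolicy, admission policy or monitoring selector in the cluster matches on that label, or confirm that the removal is only an artifact of how the diff was rendered.
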
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 42b34601b30d8423db3a9e4be7d7ec2e6fbf0c0a9c230274081ef89b8d48a2f1
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,17 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +490,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +500,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +520,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
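
Review bot: `interval` drops from `1m` to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the interval and a slow scrape can run right up to the start of the next one. Set a shorter `scrapeTimeout`, or keep the previous interval through values if the faster scrape is not wanted.
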
@@ -563,6 +537,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +579,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +589,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 9b9ac38 to ea8bc29 Compare December 15, 2024 18:13
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.7.0 feat(charts)!: Update Helm release grafana to 8.8.1 Dec 15, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.8.1

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
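
Review bot: With the `podsecuritypolicies` `use` rule removed, this Role now renders as `rules: []` while `grafana/templates/rolebinding.yaml` still binds it, so the Role and RoleBinding are dead RBAC objects. PodSecurityPolicy was removed from Kubernetes in 1.25, so pod restrictions for this release now rest on the securityContext settings added in the Deployment hunks. If namespace `default` carries no Pod Security Admission labels (for example `pod-security.kubernetes.io/enforce`), add them so the restriction is enforced by the cluster and not only by chart defaults.
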
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 4934e22a3b1b7367bd4159d993c32ebd4b3d4aaecce9f407f14b1b56c142865f
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
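
Review bot: The `download-dashboards` init container keeps `curlimages/curl:7.85.0` on both sides of this hunk; only the `docker.io/` prefix is new, so the upgrade leaves that image at its old version while the sidecar and Grafana images move forward. Override `downloadDashboardsImage` in the values to a current curl release and consider pinning it by digest, since this container fetches dashboards over the network on every pod start. The added `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `drop: ALL` are fine as they stand.
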
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
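
Review bot: `REQ_USERNAME` and `REQ_PASSWORD` now place the Grafana admin credentials from Secret `grafana` in the environment of the `grafana-sc-dashboard` container, and that sidecar runs with `NAMESPACE` set to `ALL`, so it processes resources from every namespace. The dashboard provider already polls `/tmp/dashboards` with `updateIntervalSeconds: 30`, so check whether the POST to `/api/admin/provisioning/dashboards/reload` is needed at all. If it is not, turn the dashboard reload off in the values so this sidecar does not hold admin credentials.
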
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
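
Review bot: The new main image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.4.0` contains two registries: the chart now prepends a registry (`docker.io`) to a repository value that already starts with `ghcr.io/`. As written, the kubelet will ask Docker Hub for a repository named `ghcr.io/k8s-at-home/grafana`, which is not the image that was running before (`ghcr.io/k8s-at-home/grafana:9.1.7`); the pull either fails or resolves to whatever is published under that Docker Hub path. Split the override in the HelmRelease values into `image.registry: ghcr.io` and `image.repository: k8s-at-home/grafana`, and confirm that a `11.4.0` tag exists there before merging.
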
@@ -420,7 +386,20 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
+            - name: profiling
+              containerPort: 6060
+              protocol: TCP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
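
Review bot: The `grafana` container now declares `gossip-tcp` and `gossip-udp` on 9094 and `profiling` on 6060 in addition to 3000. Declaring a containerPort opens nothing by itself, but with `replicas: 1` the gossip ports have no peer and the profiling port is a debug surface. Check that no Service, Ingress or NetworkPolicy in this cluster selects these port names, and keep profiling disabled in `grafana.ini` unless it is actively used.
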
@@ -514,7 +493,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +523,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +540,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +582,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +592,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from ea8bc29 to 4f62b08 on December 16, 2024 21:30
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release grafana to 8.8.1" to "feat(charts)!: Update Helm release grafana to 8.8.2" on Dec 16, 2024

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.8.2

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
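
Review bot: `automountServiceAccountToken: true` is now explicit on the `grafana` ServiceAccount, and the Deployment pod spec sets the same flag, so every container in the pod, including the main `grafana` container and the `download-dashboards` init container, receives the API token. A later hunk lists ServiceAccount `grafana` as a binding subject next to `grafana-clusterrole`, and the sidecars run with `NAMESPACE` set to `ALL`. Only the two k8s-sidecar containers need API access, so review what the ClusterRole grants and narrow it where possible.
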
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: b7c1e096c33741c490702b256ccd954230e087716b2615af7b46656cfbdce6de
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
+            - name: profiling
+              containerPort: 6060
+              protocol: TCP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +493,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +523,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
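
Review bot: `interval` drops from `1m` to `30s` while `scrapeTimeout` stays at `30s`, so the timeout now equals the interval and a slow scrape can run right up to the start of the next one. If the 30s interval is wanted, lower `scrapeTimeout` (for example to 10s); otherwise pin `interval: 1m` in the values to keep the previous scrape load.
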
@@ -563,6 +540,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +582,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +592,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 4f62b08 to 4fcbb1d on January 16, 2025 00:50
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release grafana to 8.8.2" to "feat(charts)!: Update Helm release grafana to 8.8.3" on Jan 16, 2025

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.8.3

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
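
Review bot: This rendered-manifest diff includes the Secret's `data` block. `admin-user: "YWRtaW4="` is only base64 (it decodes to `admin`), and any password rendered the same way is readable by anyone who can see this PR comment. Source the admin credentials from a pre-existing Secret (the chart supports `admin.existingSecret`) instead of chart values, or exclude `kind: Secret` documents from the diff output.
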
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 88870a511f628b71a66ba0494ac4e6b8c567699cca5b830f6c5138fdfab95651
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
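Review bot: `REQ_USERNAME` and `REQ_PASSWORD` on `grafana-sc-dashboard` now inject the Grafana admin credentials from the `grafana` secret into a sidecar that runs with `NAMESPACE` set to `ALL`. They are only used to POST to `/api/admin/provisioning/dashboards/reload` on localhost, so consider whether the reload call is needed at all; if it is, record in the PR why the sidecar holds the admin password and narrow the namespaces it watches.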
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
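Review bot: The new `grafana` image reference `docker.io/ghcr.io/k8s-at-home/grafana:11.4.0` carries two registry hosts; `docker.io/` was prepended to a repository that already starts with `ghcr.io/`, so the pull would go to Docker Hub for a repository path `ghcr.io/k8s-at-home/grafana` rather than to GHCR. Split the override so the registry is `ghcr.io` and the repository is `k8s-at-home/grafana`, and confirm that a `11.4.0` tag is actually published there before merging.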
@@ -420,7 +386,20 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
+            - name: profiling
+              containerPort: 6060
+              protocol: TCP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
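Review bot: The added `profiling` containerPort 6060 needs a check that no Service, Ingress or NetworkPolicy makes it reachable, because a profiling endpoint exposes runtime internals to anyone who can connect. The `gossip-tcp` and `gossip-udp` ports on 9094 only matter when more than one replica runs, so say in the PR whether they are expected to be used.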
@@ -514,7 +493,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +523,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
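Review bot: `interval: 30s` now equals `scrapeTimeout: 30s` on the ServiceMonitor endpoint, which leaves no slack; a scrape that runs to its timeout finishes just as the next one is due. Lower `scrapeTimeout` below the interval (for example 10s), or keep the 1m interval if the finer resolution is not needed.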
@@ -563,6 +540,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +582,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +592,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:

@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 4fcbb1d to 6f20c67 Compare January 17, 2025 09:56
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.8.3 feat(charts)!: Update Helm release grafana to 8.8.4 Jan 17, 2025

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.8.4

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
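Review bot: `automountServiceAccountToken: true` is now set on the `grafana` ServiceAccount itself, so every pod that uses this account gets an API token by default. The Deployment in this same patch already sets the field at pod level, so the ServiceAccount could be `false` and leave the opt-in to the pod spec.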
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
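Review bot: This Role is left as `rules: []` once the `podsecuritypolicies` rule is removed, yet the RoleBinding from `rolebinding.yaml` that follows still binds it. That is harmless but leaves dead RBAC objects, so disable Role creation if the chart allows it. With the PSP rules gone, pod restrictions rest on the `securityContext` blocks added in the Deployment and on whatever Pod Security admission level the `default` namespace enforces; check that level before merging.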
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 44ea32072565e3fdaddd94c225dd1b7f79dd91fc50d34bfa96472bdb869ffdd1
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:7.85.0"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
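Review bot: The new container `securityContext` on `download-dashboards` sets `allowPrivilegeEscalation: false`, drops `ALL` capabilities and uses the `RuntimeDefault` seccomp profile, but leaves `readOnlyRootFilesystem` unset. The container's command only writes under `/var/lib/grafana/dashboards/default`, so if that path is a mounted volume, `readOnlyRootFilesystem: true` would be a cheap addition.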
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
+            - name: profiling
+              containerPort: 6060
+              protocol: TCP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +493,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +523,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +540,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
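Review bot: The re-added `grafana-test` ServiceAccount does not set `automountServiceAccountToken`, although the test in `run.sh` only runs `wget` against `http://grafana/api/health` and has no use for an API token. Set it to `false` on this account, since the main `grafana` ServiceAccount now states the field explicitly.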
@@ -571,9 +582,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +592,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:
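Review bot: The `grafana-test` container only gains the `docker.io/` prefix here; the visible lines between `imagePullPolicy` and `volumeMounts` show no `securityContext`, whereas each Deployment container in this patch gets `allowPrivilegeEscalation: false`, `drop: ALL` and `RuntimeDefault`. If the namespace enforces a restricted Pod Security level, this pod would be rejected when `helm test` runs, so check whether the chart lets the test pod carry the same settings.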

Signed-off-by: Danny Froberg <dfroberg@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/grafana-8.x branch from 6f20c67 to f7794cf Compare January 21, 2025 19:01
@renovate renovate bot changed the title feat(charts)!: Update Helm release grafana to 8.8.4 feat(charts)!: Update Helm release grafana to 8.8.5 Jan 21, 2025

Path: cluster/core/monitoring/grafana/helm-release.yaml
Version: 6.40.4 -> 8.8.5

@@ -1,25 +1,14 @@
 # Source: grafana/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: true
 metadata:
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana
   namespace: default
 ---
-# Source: grafana/templates/tests/test-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-  name: grafana-test
-  namespace: default
----
 # Source: grafana/templates/secret.yaml
 apiVersion: v1
 kind: Secret
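Review bot: `app.kubernetes.io/managed-by: Helm` is removed from the ServiceAccount here and from every other object in this patch. Confirm whether that comes from the chart or from the render used to produce this diff, and check that no selector, policy or inventory query in the cluster keys on that label before merging.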
@@ -29,7 +18,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
   admin-user: "YWRtaW4="
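Review bot: The trailing context of this hunk prints the Secret's `data:` block into the PR thread (`admin-user: "YWRtaW4="`, which is base64 for `admin`), and base64 is an encoding, not protection. Have the diff job redact `data:` and `stringData:` values of `kind: Secret` objects before it posts, so that a wider context window never publishes `admin-password`.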
@@ -43,23 +31,23 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-config-dashboards
   namespace: default
 data:
   provider.yaml: |-
     apiVersion: 1
     providers:
-    - name: 'sidecarProvider'
-      orgId: 1
-      folder: ''
-      type: file
-      disableDeletion: false
-      allowUiUpdates: false
-      updateIntervalSeconds: 30
-      options:
-        foldersFromFilesStructure: false
-        path: /tmp/dashboards
+      - name: 'sidecarProvider'
+        orgId: 1
+        folder: ''
+        folderUid: ''
+        type: file
+        disableDeletion: false
+        allowUiUpdates: false
+        updateIntervalSeconds: 30
+        options:
+          foldersFromFilesStructure: false
+          path: /tmp/dashboards
 ---
 # Source: grafana/templates/configmap.yaml
 apiVersion: v1
@@ -70,7 +58,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 data:
   plugins: natel-discrete-panel,pr0ps-trackmap-panel,grafana-piechart-panel,vonage-status-panel,grafana-worldmap-panel,grafana-clock-panel
   grafana.ini: |
@@ -149,29 +136,9 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
     dashboard-provider: default
 data: {}
 ---
-# Source: grafana/templates/tests/test-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-data:
-  run.sh: |-
-    @test "Test Health" {
-      url="http://grafana/api/health"
-
-      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
-      [ "$code" == "200" ]
-    }
----
 # Source: grafana/templates/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -179,7 +146,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   name: grafana-clusterrole
 rules:
   - apiGroups: [""] # "" indicates the core API group
@@ -194,7 +160,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 subjects:
   - kind: ServiceAccount
     name: grafana
@@ -213,28 +178,7 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana]
----
-# Source: grafana/templates/tests/test-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: [grafana-test]
+rules: []
 ---
 # Source: grafana/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -245,7 +189,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -255,25 +198,6 @@
     name: grafana
     namespace: default
 ---
-# Source: grafana/templates/tests/test-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: grafana-test
-  namespace: default
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: grafana-test
-subjects:
-  - kind: ServiceAccount
-    name: grafana-test
-    namespace: default
----
 # Source: grafana/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -283,7 +207,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
@@ -304,7 +227,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -320,24 +242,33 @@
         app.kubernetes.io/name: grafana
         app.kubernetes.io/instance: grafana
       annotations:
-        checksum/config: 2f76c91babf4c50bb6e4ad5890ba25835bd2d037b05452e13fff1317661f93ec
-        checksum/dashboards-json-config: a652350250573ac5d0a297866f63cd1542e38764f44849812602331ec4a44ba0
-        checksum/sc-dashboard-provider-config: 7dffc9de897da308d1d87ba3237f265bd382d64730d454a5a26b24ea9e1f6009
-        checksum/secret: 9e9fb76c95b670be03455fe71cd145a6c31de42f78eed0cd976243298d90199c
+        checksum/config: 330cae61f960c400b62f029b22fcdc6fcd6cb105ac1153553dd63eaad3fb86b3
+        checksum/dashboards-json-config: 1a09301d7b520e1d6bcc06c4440608268f5b5be577e11d655820bcdf25ec620a
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
+        kubectl.kubernetes.io/default-container: grafana
     spec:
       serviceAccountName: grafana
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 472
         runAsGroup: 472
+        runAsNonRoot: true
         runAsUser: 472
       initContainers:
         - name: download-dashboards
-          image: "curlimages/curl:7.85.0"
+          image: "docker.io/curlimages/curl:8.9.1"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
           args: ["-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh"]
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/download_dashboards.sh"
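Review bot: The `download-dashboards` args still run the script with `/bin/sh -x`, which traces every expanded command into the init container log; this hunk hardens the container's `securityContext` and bumps curl to `8.9.1` but keeps the tracing. If `download_dashboards.sh` ever carries a token or a credentialed URL, it ends up readable in the pod logs, so drop `-x` unless it is being used for debugging.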
@@ -347,7 +278,7 @@
       enableServiceLinks: true
       containers:
         - name: grafana-sc-dashboard
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -360,11 +291,32 @@
               value: "both"
             - name: NAMESPACE
               value: "ALL"
+            - name: REQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-user
+            - name: REQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: grafana
+                  key: admin-password
+            - name: REQ_URL
+              value: http://localhost:3000/api/admin/provisioning/dashboards/reload
+            - name: REQ_METHOD
+              value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-dashboard-volume
               mountPath: "/tmp/dashboards"
         - name: grafana-sc-datasources
-          image: "quay.io/kiwigrid/k8s-sidecar:1.19.2"
+          image: "quay.io/kiwigrid/k8s-sidecar:1.28.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: METHOD
@@ -391,12 +343,26 @@
               value: http://localhost:3000/api/admin/provisioning/datasources/reload
             - name: REQ_METHOD
               value: POST
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: sc-datasources-volume
               mountPath: "/etc/grafana/provisioning/datasources"
         - name: grafana
-          image: "ghcr.io/k8s-at-home/grafana:9.1.7"
+          image: "docker.io/ghcr.io/k8s-at-home/grafana:11.4.0"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config
               mountPath: "/etc/grafana/grafana.ini"
@@ -420,7 +386,20 @@
             - name: grafana
               containerPort: 3000
               protocol: TCP
+            - name: gossip-tcp
+              containerPort: 9094
+              protocol: TCP
+            - name: gossip-udp
+              containerPort: 9094
+              protocol: UDP
+            - name: profiling
+              containerPort: 6060
+              protocol: TCP
           env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: GF_SECURITY_ADMIN_USER
               valueFrom:
                 secretKeyRef:
@@ -514,7 +493,6 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
     nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_DOMAIN}"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia.security.svc.cluster.local/api/verify"
@@ -525,7 +503,7 @@
         - grafana.${SECRET_DOMAIN}
       secretName: ${SECRET_DOMAIN//./-}-tls
   rules:
-    - host: grafana.${SECRET_DOMAIN}
+    - host: "grafana.${SECRET_DOMAIN}"
       http:
         paths:
           - path: /
@@ -545,11 +523,10 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
 spec:
   endpoints:
     - port: service
-      interval: 1m
+      interval: 30s
       scrapeTimeout: 30s
       honorLabels: true
       path: /metrics
@@ -563,6 +540,40 @@
     matchNames:
       - default
 ---
+# Source: grafana/templates/tests/test-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+---
+# Source: grafana/templates/tests/test-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-test
+  namespace: default
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/instance: grafana
+data:
+  run.sh: |-
+    @test "Test Health" {
+      url="http://grafana/api/health"
+
+      code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^  HTTP/{print $2}')
+      [ "$code" == "200" ]
+    }
+---
 # Source: grafana/templates/tests/test.yaml
 apiVersion: v1
 kind: Pod
@@ -571,9 +582,8 @@
   labels:
     app.kubernetes.io/name: grafana
     app.kubernetes.io/instance: grafana
-    app.kubernetes.io/managed-by: Helm
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
     "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
   namespace: default
 spec:
@@ -582,7 +592,7 @@
     worker: true
   containers:
     - name: grafana-test
-      image: "bats/bats:v1.4.1"
+      image: "docker.io/bats/bats:v1.4.1"
       imagePullPolicy: "IfNotPresent"
       command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
       volumeMounts:
