From 443e7d914463f839ed314d58621d267a909ae9c5 Mon Sep 17 00:00:00 2001 From: Klavs Klavsen Date: Thu, 23 Jul 2020 01:46:18 +0200 Subject: [PATCH 1/5] add alertmanger useExistingRole support Signed-off-by: Klavs Klavsen --- .../prometheus/templates/rbac/alertmanager-clusterrole.yaml | 2 +- .../templates/rbac/alertmanager-clusterrolebinding.yaml | 4 ++++ stable/prometheus/templates/rbac/alertmanager-role.yaml | 2 +- .../prometheus/templates/rbac/alertmanager-rolebinding.yaml | 4 ++++ stable/prometheus/values.yaml | 5 ++++- 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/stable/prometheus/templates/rbac/alertmanager-clusterrole.yaml b/stable/prometheus/templates/rbac/alertmanager-clusterrole.yaml index f8b95a76e432..d70445f1d695 100644 --- a/stable/prometheus/templates/rbac/alertmanager-clusterrole.yaml +++ b/stable/prometheus/templates/rbac/alertmanager-clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: diff --git a/stable/prometheus/templates/rbac/alertmanager-clusterrolebinding.yaml b/stable/prometheus/templates/rbac/alertmanager-clusterrolebinding.yaml index 7354931550a5..b096297ba70f 100644 --- a/stable/prometheus/templates/rbac/alertmanager-clusterrolebinding.yaml +++ b/stable/prometheus/templates/rbac/alertmanager-clusterrolebinding.yaml @@ -12,5 +12,9 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole +{{- if (not .Values.alertmanager.useExistingRole) }} name: {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + name: {{ .Values.alertmanager.useExistingRole }} +{{- end }} {{- end }} 
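Review bot: Nothing verifies that the role named in `useExistingRole` exists: once this guard skips the ClusterRole, the alertmanager ServiceAccount's permissions are whatever the externally managed ClusterRole grants, and a ClusterRoleBinding whose roleRef points at a missing ClusterRole is accepted by the API server, so a mistyped name fails silently at runtime instead of at install time. The Role guard in alertmanager-role.yaml in this patch has the same gap. The API server's escalation check still limits the installer to binding roles whose permissions it already holds, so the chart cannot grant more than the installer has, but the least-privilege baseline now lives outside the chart; the values.yaml comment should say the named role must already exist and should carry only the rules this ClusterRole would have created. The ClusterRole body continues below the hunk.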
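Review bot: The `if`/`else` around `name:` collapses to one line, `name: {{ .Values.alertmanager.useExistingRole | default (include "prometheus.alertmanager.fullname" .) }}`, because Sprig's `default` treats the boolean `false` default as empty exactly as the `not` guard does; the same four-line shape recurs in alertmanager-rolebinding.yaml (with `$`) and in the grafana clusterrolebinding.yaml and rolebinding.yaml hunks of patch 5. The value is rendered unquoted and untyped, so a user who follows the boolean default and writes `useExistingRole: true` passes every guard and renders `name: true`, a boolean where the API expects a role name. A fail-fast check makes that a template error instead: `{{- if and (kindIs "bool" .Values.alertmanager.useExistingRole) .Values.alertmanager.useExistingRole }}{{ fail "alertmanager.useExistingRole must be a role name" }}{{- end }}`.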
diff --git a/stable/prometheus/templates/rbac/alertmanager-role.yaml b/stable/prometheus/templates/rbac/alertmanager-role.yaml index 1abea5369f4e..a4153a412426 100644 --- a/stable/prometheus/templates/rbac/alertmanager-role.yaml +++ b/stable/prometheus/templates/rbac/alertmanager-role.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}} +{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}} {{- range $.Values.alertmanager.namespaces }} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role diff --git a/stable/prometheus/templates/rbac/alertmanager-rolebinding.yaml b/stable/prometheus/templates/rbac/alertmanager-rolebinding.yaml index 1dc1a360b642..f583a5e6add4 100644 --- a/stable/prometheus/templates/rbac/alertmanager-rolebinding.yaml +++ b/stable/prometheus/templates/rbac/alertmanager-rolebinding.yaml @@ -14,6 +14,10 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role +{{- if (not $.Values.alertmanager.useExistingRole) }} name: {{ template "prometheus.alertmanager.fullname" $ }} +{{- else }} + name: {{ $.Values.alertmanager.useExistingRole }} +{{- end }} {{- end }} {{ end }} diff --git a/stable/prometheus/values.yaml b/stable/prometheus/values.yaml index f653f46ef759..d57bc49f7220 100644 --- a/stable/prometheus/values.yaml +++ b/stable/prometheus/values.yaml 
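Review bot: `kind: Role` stays hard-coded above the new `name:` branch, so with `useClusterRole: false` the existing role must be a namespaced Role of that exact name in every namespace the surrounding `range` iterates over; an existing ClusterRole cannot be reused even though a RoleBinding may legally reference one, which is the usual way to share one rule set across namespaces. The values.yaml comment only says "a rolename". Either document that the name refers to a per-namespace Role, or let the user choose the kind (a companion value defaulting to `Role`) and render `kind:` from it. The enclosing `range` opens above the hunk, its closing `{{ end }}` being the hunk's last line, and the grafana rolebinding.yaml hunk in patch 5 has the same fixed `kind: Role`.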
@@ -33,10 +33,13 @@ alertmanager: enabled: true ## Use a ClusterRole (and ClusterRoleBinding) - ## - If set to false, we define a Role and RoleBinding in the defined namespaces ONLY + ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. useClusterRole: true + # Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + useExistingRole: false + ## alertmanager container name ## name: alertmanager From 1009bd19331271e21a0cd1da53a2ecac586e27f0 Mon Sep 17 00:00:00 2001 From: Klavs Klavsen Date: Thu, 23 Jul 2020 01:59:56 +0200 Subject: [PATCH 2/5] bump chart version Signed-off-by: Klavs Klavsen --- stable/prometheus/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/prometheus/Chart.yaml b/stable/prometheus/Chart.yaml index 771454e8cc02..e6c0fe4fc2ba 100644 --- a/stable/prometheus/Chart.yaml +++ b/stable/prometheus/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: prometheus -version: 11.10.0 +version: 11.10.1 appVersion: 2.19.0 description: Prometheus is a monitoring system and time series database. home: https://prometheus.io/ From a96c97f61975ff7c4bded5ba073f6d327a151b09 Mon Sep 17 00:00:00 2001 From: Klavs Klavsen Date: Thu, 23 Jul 2020 02:02:56 +0200 Subject: [PATCH 3/5] lint fix - hopefully Signed-off-by: Klavs Klavsen --- stable/prometheus/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/prometheus/values.yaml b/stable/prometheus/values.yaml index d57bc49f7220..346895c98d47 100644 --- a/stable/prometheus/values.yaml +++ b/stable/prometheus/values.yaml 
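Review bot: `useExistingRole: false` declares a boolean while the comment above it asks for a role name, so the one value is consumed as two types (a truthiness test in the template guards and a string in `roleRef.name`); an empty string is equally falsy in the templates and keeps the type consistent: `useExistingRole: ""`. The comment should also state what the templates require but do not check — the role must already exist (in each of `alertmanager.namespaces` when `useClusterRole` is false) and should grant no more than the ClusterRole or Role the chart would otherwise create. The README rows added in patch 4 list the default of both `alertmanager.useClusterRole` and `alertmanager.useExistingRole` as `alertmanager`, which does not match the `true` and `false` declared here.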
@@ -37,7 +37,7 @@ alertmanager: ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. useClusterRole: true - # Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. useExistingRole: false ## alertmanager container name From 20fdd1df2bf2b7af12d03ed79127758decb35047 Mon Sep 17 00:00:00 2001 From: Klavs Klavsen Date: Thu, 23 Jul 2020 03:11:54 +0200 Subject: [PATCH 4/5] proper version bump and add README docs. Signed-off-by: Klavs Klavsen --- stable/prometheus/Chart.yaml | 2 +- stable/prometheus/README.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/stable/prometheus/Chart.yaml b/stable/prometheus/Chart.yaml index e6c0fe4fc2ba..6e38caecd8fe 100644 --- a/stable/prometheus/Chart.yaml +++ b/stable/prometheus/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: prometheus -version: 11.10.1 +version: 11.11.0 appVersion: 2.19.0 description: Prometheus is a monitoring system and time series database. home: https://prometheus.io/ diff --git a/stable/prometheus/README.md b/stable/prometheus/README.md index 215152725ce9..c78f6996e1a0 100644 --- a/stable/prometheus/README.md +++ b/stable/prometheus/README.md 
@@ -126,6 +126,8 @@ Parameter | Description | Default --------- | ----------- | ------- `alertmanager.enabled` | If true, create alertmanager | `true` `alertmanager.name` | alertmanager container name | `alertmanager` +`alertmanager.useClusterRole` | Use a ClusterRole (and ClusterRoleBinding). If set to false - we define a Role and RoleBinding in the defined namespaces ONLY. This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. | `alertmanager` +`alertmanager.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `alertmanager` `alertmanager.image.repository` | alertmanager container image repository | `prom/alertmanager` `alertmanager.image.tag` | alertmanager container image tag | `v0.21.0` `alertmanager.image.pullPolicy` | alertmanager container image pull policy | `IfNotPresent` From cc222e0171ae9a8aae66ee5ec248284949e1899f Mon Sep 17 00:00:00 2001 From: Klavs Klavsen Date: Thu, 23 Jul 2020 07:11:57 +0200 Subject: [PATCH 5/5] add useExistingRole option Signed-off-by: Klavs Klavsen --- stable/grafana/Chart.yaml | 2 +- stable/grafana/README.md | 1 + stable/grafana/templates/clusterrole.yaml | 2 +- stable/grafana/templates/clusterrolebinding.yaml | 4 ++++ stable/grafana/templates/role.yaml | 2 +- stable/grafana/templates/rolebinding.yaml | 4 ++++ 6 files changed, 12 insertions(+), 3 deletions(-) diff --git a/stable/grafana/Chart.yaml b/stable/grafana/Chart.yaml index 10bbcfd74ebf..ec94b5a97852 100644 --- a/stable/grafana/Chart.yaml +++ b/stable/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: grafana -version: 5.5.1 +version: 5.6.1 appVersion: 7.0.5 kubeVersion: "^1.8.0-0" description: The leading tool for querying and visualizing time series and metrics. 
diff --git a/stable/grafana/README.md b/stable/grafana/README.md index 5c16af34451e..f5b0cf927880 100644 --- a/stable/grafana/README.md +++ b/stable/grafana/README.md @@ -160,6 +160,7 @@ You have to add --force to your helm upgrade command as the labels of the chart | `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` | | `rbac.create` | Create and use RBAC resources | `true` | | `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` | +| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | | `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` | | `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` | | `rbac.extraRoleRules` | Additional rules to add to the Role | [] | diff --git a/stable/grafana/templates/clusterrole.yaml b/stable/grafana/templates/clusterrole.yaml index b3ef6ab3bf20..f09e06563cf1 100644 --- a/stable/grafana/templates/clusterrole.yaml +++ b/stable/grafana/templates/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) (not .Values.rbac.useExistingRole) }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/stable/grafana/templates/clusterrolebinding.yaml b/stable/grafana/templates/clusterrolebinding.yaml index 8ee08b2aa97e..4accbfac0485 100644 --- a/stable/grafana/templates/clusterrolebinding.yaml +++ b/stable/grafana/templates/clusterrolebinding.yaml 
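Review bot: `.Values.rbac.useExistingRole` is read here and in the other three grafana templates of this patch, but the diffstat shows no change to stable/grafana/values.yaml, so the key is never declared and the guard only works because a missing key evaluates to nil (the README row gives its default as `nil`). Add `useExistingRole: ""` under `rbac:` in values.yaml with the same comment as the README row, so chart consumers and lint or schema tooling see the key and its intended string type rather than whatever a user happens to write. The ClusterRole body continues below the hunk.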
@@ -15,6 +15,10 @@ subjects: namespace: {{ template "grafana.namespace" . }} roleRef: kind: ClusterRole +{{- if (not .Values.rbac.useExistingRole) }} name: {{ template "grafana.fullname" . }}-clusterrole +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} apiGroup: rbac.authorization.k8s.io {{- end -}} diff --git a/stable/grafana/templates/role.yaml b/stable/grafana/templates/role.yaml index c95c1d042411..db853559a1d6 100644 --- a/stable/grafana/templates/role.yaml +++ b/stable/grafana/templates/role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create -}} +{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: diff --git a/stable/grafana/templates/rolebinding.yaml b/stable/grafana/templates/rolebinding.yaml index beaf2f003aa9..3738e580f053 100644 --- a/stable/grafana/templates/rolebinding.yaml +++ b/stable/grafana/templates/rolebinding.yaml @@ -13,7 +13,11 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role +{{- if (not .Values.rbac.useExistingRole) }} name: {{ template "grafana.fullname" . }} +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} subjects: - kind: ServiceAccount name: {{ template "grafana.serviceAccountName" . }}
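Review bot: The previous guard here was `rbac.create` alone, with no `rbac.namespaced` test, whereas clusterrole.yaml is rendered only when not namespaced — so in the default mode the chart creates both a Role and a ClusterRole as separate objects with separate rule sets (the README ties `rbac.pspEnabled` and `rbac.extraRoleRules` to the Role). After this patch a single `rbac.useExistingRole` string suppresses both and is written as the name in both the RoleBinding (`kind: Role`) and the ClusterRoleBinding (`kind: ClusterRole`), so a user must pre-create a Role and a ClusterRole sharing one name, and whatever the chart's Role used to grant is lost unless the existing Role replicates it. Either scope the option to one of the two objects (for example only the ClusterRole, leaving the Role and its rules chart-managed) or accept two names. The Role's rules continue below the hunk.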