add metrics agents #461

klinch0 · 2024-11-04T11:27:09Z

Summary by CodeRabbit

New Features
- Introduced new HelmRelease configurations for cert-manager, monitoring agents, and Victoria Metrics Operator in Kubernetes.
- Added resource specifications for vmselect in the VictoriaMetrics operator.
- Enhanced monitoring capabilities with new alert rules for various Kubernetes resources.
Improvements
- Updated resource limits for Redis failover.
- Refined error handling and control flow in scripts for improved reliability.
- Enhanced documentation for the Victoria Metrics Operator with updated installation instructions and configuration options.
Bug Fixes
- Resolved issues with resource dependencies and configurations across various Helm charts.

coderabbitai · 2024-11-04T11:27:19Z

Caution

Review failed

The pull request is closed.

Walkthrough

This pull request introduces several updates across various configuration files, particularly focusing on Helm chart configurations for Kubernetes resources. Key changes include the addition of new HelmRelease configurations for cert-manager and monitoring agents, updates to existing configurations, and modifications to resource limits and dependencies. Additionally, changes were made to the .pre-commit-config.yaml file to update linting tools and arguments. The migration script was also updated to facilitate the transition to a new version of the deployment.

Changes

File Path	Change Summary
`.pre-commit-config.yaml`	Updated `markdownlint-cli` version from `v0.41.0` to `v0.42.0` and added `--unsafe` argument to `check-yaml` hook.
`packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml`	Introduced a new HelmRelease configuration for cert-manager CRDs, including a new Secret resource.
`packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml`	Added dependency for cert-manager CRDs in the HelmRelease configuration.
`packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml`	Added a new HelmRelease configuration for monitoring agents with detailed specifications.
`packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml`	Introduced a new HelmRelease configuration for the Victoria Metrics Operator with dependencies.
`packages/apps/kubernetes/values.schema.json`	Added new `monitoringAgents` property with `enabled` and `valuesOverride` sub-properties.
`packages/apps/kubernetes/values.yaml`	Introduced `monitoringAgents` section with `enabled` and `valuesOverride` parameters.
`packages/core/platform/bundles/distro-full.yaml`	Added new release entries for `cert-manager-crds` and `monitoring-agents`, updated dependencies.
`packages/core/platform/bundles/distro-hosted.yaml`	Similar updates as `distro-full.yaml` with new release entries and updated dependencies.
`packages/core/platform/bundles/paas-full.yaml`	Added new releases and updated dependencies for `cert-manager-crds` and `monitoring-agents`.
`packages/core/platform/bundles/paas-hosted.yaml`	Similar updates as `paas-full.yaml` with new releases and updated dependencies.
`packages/system/cert-manager-crds/.helmignore`	Added entries to ignore `images` and `hack` directories in Helm packaging.
`packages/system/cert-manager-crds/Chart.yaml`	Updated chart name from `cozy-monitoring` to `cozy-cert-manager-crds`.
`packages/system/cert-manager-crds/Makefile`	Introduced a new target `update` for managing Helm charts.
`packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml`	New `Chart.yaml` file created with metadata for cert-manager Helm chart.
`packages/system/cert-manager-crds/charts/cert-manager/README.md`	Added comprehensive documentation for cert-manager Helm chart.
`packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl`	Introduced template definitions for generating names and labels.
`packages/system/cert-manager-crds/charts/cert-manager/values.schema.json`	Added schema definitions for cert-manager Helm values.
`packages/system/cert-manager-crds/charts/cert-manager/values.yaml`	Added comprehensive configuration options for cert-manager.
`packages/system/cert-manager-crds/values.yaml`	New option `installCRDs` set to `true`.
`packages/system/cert-manager/values.yaml`	Updated `installCRDs` setting from `true` to `false`.
`packages/system/monitoring-agents/Chart.yaml`	New file created for monitoring agents Helm chart.
`packages/system/monitoring-agents/alerts/flux.yaml`	Introduced new alert rules for various resources in the monitoring system.
`packages/system/monitoring-agents/charts/fluent-bit/Chart.yaml`	Updated Fluent Bit OCI image version from `v3.1.6` to `v3.1.9`.
`packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml`	Updated version from `5.25.1` to `5.26.0`.
`packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml`	Updated `appVersion` from `v0.76.0` to `v0.77.1` and chart version from `14.0.0` to `15.0.0`.
`scripts/migrations/6`	Migration script updated for cert-manager CRDs and monitoring resource removal.
`hack/e2e.sh`	Improved error handling and control flow in end-to-end testing script.
`packages/system/monitoring-agents/Makefile`	Updated exported variables `NAME` and `NAMESPACE` for monitoring agents.

Possibly related PRs

fix exclude for templates #434: The changes in this PR involve modifications to the .pre-commit-config.yaml file, which is directly related to the main PR's updates to the same file, specifically regarding the markdownlint and check-yaml hooks.

Suggested labels

size:L

Suggested reviewers

kvaps

Poem

🐰 In the fields where changes bloom,
New configurations dispel the gloom.
Helm releases dance in the breeze,
With certs and monitors, all at ease.
A hop, a skip, through YAML we weave,
In Kubernetes, we believe! 🌼

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 20

🧹 Outside diff range and nitpick comments (61)

packages/system/monitoring-agents/charts/fluent-bit/ci/ci-values.yaml (1)
8-8: LGTM! Consider adding a comment explaining the CI-specific setting.

The deterministicUid: true setting is appropriate for CI environments as it ensures consistent dashboard UIDs during testing.

Consider adding a comment to explain why this differs from the default value:
dashboards:
  enabled: true
+  # Set to true in CI to ensure consistent dashboard UIDs across test runs
  deterministicUid: true
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md (1)
7-7: Fix grammar in feature description.

The sentence is missing the preposition "to" which makes it grammatically incorrect.
- Allow extract name prefix from app level fullnameOverride property
+ Allow to extract name prefix from app level fullnameOverride property
🧰 Tools

🪛 LanguageTool

[uncategorized] ~7-~7: Possible missing preposition found.
Context: ...color=informational&logo=helm) - Allow extract name prefix from app level fullnameOver...

(AI_HYDRA_LEO_MISSING_TO)
packages/system/cert-manager-crds/Makefile (1)
3-8: Consider these improvements for better maintainability and reliability.

While the update target's implementation is functional, consider these enhancements:

Add version pinning to prevent unexpected updates:

Add error handling for helm commands

Improve readability of the cleanup command

Add proper make declarations and documentation

Here's a suggested improvement:
+# Version of cert-manager to use
+CERT_MANAGER_VERSION ?= v1.13.2
+
+# Declare phony targets
+.PHONY: update
+
+# update: Downloads and prepares cert-manager CRDs from Jetstack helm chart
 update:
-	rm -rf charts
-	helm repo add jetstack https://charts.jetstack.io
-	helm repo update jetstack
-	helm pull jetstack/cert-manager --untar --untardir charts
-	rm -f -- `find charts/cert-manager/templates -maxdepth 1 -mindepth 1 | grep -v 'crds.yaml\|_helpers.tpl'`
+	rm -rf charts
+	helm repo add jetstack https://charts.jetstack.io || exit 1
+	helm repo update jetstack || exit 1
+	helm pull jetstack/cert-manager --version $(CERT_MANAGER_VERSION) --untar --untardir charts || exit 1
+	# Keep only CRDs and helpers
+	find charts/cert-manager/templates -maxdepth 1 -mindepth 1 \
+		! -name 'crds.yaml' \
+		! -name '_helpers.tpl' \
+		-exec rm -f {} +
packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml (1)

Line range hint 1-29: Review security implications of highly privileged PSP.

The PSP configuration grants extensive privileges including:

All capabilities (allowedCapabilities: '*')

Privileged mode

Host namespace access (network, PID, IPC)

Unrestricted volume mounts

Full port range access

While metrics-server might require some elevated privileges, consider restricting these to the minimum necessary set.

Consider:

Limiting capabilities to only those required

Restricting volume types to specific needs

Narrowing host port range if possible

Documenting why each privilege is needed

Would you like assistance in creating a more restrictive PSP configuration based on metrics-server's actual requirements?

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)
packages/system/monitoring-agents/templates/vmagent.yaml (2)
13-13: Consider adding reliability configurations for remote write.

The current remote write configuration might benefit from additional reliability settings:

Queue configuration for data buffering

Retry/backoff settings

Multiple endpoints for redundancy

Consider adding these configurations:
  remoteWrite:
  - url: {{ .Values.vmagent.remoteWrite.url | quote }}
+   showURL: true
+   queues: 4
+   maxDiskUsagePerURL: "1GB"
+   maxRetries: 5
+   retryInterval: "30s"
11-12: Review resource implications of scrape configuration.

The promscrape.maxScrapeSize: 32MB setting is quite large and might impact memory usage. Consider:

Adding resource limits/requests

Documenting the rationale for the 32MB limit

Evaluating if stateful mode would be beneficial for reliability

Example resource configuration:
spec:
  resources:
    limits:
      cpu: "1"
      memory: "1Gi"
    requests:
      cpu: "200m"
      memory: "512Mi"
packages/system/monitoring-agents/charts/fluent-bit/templates/vpa.yaml (1)
18-20: LGTM! Consider standardizing the indentation pattern.

The indentation fix for controlledResources is correct. For consistency with other similar blocks in the file (like maxAllowed and minAllowed), consider using the same pattern throughout.
-      controlledResources:
-        {{- toYaml . | nindent 8 }}
+      controlledResources: {{- toYaml . | nindent 8 }}
packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (3)
10-19: Consider adjusting the interval and adding timeout.

A few suggestions to improve the chart specification:

The 5-minute interval might be too aggressive for an operator deployment. Consider increasing it to reduce unnecessary reconciliation load.

Add a timeout configuration to prevent long-running operations from blocking other deployments.
 spec:
   interval: 5m
+  timeout: 10m
   releaseName: cozy-victoria-metrics-operator
32-40: Verify the dependency chain completeness.

The operator depends on Cilium and cert-manager-crds, which is good. However, consider adding:

A dependency on cert-manager itself (not just CRDs)

Health checks or conditions for the dependencies
   dependsOn:
   {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
   {{- end }}
   - name: {{ .Release.Name }}-cilium
     namespace: {{ .Release.Namespace }}
   - name: {{ .Release.Name }}-cert-manager-crds
     namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cert-manager
+    namespace: {{ .Release.Namespace }}
1-41: Add resource constraints and security context.

The configuration is missing important production-ready settings:

Resource requests and limits

Security context for the operator

Pod security settings

Would you like me to provide a template for these security and resource configurations?

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)
packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (1)
Line range hint 7-8: Fix typo in label name

There's a typo in one of the labels: coztstack.io should be cozystack.io
  labels:
    cozystack.io/repository: system
-   coztstack.io/target-cluster-name: {{ .Release.Name }}
+   cozystack.io/target-cluster-name: {{ .Release.Name }}
packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (1)
24-30: Consider setting a finite retry limit.

The current configuration uses unlimited retries (retries: -1) for both install and upgrade remediation. This could lead to infinite retry loops in case of persistent failures, potentially impacting system resources.

Consider setting a reasonable finite limit (e.g., 5 or 10 retries) to prevent endless retry cycles.
  install:
    createNamespace: true
    remediation:
-     retries: -1
+     retries: 5
  upgrade:
    remediation:
-     retries: -1
+     retries: 5
packages/apps/kubernetes/values.yaml (1)
67-69: Consider enhancing the documentation with examples.

While the basic documentation is good, it would be helpful to:

Document the supported keys in valuesOverride

Include example configurations for common use cases (e.g., different agent configurations for development vs production)

Example documentation enhancement:
    ## @param addons.monitoringAgents.enabled Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage
    ## @param addons.monitoringAgents.valuesOverride Custom values to override
+   ## Supported values in valuesOverride:
+   ## fluentbit:
+   ##   resources: {}      # Resource limits and requests
+   ##   tolerations: []    # Pod tolerations
+   ## vmagent:
+   ##   resources: {}      # Resource limits and requests
+   ##   scrapeInterval: "" # Metrics scraping interval
+   ## Example:
+   ## valuesOverride:
+   ##   fluentbit:
+   ##     resources:
+   ##       limits:
+   ##         memory: 200Mi
+   ##       requests:
+   ##         memory: 100Mi
    ##
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (3)
2-3: Minor: Ensure consistent whitespace handling in template definitions.

While the value access improvements are good, there's an inconsistency in whitespace handling:

Line 12 uses }} (with space)

Other lines use }}- (without space)

This could lead to unexpected whitespace in the output. Consider using consistent -}} trimming across all definitions.

Also applies to: 7-8, 12-13

16-29: Consider improving error message formatting.

The enterprise check logic is solid, but the error message could be more readable. Consider using YAML's multi-line string format:
-    {{ fail `Pass valid license at .Values.license or .Values.global.license if you have an enterprise license for running this software.
-       See https://victoriametrics.com/legal/esa/ for details.
-       Documentation - https://docs.victoriametrics.com/enterprise
-       for more information, visit https://victoriametrics.com/products/enterprise/
-       To request a trial license, go to https://victoriametrics.com/products/enterprise/trial/` }}
+    {{ fail "Pass valid license at .Values.license or .Values.global.license if you have an enterprise license for running this software.\n
+      \nReferences:\n
+      - License Agreement: https://victoriametrics.com/legal/esa/\n
+      - Documentation: https://docs.victoriametrics.com/enterprise\n
+      - Product Info: https://victoriametrics.com/products/enterprise/\n
+      - Trial License: https://victoriametrics.com/products/enterprise/trial/" }}
63-74: Consider adding validation for flag styles.

The flag style handling is good, but consider adding validation for supported styles to prevent silent failures with unexpected values.
    {{- $flagName := "licenseFile" -}}
-    {{- if eq .flagStyle "kebab" }}
+    {{- $validStyles := list "camel" "kebab" -}}
+    {{- if not (has .flagStyle $validStyles) -}}
+        {{- $_ := set . "flagStyle" "camel" -}}
+    {{- end -}}
+    {{- if eq .flagStyle "kebab" -}}
      {{- $flagName = "license-file" -}}
    {{- end -}}
The current implementation is approved as it handles the basic use case well.
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl (1)

98-98: LGTM! Consider accessibility in HTML table.

The switch to HTML-based values table (chart.valuesTableHtml) allows for better formatting control. However, ensure the HTML table includes proper accessibility attributes (headers, scope, etc.) in the template.
packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (3)
45-50: Consider securing the remote write endpoint

The remote write URL uses plain HTTP. Consider the following recommendations:

Use HTTPS for secure metrics transmission

Make the prometheus path (0/prometheus) configurable through values
-        url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
+        url: https://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/{{ .Values.vmagent.prometheusPath | default "0/prometheus" }}
53-56: Enhance readiness probe configuration

The readiness probe uses a generic root path ("/"). Consider using a more specific health check endpoint.
     readinessProbe:
       httpGet:
-        path: /
+        path: /api/v1/health
+        port: 2020
70-82: Secure log shipping configuration

The HTTP output configuration uses plain HTTP for log shipping. Consider:

Using HTTPS for secure log transmission

Making the endpoint port configurable

Adding authentication headers through secrets
     outputs: |
       [OUTPUT]
           Name http
           Match kube.*
           Host vlogs-generic.{{ $targetTenant }}.svc
-          port 9428
+          port {{ .Values.fluent_bit.output.port | default "9428" }}
+          tls On
+          tls.verify On
packages/core/platform/bundles/paas-hosted.yaml (1)

17-22: LGTM! Separating CRDs is a good practice.

Separating cert-manager CRDs into their own release is a good architectural decision. This separation allows for better lifecycle management of CRDs, which often require special handling during upgrades and deletions.
packages/apps/kubernetes/values.schema.json (2)
87-91: Consider adding schema validation for valuesOverride

While the basic structure is correct, consider adding additional schema validation for the valuesOverride object to:

Define allowed properties that can be overridden

Validate the types and ranges of override values

Document the available override options

This would help prevent configuration errors and improve the developer experience.

Example enhancement:
 "valuesOverride": {
     "type": "object",
     "description": "Custom values to override",
-    "default": {}
+    "default": {},
+    "properties": {
+        "fluentbit": {
+            "type": "object",
+            "properties": {
+                "resources": {"type": "object"},
+                "tolerations": {"type": "array"}
+            }
+        },
+        "vmagent": {
+            "type": "object",
+            "properties": {
+                "resources": {"type": "object"},
+                "tolerations": {"type": "array"}
+            }
+        }
+    }
 }
84-84: Enhance the description for clarity

The current description could be more specific about the configuration requirements and behavior. Consider expanding it to clearly document:

The prerequisites for both tenant and root storage scenarios

The configuration steps needed for each case

The implications of enabling/disabling this feature
-"description": "Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage",
+"description": "Enables monitoring agents (fluentbit for logs, vmagent for metrics). When tenant monitoring is enabled, data is sent to tenant storage. Otherwise, data is sent to root storage. Requires appropriate storage configuration and credentials in both scenarios.",
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (2)
24-36: LGTM: Security context adaptation is comprehensive

The security context handling properly adapts to OpenShift requirements while maintaining flexibility through global configuration.

Consider documenting the available adaptation modes (force, auto) in the chart's values.yaml or README to help users understand the security context behavior.

89-115: LGTM: Command-line argument handling is robust

The implementation properly handles various argument types and includes validation for empty keys.

Consider adding validation for common argument patterns to catch potential issues early. For example:
 {{- define "vm.arg" -}}
   {{- if empty .value }}
+    {{- if contains " " .key }}
+      {{- fail (printf "Key '%s' contains spaces which is not allowed" .key) -}}
+    {{- end }}
     {{- .key -}}
   {{- else if and (kindIs "bool" .value) .value -}}
packages/core/platform/bundles/distro-full.yaml (1)

65-71: LGTM with security consideration.

The monitoring-agents configuration looks correct with proper namespace and dependency chain. The privileged: true flag is expected for monitoring agents that need deep system access.

Consider documenting the specific permissions and access levels required by these monitoring agents for security auditing purposes.
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl (3)
Line range hint 62-77: Consider improving template indentation.

While the label implementation is correct and follows Kubernetes best practices, the template readability could be improved with consistent indentation.

Consider adjusting the indentation like this:
{{- define "vm-operator.selectorLabels" -}}
{{- $Release := (.helm).Release | default .Release -}}
-app.kubernetes.io/name: {{ include "vm-operator.name" . }}
-app.kubernetes.io/instance: {{ $Release.Name | trunc 63 | trimSuffix "-" }}
+  app.kubernetes.io/name: {{ include "vm-operator.name" . }}
+  app.kubernetes.io/instance: {{ $Release.Name | trunc 63 | trimSuffix "-" }}
{{- with .extraLabels }}
{{ toYaml . }}
{{- end }}
{{- end -}}
83-87: LGTM! Good CRD lifecycle management.

The CRD annotations correctly implement the "keep" policy which is crucial for preserving CRDs across helm operations. The use of meta.helm.sh annotations ensures proper tracking of resources.

The "keep" policy is particularly important for CRDs as it prevents accidental deletion during helm operations, which could impact multiple resources across the cluster.

Line range hint 101-121: Consider enhancing altNames handling.

While the certificate generation logic is solid, the altNames construction could be more robust by:

Adding validation for required values

Supporting custom altNames through values

Consider adding support for custom altNames:
{{- $altNames := default list -}}
+ {{- if $Values.admissionWebhooks.extraAltNames -}}
+   {{- $altNames = concat $altNames $Values.admissionWebhooks.extraAltNames -}}
+ {{- end -}}
{{- $namePrefix := (printf "%s.%s" $serviceName (include "vm.namespace" .)) -}}
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (3)

13-13: Improve clarity of the change description.

The current description is grammatically incorrect and lacks clarity. Consider rephrasing to:
"Added ability to extract name prefix from application-level fullnameOverride property"

21-21: Add context to the compatibility error message change.

The description "Display compatibility error message" lacks context about what compatibility issues are being addressed. Consider adding details about:

What type of compatibility is being checked

When this error message appears

How users should respond to this message

Line range hint 3-5: Add context to the TODO item.

The "Next release" section contains a bare TODO without any context. Consider either:

Removing the TODO if there are no pending items

Adding specific items that are planned for the next release

Adding a brief description of what needs to be done
packages/system/monitoring-agents/alerts/flux.yaml (2)
Line range hint 28-31: Fix inconsistency between alert evaluation time and description

There's a mismatch between the alert evaluation time (for: 5m) and the description text which mentions "more than 15 minutes". This inconsistency appears in multiple alerts and could be confusing for operators.

Either:

Adjust the evaluation time to match the description: for: 15m

Or update the description text to match the actual evaluation time

Example fix for HelmRelease alert (apply similar changes to other alerts):
    - alert: HelmReleaseNotReady
      expr: gotk_resource_info{customresource_kind="HelmRelease", ready!="True"} > 0
      for: 5m
      labels:
        severity: major
        service: fluxcd
        exported_instance: '{{ $labels.exported_namespace }}/{{ $labels.name }}'
      annotations:
        summary: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready"
-        description: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is in an unready state for more than 15 minutes."
+        description: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is in an unready state for more than 5 minutes."
Also applies to: 63-73

Line range hint 75-143: Consider adding team labels for better alert routing

The suspended state alerts are well-structured, but consider adding team-specific labels to help with alert routing. This would allow different teams to receive alerts relevant to their responsibilities.

Example enhancement:
    - alert: HelmReleaseSuspended
      expr: gotk_resource_info{customresource_kind="HelmRelease", suspended="true"} > 0
      for: 5m
      labels:
        severity: warning
        service: fluxcd
+       team: platform
+       component: gitops
        exported_instance: '{{ $labels.exported_namespace }}/{{ $labels.name }}'
packages/core/platform/bundles/paas-full.yaml (1)
185-185: Fix comma spacing in dependencies list.

The addition of cert-manager-issuers as a dependency is appropriate. However, please add spaces after commas for consistency.
-  dependsOn: [cilium,kubeovn,cert-manager-issuers]
+  dependsOn: [cilium, kubeovn, cert-manager-issuers]
🧰 Tools

🪛 yamllint

[warning] 185-185: too few spaces after comma

(commas)

[warning] 185-185: too few spaces after comma

(commas)
packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (1)
17-18: Update the release date format.

According to Keep a Changelog format, either remove "TBC" or replace it with the actual release date in YYYY-MM-DD format.
-## [3.12.2] - TBC
+## [3.12.2] - 2024-11-14
packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (1)
143-202: Robust implementation of common utilities with important safeguards

Notable strengths:

Standardized image URL generation across cert-manager organization (as noted in the comment)

Strong validation preventing misconfiguration of CRD installation options

Smart handling of namespace to work around Helm limitation

Comprehensive labeling with proper versioning

One suggestion to consider:

Consider adding validation for the image digest format in the image template. This could prevent issues with malformed digest strings. Example:
 {{- define "image" -}}
 {{- $defaultTag := index . 1 -}}
 {{- with index . 0 -}}
 {{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
-{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- if .digest -}}
+  {{- if not (regexMatch "^sha256:[a-f0-9]{64}$" .digest) -}}
+    {{- fail (printf "ERROR: Invalid digest format: %s" .digest) -}}
+  {{- end -}}
+  {{- printf "@%s" .digest -}}
+{{- else -}}
+  {{- printf ":%s" (default $defaultTag .tag) -}}
+{{- end -}}
 {{- end }}
 {{- end }}
packages/system/monitoring-agents/charts/prometheus-node-exporter/values.yaml (2)
138-138: Consider adding common node-exporter environment variables

While the empty env map is valid, consider adding these commonly used environment variables for better metrics collection:
-env: {}
+env:
+  # Enable the process collector
+  PROCFS_PATH: /host/proc
+  # Enable the sysfs collector
+  SYSFS_PATH: /host/sys
+  # Set logging level
+  LOG_LEVEL: info
Line range hint 449-454: Reconsider disabling termination messages

Termination messages are valuable for debugging container failures. The current configuration disables them by default, which might make troubleshooting more difficult.

Consider this configuration instead:
terminationMessageParams:
-  enabled: false
+  enabled: true
   # If enabled, specify the path for termination messages
   terminationMessagePath: /dev/termination-log
-  terminationMessagePolicy: File
+  # FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty
+  terminationMessagePolicy: FallbackToLogsOnError
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (2)
12-12: Improve clarity with proper punctuation.

The description of the change would be clearer with a comma after "CRDs":
-replaced `crd.enabled` property to `crds.plain`. Instead of disabling CRDs it selects if CRDs should be rendered from template or as plain CRDs
+replaced `crd.enabled` property to `crds.plain`. Instead of disabling CRDs, it selects if CRDs should be rendered from template or as plain CRDs
🧰 Tools

🪛 LanguageTool

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

5-12: Enhance documentation of breaking changes.

For version 0.36.0, consider adding:

Migration instructions for users updating from previous versions

Example of the new configuration format

Impact on existing deployments

This would help users understand the implications of the crd.enabled to crds.plain property change.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (2)
96-135: Fix markdown list formatting for consistency.

The installation instructions should use consistent list formatting. Currently, the lists use dashes (-) with 2-space indentation, which differs from the rest of the document.

Apply these changes:
-  - For HTTPS repository
+* For HTTPS repository

-  - For OCI repository
+* For OCI repository
🧰 Tools

🪛 Markdownlint

96-96: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

101-101: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

111-111: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

117-117: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

125-125: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

131-131: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

96-96: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

101-101: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

111-111: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

117-117: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

125-125: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

131-131: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

137-137: Fix grammar in command description.

There's a grammatical error in the command description.
-Get the pods lists by running this commands:
+Get the pods list by running these commands:
🧰 Tools

🪛 LanguageTool

[grammar] ~137-~137: Did you mean “these”?
Context: ... Get the pods lists by running this commands: console kubectl get pods ...

(THIS_TOOLS)
packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json (1)

1562-1562: LGTM! Well-implemented dashboard UID generation.

The conditional UID generation is well-implemented, using a proper combination of namespace and fullname for uniqueness. Making this configurable via Values.dashboards.deterministicUid is a good practice.

Consider adding a comment above this line to document the UID generation behavior and its implications for dashboard persistence across deployments.

🧰 Tools

🪛 Biome

[error] 1562-1562: Expected a property but instead found '{'.

Expected a property here.

(parse)

[error] 1562-1562: Property key must be double quoted

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found printf

Remove printf

(parse)

[error] 1562-1562: expected : but instead found "\"%s\""

Remove ""%s""

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found "%s-%s"

Remove "%s-%s"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Release

Remove Release

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Namespace

Remove Namespace

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found include

Remove include

(parse)

[error] 1562-1562: expected : but instead found "fluent-bit.fullname"

Remove "fluent-bit.fullname"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: expected , but instead found "null"

Remove "null"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Values

Remove Values

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found dashboards

Remove dashboards

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found deterministicUid

Remove deterministicUid

(parse)

[error] 1562-1562: expected : but instead found }

Remove }

(parse)
packages/system/cert-manager-crds/charts/cert-manager/values.yaml (3)
89-97: Consider increasing replica count for high availability in production

The current configuration uses a single replica. While this works for development, it's recommended to use 2-3 replicas in production for high availability.

Consider updating the configuration for production:
-replicaCount: 1
+replicaCount: 3
608-614: Consider increasing webhook replica count for high availability

Similar to the controller, running a single webhook replica in production could lead to availability issues.

Consider updating the configuration for production:
-  replicaCount: 1
+  replicaCount: 3
987-1000: Consider increasing CA injector replica count for high availability

Running a single CA injector replica in production could lead to availability issues.

Consider updating the configuration for production:
-  replicaCount: 1
+  replicaCount: 3
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml (2)
499-500: Improve proxyUrl field description

The proxyUrl field description could be more detailed. Consider adding information about:

The format of the proxy URL

Whether authentication is supported

Any special considerations for HTTPS proxies

Consider updating the description to be more comprehensive:
-  description: '`proxyURL` defines the HTTP proxy server to use.'
+  description: |-
+    `proxyURL` defines the HTTP/HTTPS proxy server to use for scraping.
+    The URL must start with http:// or https://.
+    Authentication can be specified in the URL (e.g., http://user:password@proxy:8080).
1-1: Consider documenting upgrade path

This CRD update includes several version-dependent features with different minimum version requirements (v2.43.0 for proxy features, v2.49.0 for scrape protocols). Consider:

Adding upgrade documentation in the chart's README

Including validation webhooks to prevent usage of features with incompatible Prometheus versions

Adding feature gates or capability detection

Would you like help creating upgrade documentation or implementing validation webhooks?
packages/system/cert-manager-crds/charts/cert-manager/README.md (5)
21-33: Installation commands should use consistent formatting

The installation commands section could be improved for better readability and consistency.

Apply this diff to standardize the command formatting:
-```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
-```
+```console
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+```

-```console
-## Add the Jetstack Helm repository
-$ helm repo add jetstack https://charts.jetstack.io --force-update
+```console
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io --force-update
-## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.16.1 jetstack/cert-manager
+# Install the cert-manager helm chart
+helm install cert-manager --namespace cert-manager --version v1.16.1 jetstack/cert-manager
🧰 Tools

🪛 Markdownlint

22-22: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

157-162: Fix grammatical error in leader election description

The sentence contains a grammatical error using "led" instead of "lead".

Apply this diff to fix the grammar:
-The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot.
+The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a lead but unrenewed leader slot.
🧰 Tools

🪛 LanguageTool

[grammar] ~157-~157: Did you mean “LED” (= diode, light)?
Context: ...l attempting to acquire leadership of a led but unrenewed leader slot. This is effe...

(LED)

573-582: Fix article usage for HTTP proxy environment variables

The sections describing HTTP proxy environment variables use incorrect articles.

Apply this diff to fix the grammar:
-Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
+Configures the HTTP_PROXY environment variable where an HTTP proxy is required.

-Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
+Configures the HTTPS_PROXY environment variable where an HTTP proxy is required.

-Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
+Configures the NO_PROXY environment variable where an HTTP proxy is required, but certain domains should be excluded.
🧰 Tools

🪛 LanguageTool

[misspelling] ~573-~573: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...e HTTP_PROXY environment variable where a HTTP proxy is required. #### **https_p...

(EN_A_VS_AN)

[misspelling] ~577-~577: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ... HTTPS_PROXY environment variable where a HTTP proxy is required. #### **no_prox...

(EN_A_VS_AN)

[misspelling] ~581-~581: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...the NO_PROXY environment variable where a HTTP proxy is required, but certain dom...

(EN_A_VS_AN)

1248-1251: Improve clarity of hostNetwork description

The description of hostNetwork usage contains a typo and could be clearer.

Apply this diff to improve the text:
-Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
+Required for use in some managed Kubernetes clusters (such as AWS EKS) with custom CNI (such as Calico), because the control plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working.
🧰 Tools

🪛 LanguageTool

[formatting] ~1249-~1249: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...S EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot com...

(COMMA_BEFORE_BECAUSE)

1990-1991: Fix broken link to values.yaml

The default values.yaml link should use relative path instead of absolute GitHub URL for better maintainability.

Apply this diff to fix the link:
-> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
+> **Tip**: You can use the default [values.yaml](../values.yaml)
packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (3)
1-4: Add schema metadata for better documentation.

Consider adding schema metadata at the root level for better documentation and maintainability.
 {
+  "title": "cert-manager Helm Values Schema",
+  "description": "JSON Schema for validating cert-manager Helm values",
+  "version": "1.0.0",
   "$defs": {
     // ...
   },
   "$ref": "#/$defs/helm-values",
   "$schema": "http://json-schema.org/draft-07/schema#"
 }
Also applies to: 2132-2135

1184-1188: Add value constraints for numeric fields.

Consider adding minimum value constraints for numeric fields to prevent invalid configurations.
 "helm-values.replicaCount": {
   "default": 1,
   "description": "The number of replicas of the cert-manager controller to run.\n\nThe default is 1, but in production set this to 2 or 3 to provide high availability.\n\nIf `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.\n\nNote that cert-manager uses leader election to ensure that there can only be a single instance active at a time.",
-  "type": "number"
+  "type": "integer",
+  "minimum": 1
 }
331-335: Standardize description formatting.

The description formatting varies across the schema. Consider:

Using consistent markdown formatting for all descriptions

Formatting URLs consistently

Using consistent indentation for examples
 "helm-values.affinity": {
   "default": {},
-  "description": "A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).\n\nFor example:\naffinity:\n  nodeAffinity:\n   requiredDuringSchedulingIgnoredDuringExecution:\n     nodeSelectorTerms:\n     - matchExpressions:\n       - key: foo.bar.com/role\n         operator: In\n         values:\n         - master",
+  "description": "A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).\n\n**Example:**\n```yaml\naffinity:\n  nodeAffinity:\n    requiredDuringSchedulingIgnoredDuringExecution:\n      nodeSelectorTerms:\n      - matchExpressions:\n        - key: foo.bar.com/role\n          operator: In\n          values:\n          - master\n```",
   "type": "object"
 }
Also applies to: 1713-1715
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl (1)
10-20: Simplify and Clarify the Variant Handling Logic

The nested conditionals for setting the $variant variable can be simplified for better readability and maintainability. Consider refactoring the code to reduce complexity.

Here's a proposed refactor:
{{- $variant := .app.image.variant }}
{{- if eq (include "vm.enterprise.disabled" .) "false" -}}
  {{- if $variant }}
    {{- $variant = printf "enterprise-%s" $variant }}
  {{- else }}
    {{- $variant = "enterprise" }}
  {{- end }}
{{- end -}}
{{- with $variant -}}
  {{- $tag = printf "%s-%s" $tag . }}
{{- end -}}
This refactor maintains the same logic while making the flow clearer.
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (1)
6-10: Handle unexpected .style values in vm.service

The current conditional statements only check for "managed" and "plain" styles without a default case:
{{- if eq .style "managed" -}}
    {{- $nameTpl = "vm.managed.fullname" }}
{{- else if eq .style "plain" -}}
    {{- $nameTpl = "vm.plain.fullname" }}
{{- end -}}
If .style is neither "managed" nor "plain", $nameTpl remains as "vm.fullname". Ensure this is the intended behavior, or consider adding an else clause to handle unexpected values.

Example modification:
{{- if eq .style "managed" -}}
    {{- $nameTpl = "vm.managed.fullname" }}
{{- else if eq .style "plain" -}}
    {{- $nameTpl = "vm.plain.fullname" }}
+{{- else -}}
+    {{- /* Handle unexpected style */ -}}
+    {{- $nameTpl = "vm.default.fullname" }}
{{- end -}}
Ensure that "vm.default.fullname" is defined or handle the default case appropriately.
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl (2)

82-113: Refactor 'vm.managed.fullname' and 'vm.plain.fullname' to eliminate code duplication

The templates vm.managed.fullname (lines 82-97) and vm.plain.fullname (lines 98-113) share similar logic with minor differences in how they handle prefixes and suffixes. Refactoring these into a single template that accepts parameters for prefix and suffix adjustments would reduce code duplication and enhance maintainability.

142-152: Consider adding standard Kubernetes labels for better resource identification

Including additional standard labels such as app.kubernetes.io/component and app.kubernetes.io/part-of in the vm.labels template can improve resource identification and management within Kubernetes.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 57e90b7 and 92ff25b.

⛔ Files ignored due to path filters (4)

packages/apps/vm-instance/logos/vmi.svg is excluded by !**/*.svg
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.lock is excluded by !**/*.lock
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.lock is excluded by !**/*.lock
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.lock is excluded by !**/*.lock

📒 Files selected for processing (82)

.pre-commit-config.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (1 hunks)
packages/apps/kubernetes/values.schema.json (1 hunks)
packages/apps/kubernetes/values.yaml (1 hunks)
packages/apps/vm-instance/Chart.yaml (1 hunks)
packages/core/installer/values.yaml (1 hunks)
packages/core/platform/bundles/distro-full.yaml (2 hunks)
packages/core/platform/bundles/distro-hosted.yaml (3 hunks)
packages/core/platform/bundles/paas-full.yaml (3 hunks)
packages/core/platform/bundles/paas-hosted.yaml (2 hunks)
packages/system/cert-manager-crds/.helmignore (1 hunks)
packages/system/cert-manager-crds/Chart.yaml (1 hunks)
packages/system/cert-manager-crds/Makefile (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/README.md (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/values.yaml (1 hunks)
packages/system/cert-manager-crds/values.yaml (1 hunks)
packages/system/cert-manager/values.yaml (1 hunks)
packages/system/monitoring-agents/Chart.yaml (1 hunks)
packages/system/monitoring-agents/alerts/flux.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/Chart.yaml (2 hunks)
packages/system/monitoring-agents/charts/fluent-bit/ci/ci-values.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/templates/NOTES.txt (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/templates/vpa.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/values.yaml (1 hunks)
packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml (1 hunks)
packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/Chart.yaml (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/README.md (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/deployment.yaml (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/rolebinding-nanny.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/service.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/servicemonitor.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/values.yaml (2 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/Chart.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/NOTES.txt (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/networkpolicy.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/rbac-configmap.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/serviceaccount.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/values.yaml (1 hunks)
packages/system/monitoring-agents/templates/apiserver-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/cadvisor-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/etcd-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/kubelet-scrape.yaml (2 hunks)
packages/system/monitoring-agents/templates/namespaces.yaml (1 hunks)
packages/system/monitoring-agents/templates/vmagent.yaml (1 hunks)
packages/system/monitoring-agents/values.yaml (2 hunks)
packages/system/monitoring/charts/metrics-server/RELEASE.md (0 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.yaml (3 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (4 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl (3 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/RELEASE_NOTES.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_changelog.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_index.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/crds/Chart.yaml (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_ingress.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (2 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/NOTES.txt (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl (3 hunks)

⛔ Files not processed due to max files limit (20)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/cleanup.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/cluster_role.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crd.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crd_clusterrole.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/deployment.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/pdb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/rb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/role.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/role_binding.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service_account.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service_scrape.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/uninstall_hook.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/webhook.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml
packages/system/victoria-metrics-operator/values.yaml
scripts/installer.sh
scripts/migrations/6

💤 Files with no reviewable changes (1)

packages/system/monitoring/charts/metrics-server/RELEASE.md

✅ Files skipped from review due to trivial changes (27)

packages/apps/vm-instance/Chart.yaml
packages/core/installer/values.yaml
packages/system/cert-manager-crds/.helmignore
packages/system/cert-manager-crds/Chart.yaml
packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml
packages/system/cert-manager-crds/values.yaml
packages/system/cert-manager/values.yaml
packages/system/monitoring-agents/Chart.yaml
packages/system/monitoring-agents/charts/fluent-bit/Chart.yaml
packages/system/monitoring-agents/charts/fluent-bit/templates/NOTES.txt
packages/system/monitoring-agents/charts/fluent-bit/values.yaml
packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml
packages/system/monitoring-agents/charts/metrics-server/values.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/Chart.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/NOTES.txt
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/rbac-configmap.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/serviceaccount.yaml
packages/system/monitoring-agents/templates/apiserver-scrape.yaml
packages/system/monitoring-agents/templates/cadvisor-scrape.yaml
packages/system/monitoring-agents/templates/etcd-scrape.yaml
packages/system/monitoring-agents/templates/kubelet-scrape.yaml
packages/system/monitoring-agents/templates/namespaces.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_changelog.md
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_index.md
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/crds/Chart.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_ingress.tpl

🧰 Additional context used

🪛 yamllint

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/platform/bundles/paas-full.yaml

[warning] 185-185: too few spaces after comma

(commas)

[warning] 185-185: too few spaces after comma

(commas)

packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🪛 LanguageTool

packages/system/cert-manager-crds/charts/cert-manager/README.md

[style] ~34-~34: Consider a shorter alternative to avoid wordiness.
Context: ...sion v1.16.1 jetstack/cert-manager ``` In order to begin issuing certificates, you will ne...

(IN_ORDER_TO_PREMIUM)

[style] ~97-~97: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...o/v1.ACMEChallengeSolverHTTP01Ingress). For example, secretTemplate in CertificateS...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

[typographical] ~147-~147: If you want to indicate numerical ranges or time ranges, consider using an en dash.
Context: ... verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose. #### *...

(DASH_RULE)

[grammar] ~157-~157: Did you mean “LED” (= diode, light)?
Context: ...l attempting to acquire leadership of a led but unrenewed leader slot. This is effe...

(LED)

[typographical] ~296-~296: It seems that a comma is missing.
Context: ...the services are installed into. If not set then they use the namespace of the rele...

(IF_NOT_COMMA)

[uncategorized] ~303-~303: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...o these annotations (some resources use eg. "cainjector.name" which resolves to the...

(E_G)

[formatting] ~415-~415: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...rt-manager. To disable the auto-approval, because eg. you are using approver-policy, you ...

(COMMA_BEFORE_BECAUSE)

[uncategorized] ~415-~415: The abbreviation “e.g.” (= for example) requires two periods.
Context: .... To disable the auto-approval, because eg. you are using approver-policy, you can ...

(E_G)

[style] ~531-~531: To form a complete sentence, be sure to include a subject or ‘there’.
Context: ...ch they should be applied to ClusterIP. Can be IPv4 and/or IPv6. #### **podDnsPoli...

(MISSING_IT_THERE)

[style] ~548-~548: To form a complete sentence, be sure to include a subject.
Context: ...iases for cert-manager-controller pods. May be useful when performing ACME DNS-01 s...

(MISSING_IT_THERE)

[misspelling] ~573-~573: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...e HTTP_PROXY environment variable where a HTTP proxy is required. #### **https_p...

(EN_A_VS_AN)

[misspelling] ~577-~577: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ... HTTPS_PROXY environment variable where a HTTP proxy is required. #### **no_prox...

(EN_A_VS_AN)

[misspelling] ~581-~581: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...the NO_PROXY environment variable where a HTTP proxy is required, but certain dom...

(EN_A_VS_AN)

[style] ~654-~654: Consider a shorter alternative to avoid wordiness.
Context: ...oller Pod. This is enabled by default, in order to enable the clock-skew liveness probe th...

(IN_ORDER_TO_PREMIUM)

[style] ~674-~674: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...ager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonit...

(CAN_NOT_PREMIUM)

[style] ~959-~959: To form a complete sentence, be sure to include a subject.
Context: ...minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or...

(MISSING_IT_THERE)

[style] ~965-~965: To form a complete sentence, be sure to include a subject.
Context: ...ximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or...

(MISSING_IT_THERE)

[style] ~1175-~1175: To form a complete sentence, be sure to include a subject or ‘there’.
Context: ...ch they should be applied to ClusterIP. Can be IPv4 and/or IPv6. #### **webhook.ima...

(MISSING_IT_THERE)

[formatting] ~1249-~1249: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...S EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot com...

(COMMA_BEFORE_BECAUSE)

[style] ~1258-~1258: This phrase is redundant. Consider using “outside”.
Context: ...seful if you want to expose the webhook outside of the cluster. In some cases, the control...

(OUTSIDE_OF)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

[grammar] ~137-~137: Did you mean “these”?
Context: ... Get the pods lists by running this commands: console kubectl get pods ...

(THIS_TOOLS)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/RELEASE_NOTES.md

[uncategorized] ~8-~8: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md

[uncategorized] ~7-~7: Possible missing preposition found.
Context: ...color=informational&logo=helm) - Allow extract name prefix from app level fullnameOver...

(AI_HYDRA_LEO_MISSING_TO)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/NOTES.txt

[uncategorized] ~2-~2: Loose punctuation mark.
Context: ...--namespace {{ include "vm.namespace" . }} get pods -l "app.kubernetes.io/instanc...

(UNLIKELY_OPENING_PUNCTUATION)

[style] ~4-~4: Consider using a more formal alternative.
Context: ....io/instance={{ $.Release.Name }}" Get more information on https://github.com/VictoriaMetrics/h...

(MORE_INFO)

🪛 Markdownlint

packages/system/cert-manager-crds/charts/cert-manager/README.md

22-22: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

59-59: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

68-68: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

1988-1988: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

407-407: null
Bare URL used

(MD034, no-bare-urls)

416-416: null
Bare URL used

(MD034, no-bare-urls)

627-627: null
Bare URL used

(MD034, no-bare-urls)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

96-96: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

101-101: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

111-111: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

117-117: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

125-125: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

131-131: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

96-96: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

101-101: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

111-111: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

117-117: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

125-125: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

131-131: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

🪛 Biome

packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json

[error] 1562-1562: Expected a property but instead found '{'.

Expected a property here.

(parse)

[error] 1562-1562: Property key must be double quoted

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found printf

Remove printf

(parse)

[error] 1562-1562: expected : but instead found "\"%s\""

Remove ""%s""

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found "%s-%s"

Remove "%s-%s"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Release

Remove Release

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Namespace

Remove Namespace

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found include

Remove include

(parse)

[error] 1562-1562: expected : but instead found "fluent-bit.fullname"

Remove "fluent-bit.fullname"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: expected , but instead found "null"

Remove "null"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Values

Remove Values

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found dashboards

Remove dashboards

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found deterministicUid

Remove deterministicUid

(parse)

[error] 1562-1562: expected : but instead found }

Remove }

(parse)

🔇 Additional comments (90)

packages/system/monitoring-agents/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml (1)

1-5: Consider adding egress rules if required.

The network policy only defines ingress rules. If the node exporter needs to communicate with other services, consider adding appropriate egress rules.

Let's check if there are any other network policies in the repository that might provide guidance:

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md (1)

1-4: LGTM!

The version number and release date are properly formatted following the standard release notes structure.

packages/system/cert-manager-crds/Makefile (1)

1-1: LGTM!

Good practice to include common make targets from the base package.mk file.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/NOTES.txt (2)

1-2: LGTM! Improved namespace handling.

The change to use {{ include "vm.namespace" . }} instead of direct namespace reference is a good practice as it centralizes namespace logic and likely handles edge cases better.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~2-~2: Loose punctuation mark.
Context: ...--namespace {{ include "vm.namespace" . }} get pods -l "app.kubernetes.io/instanc...

(UNLIKELY_OPENING_PUNCTUATION)

4-5: LGTM! Documentation improvements.

The URL formatting has been improved by removing the trailing period, making it more copy-paste friendly.

🧰 Tools

🪛 LanguageTool

[style] ~4-~4: Consider using a more formal alternative.
Context: ....io/instance={{ $.Release.Name }}" Get more information on https://github.com/VictoriaMetrics/h...

(MORE_INFO)

packages/system/monitoring-agents/charts/metrics-server/templates/rolebinding-nanny.yaml (1)

7-7: LGTM! Good improvement in namespace handling.

The change from a hardcoded namespace to {{ .Release.Namespace }} enhances the chart's flexibility and reusability. This modification aligns well with Helm best practices and ensures consistency with the namespace reference in the subjects section.

packages/system/monitoring-agents/charts/metrics-server/templates/service.yaml (1)

22-22: LGTM! Good addition of the appProtocol field.

The explicit declaration of appProtocol: https aligns with Kubernetes best practices for protocol specification. This addition improves service discovery, helps with service mesh integration, and enhances observability by making the application protocol explicit at the Kubernetes level.

packages/system/monitoring-agents/templates/vmagent.yaml (1)

7-8: Verify external labels configuration and add documentation.

The external labels are crucial for proper data routing and multi-tenancy. Please ensure:

Default values are provided in values.yaml
Values are properly validated in the schema
Documentation explains the impact of these labels

✅ Verification successful

External labels configuration is properly defined and validated

The verification shows that:

Default values are provided in values.yaml:
- cluster: cozystack
- tenant: tenant-root
The values are properly used in the template
The configuration is straightforward and follows standard Helm templating practices

The initial concern can be closed as the implementation is correct and follows best practices.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if values and schema validation exist for external labels
echo "Checking values.yaml for default values:"
rg "vmagent:" -A 10 "values.yaml"

echo "\nChecking schema validation:"
rg "vmagent" -A 10 "values.schema.json"

Length of output: 340

Script:

#!/bin/bash
# Let's try to find the values and schema files first
echo "Looking for values files:"
fd -g "*values*.y*ml"

echo -e "\nLooking for schema files:"
fd -g "*schema*.json"

echo -e "\nChecking the directory structure around the template:"
find "$(dirname packages/system/monitoring-agents/templates/vmagent.yaml)" -type f

Length of output: 11948

Script:

#!/bin/bash
# Let's check the values and schema for monitoring-agents specifically
echo "Checking monitoring-agents values.yaml:"
cat packages/system/monitoring-agents/values.yaml

echo -e "\nChecking for any schema file in monitoring-agents:"
fd -g "*schema*.json" packages/system/monitoring-agents/

echo -e "\nChecking vmagent template content for context:"
cat packages/system/monitoring-agents/templates/vmagent.yaml

Length of output: 12569

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml (2)

4-4: Verify the implementation of name prefix extraction feature.

The changelog indicates a new feature for extracting name prefix from app-level fullnameOverride property. This is a significant change that could affect all dependent charts.

✅ Verification successful

Let me gather more information about the implementation details.

Feature implementation verified and working as expected

The implementation of name prefix extraction from app-level fullnameOverride property is correctly implemented in the vm.fullname template within _helpers.tpl. The feature supports multiple levels of override precedence:

Direct app-level fullnameOverride via .Values.fullnameOverride
Chart-specific override via .Values.global.<chart-name>.fullnameOverride
Global override via .Values.global.fullnameOverride

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of the name prefix extraction feature
# and its usage across dependent charts

# Check for the implementation of the name prefix extraction
echo "Checking for name prefix extraction implementation:"
rg -l "_helpers" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/

# Check for usage of fullnameOverride in dependent charts
echo "Checking for fullnameOverride usage in dependent charts:"
rg -l "fullnameOverride:" packages/system/victoria-metrics-operator/charts/

Length of output: 532

Script:

#!/bin/bash
# Check the content of _helpers.tpl for name prefix extraction logic
echo "Checking _helpers.tpl content:"
find packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/ -name "_helpers.tpl" -exec cat {} \;

# Check the values.yaml content for fullnameOverride configuration
echo -e "\nChecking values.yaml content:"
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml | grep -A 5 "fullnameOverride"

Length of output: 7586

28-28: Verify version bump alignment with dependencies.

The version increase from 0.0.5 to 0.0.16 is significant. Ensure this version bump aligns with the changes in dependent charts and follows proper semantic versioning.

✅ Verification successful

Based on the git history and changes, I can now provide a final response:

Version bump is aligned with template changes and follows proper versioning

The version increase from 0.0.5 to 0.0.16 is justified by the following changes:

Addition of new functionality to extract name prefix from app level fullnameOverride property
Significant template improvements including:
- Enhanced image template with enterprise variant support
- Improved security context handling
- Updated command line argument handling
- New helper functions for service and FQDN generation

The version bump follows semantic versioning as these are non-breaking changes in a library chart, appropriately incrementing the patch version.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify version alignment in dependent charts
# and check for any breaking changes

# Find all Chart.yaml files in the victoria-metrics-operator directory
echo "Checking dependent charts versions:"
fd "Chart.yaml$" packages/system/victoria-metrics-operator/ --exec cat {} \; 

# Look for potential breaking changes in templates
echo "Checking for potential breaking changes:"
rg -l "Breaking-Change:|BREAKING CHANGE:" packages/system/victoria-metrics-operator/

Length of output: 3817

Script:

#!/bin/bash
# Let's check for changes in the Chart.yaml file history and dependencies
git log -p packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml

# Check if there are any changes in the templates directory that might indicate breaking changes
echo "Checking template changes:"
fd . packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/ --exec git log -p {} \;

# Check for any dependency version constraints in parent charts
echo "Checking dependency constraints:"
rg "victoria-metrics-common.*version:" -A 2 -B 2 packages/system/victoria-metrics-operator/

Length of output: 39969

.pre-commit-config.yaml (2)

Line range hint 8-9: Consider security implications of --unsafe flag

The --unsafe flag allows parsing of custom tags and merge keys, which is necessary for Kubernetes YAML files. However, this could potentially mask YAML syntax issues. Since this hook excludes templates (via exclude: '^.*templates/.*\.yaml$'), the risk is minimized as it only affects non-template YAML files.

✅ Verification successful

Based on the output, I can see that this repository contains many YAML files, particularly Kubernetes-related configuration files including Helm charts, CRDs, and various infrastructure components. Given that:

Many of these YAML files contain Kubernetes-specific custom resources and configurations that require custom tag parsing
The files include CRDs (Custom Resource Definitions) which often use custom YAML tags
There are Helm chart templates and values files that may contain custom YAML syntax

The --unsafe flag is indeed necessary and appropriate here

The repository primarily consists of Kubernetes-related YAML files that legitimately require custom YAML parsing. The exclusion of templates via exclude: '^.*templates/.*\.yaml$' is a good practice, and the --unsafe flag is necessary for properly validating the Kubernetes manifests, CRDs, and Helm chart files present in the repository.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for non-template YAML files that might be affected
# by the --unsafe flag

# Find all YAML files excluding templates
fd -e yaml -e yml | grep -v "templates/"

Length of output: 26231

13-13: Verify compatibility with markdownlint-cli v0.42.0

The version bump from v0.41.0 to v0.42.0 might introduce breaking changes.

packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/networkpolicy.yaml (2)

17-20: Verify the default port configuration is secure.

The default configuration only exposes the service port, which is a secure approach. However, ensure this aligns with the node exporter's requirements.

Let's verify the service port configuration:

✅ Verification successful

Port configuration is secure and follows standard practices

The port configuration is secure and follows Prometheus Node Exporter standards:

Uses the standard Node Exporter port 9100 as the default container and target port
Service port is restricted to metrics endpoint only
Host port binding is disabled by default (enableHostPort: false)
Port configuration is consistent across container, service, and target port definitions

The NetworkPolicy correctly restricts access to this specific port, making the configuration both secure and functional.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the default service port matches node exporter's standard port
# Expected: Find service port definition matching 9100 (standard node exporter port)

fd --type f 'values.yaml' --exec sh -c 'echo "=== {} ==="; cat {} | grep -A 5 "service:"'

Length of output: 21518

Script:

#!/bin/bash
# Let's check the port configuration in the node exporter's configuration files
# First, check the default port in values.yaml
echo "=== Checking default port configuration ==="
cat packages/system/monitoring-agents/charts/prometheus-node-exporter/values.yaml | grep -A 10 "port:"

# Then check the container port and configuration
echo -e "\n=== Checking container port and configuration ==="
cat packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/daemonset.yaml | grep -A 5 "containerPort:"

Length of output: 2145

15-17: LGTM: Flexible ingress configuration implemented correctly.

The implementation allows for custom ingress rules while maintaining proper YAML structure through toYaml.

Let's verify the values schema supports this configuration:

✅ Verification successful

Based on the shell script results, I can now verify the implementation. The output shows:

The values.yaml in prometheus-node-exporter chart has proper networkPolicy configuration:

networkPolicy:
  enabled: true
  ingress:
  - ports:
    - port: 9100

The networkpolicy.yaml template correctly implements the conditional logic:

spec:
  ingress:
    {{- if .Values.networkPolicy.ingress }}
      {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
    {{- else }}
    - ports:
      - port: {{ .Values.service.port }}
    {{- end }}

LGTM: NetworkPolicy implementation is correct and well-structured

The implementation provides:

Proper schema support for custom ingress rules
Sensible default that only exposes the service port
Correct YAML indentation and templating

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if values schema properly defines the networkPolicy structure
# Expected: Find networkPolicy schema definition with ingress field

fd --type f 'values.schema.json' --exec sh -c 'echo "=== {} ==="; cat {} | jq ".properties.networkPolicy"'

Length of output: 21518

Script:

#!/bin/bash
# Let's check the values.yaml file for networkPolicy configuration
fd --type f 'values.yaml' --exec sh -c 'echo "=== {} ==="; cat {}' | grep -A 10 "networkPolicy:"

# Also check for any existing networkPolicy templates
fd --type f 'networkpolicy.yaml' --exec sh -c 'echo "=== {} ==="; cat {}'

Length of output: 39016

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml (2)

Line range hint 29-31: LGTM on maintainer addition

The addition of the new maintainer follows the established format and includes all required information.

13-13: Verify breaking changes for major version bump

The chart version has been bumped from 14.0.0 to 15.0.0, which indicates breaking changes. Please verify if there are breaking changes in the Prometheus Operator CRDs between v0.76.0 and v0.77.1 that justify this major version bump.

Also applies to: 38-38

✅ Verification successful

Let me generate another script to specifically check for changes in the Prometheus Operator CRDs between these versions, as the current results don't show the actual CRD changes.

This script will help us examine the actual CRD definitions in the prometheus-operator-crds chart to determine if there are any breaking changes that justify the major version bump.

Based on the examination of the CRD files, I can now generate a final response. The CRDs show significant changes in v0.77.1 including new features that require specific Prometheus versions and new fields, which justifies the major version bump.

Major version bump is justified

The chart version bump from 14.0.0 to 15.0.0 is warranted due to several breaking changes and new features in the CRDs:

New scrapeProtocols field added requiring Prometheus >= v2.49.0
New trackTimestampsStaleness field requiring Prometheus >= v2.48.0
New keepDroppedTargets field requiring Prometheus >= v2.47.0
Changes to OAuth2 TLS configuration requiring Prometheus >= v2.43.0

These changes represent significant updates to the CRD schemas that could affect existing deployments, making the major version bump appropriate according to semantic versioning principles.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in the Prometheus Operator CRDs

# Test: Search for CRD files and their changes
fd -e yaml -e yml . | grep -i "crd" | xargs rg -l "kind:\s*CustomResourceDefinition" | \
  while read -r file; do
    echo "=== Checking CRD file: $file ==="
    rg "^[+-]" "$file" || true
  done

Length of output: 25505

Script:

#!/bin/bash
# Description: Check for CRD files in the prometheus-operator-crds chart and their content

# Find and examine CRD files specifically in the prometheus-operator-crds directory
fd . packages/system/victoria-metrics-operator/charts/prometheus-operator-crds -e yaml -e yml | grep -i "crd" | while read -r file; do
    echo "=== Examining CRD file: $file ==="
    # Show file content to examine the CRD structure and any version-specific fields
    cat "$file"
done

Length of output: 188216

packages/system/monitoring-agents/charts/metrics-server/templates/servicemonitor.yaml (2)

13-13: LGTM! Improved label alignment with Kubernetes standards.

The change from {{ .Release.Name }} to app.kubernetes.io/instance follows Kubernetes recommended labels, making it more consistent with standard practices.

13-13: Verify impact on existing metric queries.

This change in jobLabel will affect the job label in scraped metrics. Please ensure:

Existing Prometheus queries using the job label are updated
Grafana dashboards referencing these metrics are reviewed
Any alerting rules based on these metrics are adjusted

packages/system/monitoring-agents/charts/metrics-server/Chart.yaml (2)

3-10: LGTM! Well-structured changelog entries.

The changelog entries are clear, descriptive, and follow good practices by:

Including links to release notes
Properly categorizing changes (added/changed/fixed)
Providing clear descriptions of modifications

12-12: Version updates follow semantic versioning.

The version updates are appropriate:

App version bump (0.7.1 -> 0.7.2) reflects the new Metrics Server release
Chart version bump (3.12.1 -> 3.12.2) follows semantic versioning for the included changes

Let's verify the referenced versions exist:

Also applies to: 32-32

✅ Verification successful

Version updates are correctly documented and follow semantic versioning

The Chart.yaml shows proper version documentation with:

Clear changelog entries linking to the official releases (v0.7.2 for Metrics Server and 1.8.21 for addonResizer)
Appropriate version bumps documented in annotations
Chart version (3.12.2) and appVersion (0.7.2) following semantic versioning principles
Detailed changelog entries explaining the nature of changes (added/changed/fixed)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the referenced versions exist in their respective repositories

# Test 1: Verify Metrics Server version exists
gh api repos/kubernetes-sigs/metrics-server/releases/tags/v0.7.2 --silent || echo "Metrics Server v0.7.2 not found"

# Test 2: Verify addon-resizer version exists
gh api repos/kubernetes/autoscaler/releases/tags/addon-resizer-1.8.21 --silent || echo "addon-resizer-1.8.21 not found"

Length of output: 156

Script:

#!/bin/bash
# Let's try a different approach to verify the versions

# Check the current version in the Chart.yaml
echo "Current Chart.yaml contents:"
cat packages/system/monitoring-agents/charts/metrics-server/Chart.yaml

# Check git history for version changes
echo -e "\nGit history for Chart.yaml:"
git log -p packages/system/monitoring-agents/charts/metrics-server/Chart.yaml | grep -A 5 -B 5 "appVersion:"

Length of output: 2181

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.yaml (3)

15-15: Verify version update documentation.

The chart has been updated with:

Application version: v0.48.4
Chart version: 0.36.0

These changes should be properly documented in the changelog.

#!/bin/bash
# Description: Verify version updates in changelog and release notes

# Test: Check for version references in documentation
rg -i "0\.36\.0|v0\.48\.4" CHANGELOG.md RELEASE_NOTES.md

Also applies to: 43-43

20-23: Verify the CRDs dependency configuration.

The new dependency configuration has some unusual characteristics:

Empty repository ("")
Wildcard version (0.0.*)

Please confirm if this is the intended configuration for CRD handling.

#!/bin/bash
# Description: Check for similar dependency patterns in other charts

# Test: Look for similar dependency configurations
rg --type yaml "condition: crds\.plain" -A 3

4-4: Verify migration documentation for CRD handling changes.

The change from crd.enabled to crds.plain represents a significant modification in CRD management. While the annotation clearly describes the change, we should ensure proper migration guidance is available for users.

✅ Verification successful

Migration path for CRD configuration change is properly documented

The change from crd.enabled to crds.plain is well documented in both the changelog and values.yaml:

The new crds.plain parameter's behavior is clearly explained in values.yaml
The change is documented in the changelog with a clear explanation of the new functionality
The default value is set to false, which means CRDs will be rendered from templates by default
The configuration includes additional CRD-related settings like cleanup options

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if migration documentation exists for the CRD changes

# Test: Look for migration guides or upgrade notes
rg -i -A 5 "migration|upgrade.*crd" README.md UPGRADE.md docs/

Length of output: 249

Script:

#!/bin/bash
# Let's check for any documentation about CRD configuration in the chart
fd -t f -e md . packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/ -x rg -i -A 5 "crd|configuration"

# Also check values.yaml for the new configuration
fd values.yaml packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/ -x cat

Length of output: 14572

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (1)

20-24: Verify the storage and target namespace separation.

The configuration uses the same namespace for both storage and target. While this is valid, ensure this is intentional as separating them might provide better resource isolation and management.

✅ Verification successful

The previous search might have been too specific. Let's broaden our search to understand the namespace patterns in the codebase, particularly focusing on victoria-metrics configurations and similar operators.

Using same namespace for storage and target is consistent with project patterns

The search results show that using identical namespaces for both targetNamespace and storageNamespace is a consistent pattern across all HelmReleases in the codebase, including:

cert-manager
cilium
fluxcd
ingress-nginx
monitoring-agents
victoria-metrics-operator

This appears to be an intentional design choice across the project, and the victoria-metrics-operator configuration follows this established pattern correctly.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if other operators in the codebase follow similar namespace patterns
rg -l "targetNamespace.*storageNamespace" | while read -r file; do
  echo "=== $file ==="
  rg "targetNamespace|storageNamespace" "$file"
done

Length of output: 58

Script:

#!/bin/bash
# Let's try a broader search for namespace configurations in helm releases
rg -g "*.yaml" "targetNamespace:|storageNamespace:" -B2 -A2

# Also search for any victoria-metrics related configurations
fd "victoria.*\.yaml$" --exec cat {}

Length of output: 6404

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (1)

46-47: LGTM! Proper dependency ordering

The addition of the cert-manager-crds dependency is correct and follows best practices. This ensures that the Custom Resource Definitions are available before cert-manager is installed, which is a critical requirement for Kubernetes operators.

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (4)

31-36: LGTM! Values override configuration is well-structured.

The configuration correctly handles values override through a Secret resource and uses proper conditional templating.

45-54: LGTM! Secret configuration follows security best practices.

The Secret resource is well-configured:

Uses stringData instead of data for better security
Properly conditional based on values override presence
Correct YAML indentation for values

38-44: Verify dependency chain with other HelmReleases.

The configuration sets up dependencies on the main release and cilium. Let's verify the dependency chain to ensure proper ordering.

#!/bin/bash
# Description: Verify HelmRelease dependencies
# Expected: Find related HelmReleases and their dependencies

# Search for related HelmReleases and their dependencies
rg -g '*.yaml' -A 5 'kind: HelmRelease.*name:.*cilium'

11-18: Verify chart availability in the repository.

The configuration references a custom chart cozy-cert-manager-crds. Let's verify its existence in the repository.

✅ Verification successful

Chart configuration is valid and properly referenced

The verification shows that:

The chart cozy-cert-manager-crds exists in the repository at packages/system/cert-manager-crds/
The HelmRepository cozystack-system is properly defined in packages/core/platform/templates/helmrepos.yaml
The reference to this repository in the HelmRelease is correct:
- Kind: HelmRepository
- Name: cozystack-system
- Namespace: cozy-system

The configuration is valid and follows the expected pattern used by other components in the system.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence of the cert-manager CRDs chart
# Expected: Find references to the chart in Helm repository configurations

# Search for chart definition or references
rg -g '!{.git,vendor}' "cozy-cert-manager-crds"

Length of output: 150

Script:

#!/bin/bash
# Let's try a broader search for helm repository configurations and charts
# Search for HelmRepository configurations
echo "=== Searching for HelmRepository configurations ==="
rg -g '*.yaml' 'kind:\s*HelmRepository.*name:\s*cozystack-system' -A 5

# Search for any cert-manager related charts or CRDs
echo -e "\n=== Searching for cert-manager related configurations ==="
rg -g '*.yaml' 'cert-manager|certmanager' -B 2 -A 2

Length of output: 353054

Script:

#!/bin/bash
# Let's verify the existence of the chart in the repository structure
echo "=== Checking for chart files ==="
fd "cozy-cert-manager-crds" packages/

# Check the chart's source repository configuration
echo -e "\n=== Checking HelmRepository configuration ==="
rg -g '*.yaml' 'cozystack-system.*HelmRepository' -A 5

Length of output: 276

Script:

#!/bin/bash
# Let's try a different approach to find the repository configuration
echo "=== Checking for HelmRepository configurations ==="
rg -g '*.yaml' 'kind:\s*HelmRepository' -B 2 -A 5

# Also check for the chart in system directory
echo -e "\n=== Checking for cert-manager CRDs chart in system directory ==="
ls -la packages/system/cert-manager-crds/ 2>/dev/null || echo "Directory not found"

# Check for any references to the repository name
echo -e "\n=== Checking for repository references ==="
rg -g '*.yaml' 'name:\s*cozystack-system' -B 2 -A 2

Length of output: 21879

packages/apps/kubernetes/values.yaml (1)

64-71: LGTM! Well-structured monitoring agents configuration.

The new monitoringAgents section follows the established patterns and maintains consistency with other addon configurations. The default values are safe and the integration aligns well with the PR objectives.

packages/core/platform/bundles/distro-hosted.yaml (4)

17-22: LGTM: Good practice separating cert-manager CRDs.

Separating CRDs into a dedicated release is a good practice as it allows better lifecycle management and upgrade paths.

27-27: LGTM: Correct dependency chain for cert-manager.

The dependency on cert-manager-crds ensures proper installation order, with CRDs being available before cert-manager deployment.

115-115: LGTM: Appropriate dependency configuration for external-dns.

The empty dependsOn list is appropriate as external-dns can operate independently of other components.

48-54: Verify the need for privileged access.

The monitoring-agents release is configured with privileged: true. While the dependency on monitoring is logical, we should verify if privileged access is necessary for all monitoring agents.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (1)

37-43: LGTM! Good security practices in volume mounting.

The volume and mount definitions are well-structured with appropriate security considerations:

Proper secret volume mounting
Read-only access for license files
Conditional creation based on secret existence

Also applies to: 50-56

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl (3)

8-8: LGTM! Good improvement to documentation links.

Using an absolute URL to the official documentation is more maintainable and ensures better accessibility.

90-90: LGTM! Good use of centralized documentation template.

Using chart.helmDocs template promotes consistency and reduces duplication across chart documentation.

73-73: Verify template availability and content.

The change to use templates (chart.installSection and chart.uninstallSection) promotes consistency, but we should verify these templates exist and contain the necessary information.

Also applies to: 88-88

✅ Verification successful

Missing required helm-docs templates

The chart.installSection and chart.uninstallSection templates are not found in the codebase. These are standard helm-docs templates that should be available in the helm-docs installation, but are being referenced in the README.md.gotmpl file.

The template inclusions at lines 73 and 88 rely on helm-docs built-in templates
These templates are not part of the chart's codebase but are provided by helm-docs during documentation generation
The change is safe as it uses standard helm-docs functionality

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the referenced templates exist in the chart
# Expected: Find template definitions for installSection and uninstallSection

# Search for template definitions
echo "Searching for template definitions..."
fd --type f -e tpl -e gotmpl . | xargs rg -l "define.*chart\.(install|uninstall)Section"

Length of output: 175

Script:

#!/bin/bash
# Let's try a broader search to find any template-related files and their content
# First, let's check the chart directory structure
echo "Chart directory structure:"
fd --type f . packages/system/victoria-metrics-operator/charts

# Now let's look for any template files or documentation about templates
echo -e "\nSearching for template-related files:"
fd --type f -e tpl -e gotmpl . packages/system/victoria-metrics-operator/charts

# Let's also check for any _helpers.tpl which is a common location for chart templates
echo -e "\nChecking for helpers.tpl content:"
fd --type f -e tpl . packages/system/victoria-metrics-operator/charts --exec cat {}

Length of output: 28235

Script:

#!/bin/bash
# Let's check the helm-docs templates directory which is a common location for shared chart documentation templates
echo "Checking for helm-docs templates:"
fd --type f . packages/system/victoria-metrics-operator/charts --exec grep -l "chart.installSection"

# Let's also check the parent directory for shared templates
echo -e "\nChecking parent directory for templates:"
fd --type f . packages/system --exec grep -l "chart.installSection"

# Let's look at the actual content of the README.md to see what's being replaced
echo -e "\nChecking README content:"
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

Length of output: 29690

Script:

#!/bin/bash
# Let's check the helm-docs templates in the parent directory structure
echo "Checking for helm-docs templates in parent directories:"
fd --type f -e gotmpl -e tpl . packages/system --exec grep -A 5 -B 5 "define.*chart\.installSection"

# Let's also check the actual content of the README.md.gotmpl to see the context
echo -e "\nChecking README.md.gotmpl content:"
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl

Length of output: 3840

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (1)

30-34: Review infinite retry policy

Setting retries: -1 for both install and upgrade remediation will cause infinite retry attempts. This might mask underlying issues and make debugging more difficult.

Consider setting a reasonable retry limit based on your deployment requirements.

packages/core/platform/bundles/paas-hosted.yaml (2)

27-27: LGTM! Correct dependency chain established.

The dependency on cert-manager-crds ensures proper installation order, with CRDs being available before cert-manager starts.

48-54: Verify security implications of privileged monitoring agents.

While the configuration looks correct, the privileged: true flag warrants careful consideration. Let's verify:

Why elevated privileges are required
What specific permissions are granted
Whether these permissions can be reduced

✅ Verification successful

Based on the shell script results, I can now provide a final response since I have sufficient information about the security configurations:

Privileged flag is justified for monitoring agents

The privileged: true flag is necessary as the monitoring agents bundle includes components that require elevated permissions for system monitoring:

metrics-server needs privileged access to collect node metrics
node-exporter requires host access for system metrics collection
fluent-bit needs privileged access for log collection

The security configurations show appropriate safeguards are in place:

Metrics-server uses restrictive security contexts with dropped capabilities
Node-exporter runs with non-root user (65534)
Components use read-only root filesystem where possible
Pod Security Policies enforce least privilege principle

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for related security configurations and permissions
echo "Searching for related RBAC configurations..."
rg -A 10 "monitoring-agents" --type yaml | grep -A 5 -E "Role|ClusterRole|SecurityContextConstraints"

echo "Checking for security-related values in the Helm chart..."
rg -A 10 "securityContext|capabilities|privileged" --type yaml | grep -A 5 "monitoring-agents"

Length of output: 41469

packages/apps/kubernetes/values.schema.json (2)

79-92: LGTM: Schema structure follows established patterns

The monitoringAgents configuration follows the same structure as other addon configurations, maintaining consistency in the schema.

79-92: Verify schema consistency with related configurations

Let's ensure the schema aligns with the actual configurations in related files.

✅ Verification successful

Schema is consistent with configurations and implementation

The schema definition aligns perfectly with the actual usage in the codebase:

The values.yaml matches the schema structure with enabled and valuesOverride fields
The monitoring-agents.yaml HelmRelease is properly gated by .Values.addons.monitoringAgents.enabled
The configuration is consistently referenced as .Values.addons.monitoringAgents across templates
No hardcoded values bypass the schema validation

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistency between schema and related configurations

# Check for corresponding values.yaml default values
echo "Checking for corresponding values.yaml configuration..."
rg -l "monitoringAgents:" packages/apps/kubernetes/

# Check for related HelmRelease configurations
echo "Checking for HelmRelease configurations..."
rg -l "monitoring-agents" packages/apps/kubernetes/templates/helmreleases/

# Verify no hardcoded values bypass the schema
echo "Checking for potential hardcoded values..."
rg "fluentbit|vmagent" packages/apps/kubernetes/templates/

Length of output: 690

Script:

#!/bin/bash
# Let's verify the actual values and configuration alignment

# Check values.yaml content for monitoringAgents structure
echo "=== Values.yaml monitoringAgents configuration ==="
rg -A 10 "monitoringAgents:" packages/apps/kubernetes/values.yaml

# Check monitoring-agents.yaml HelmRelease structure
echo -e "\n=== Monitoring Agents HelmRelease configuration ==="
cat packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

# Check if there are any other references to these configurations
echo -e "\n=== Other references to monitoring configurations ==="
rg "\.monitoringAgents\." packages/apps/kubernetes/templates/

Length of output: 4406

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (3)

2-6: LGTM: Port extraction logic is well-implemented

The port extraction logic correctly handles both default values and flag-based port configurations.

71-78: LGTM: Health check configuration is well-implemented

The probe path and scheme handling properly accounts for path prefixes and TLS configuration.

12-18: LGTM: OpenShift detection is robust

The platform detection logic is well-implemented with proper fallback handling for capabilities.

Let's verify the OpenShift detection usage:

✅ Verification successful

The previous search might have been too strict. Let's broaden it to catch any references to the OpenShift detection template and related configurations.

Let's examine the actual implementations and usage patterns to ensure the OpenShift detection is consistently implemented and properly used.

OpenShift detection implementation is consistent and well-used

The verification shows that the OpenShift detection is properly implemented and consistently used across the codebase:

The vm.isOpenshift template in victoria-metrics-operator correctly detects OpenShift using the API version check
The same detection pattern is used in kubeapps and redis charts with identical logic
The detection is properly used for security context adaptation in all implementations
Values files show proper configuration options for OpenShift compatibility with adaptSecurityContext settings

The implementation is robust and follows best practices for platform detection and security context handling.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for uses of the OpenShift detection template to ensure consistent usage
rg -l "vm\.isOpenshift" --type yaml

Length of output: 37

Script:

#!/bin/bash
# Let's try a broader search for OpenShift detection patterns in yaml/tpl files
rg -l "isOpenshift" --type yaml
rg -l "isOpenshift" -g "*.tpl"

# Also search for potential references in values files
rg -l "openshift" -g "values.yaml"

Length of output: 745

Script:

#!/bin/bash
# Let's examine the implementation and usage in the found tpl files
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl
cat packages/system/dashboard/charts/kubeapps/charts/common/templates/_compatibility.tpl
cat packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_compatibility.tpl

# Also check how it's referenced in the victoria-metrics values
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml

Length of output: 16810

packages/core/platform/bundles/distro-full.yaml (2)

44-44: LGTM! Correct dependency order.

The dependency change from cilium to cert-manager-crds ensures proper installation order where CRDs are available before the main cert-manager components.

34-39: LGTM! Good practice separating CRDs into a dedicated release.

The addition of a separate release for cert-manager CRDs follows Kubernetes best practices for CRD management.

Let's verify the chart structure:

✅ Verification successful

Verified: Chart structure and CRD configuration are correct

The chart is properly structured with:

CRDs defined in templates/crds.yaml within the cert-manager subchart
Correct values configuration with installCRDs: true
Proper dependency chain in distro-full.yaml (cert-manager depends on cert-manager-crds)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the cert-manager-crds chart exists and contains CRDs
fd -t f "Chart.yaml" -x grep -l "name: cozy-cert-manager-crds" {}

Length of output: 114

Script:

#!/bin/bash
# Let's verify the content of the chart to ensure it contains CRDs
cat ./packages/system/cert-manager-crds/Chart.yaml

# Check for CRD files in the chart
fd -t f "\.yaml$" ./packages/system/cert-manager-crds/templates/

# Verify the dependency chain in distro-full.yaml
cat ./packages/core/platform/bundles/distro-full.yaml

Length of output: 4687

Script:

#!/bin/bash
# Let's check if CRDs are defined in the root directory of the chart
fd -t f "\.yaml$" ./packages/system/cert-manager-crds/

# Also check if there's a values.yaml that might reference CRDs
cat ./packages/system/cert-manager-crds/values.yaml 2>/dev/null

# Look for any CRD-related files in the chart directory
ls -la ./packages/system/cert-manager-crds/

Length of output: 903

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl (4)

6-8: LGTM! Good practice with backward compatibility.

The new variable structure using (.helm) with fallbacks to legacy fields is a robust approach that maintains backward compatibility while preparing for future helm updates. The implementation correctly handles all edge cases including name truncation and overrides.

Also applies to: 23-35

42-43: LGTM! Consistent with other changes.

The chart helper maintains consistency with the new variable structure while preserving the standard chart naming convention.

50-55: LGTM! Service account handling is correct.

The service account helper properly implements the new variable structure while maintaining the correct logic for both scenarios (create/no-create).

94-94: LGTM! Clean and straightforward.

The cleanup hook naming is simple and follows consistent naming patterns.

packages/system/monitoring-agents/charts/metrics-server/templates/deployment.yaml (2)

14-15: LGTM! Improved robustness of revisionHistoryLimit condition.

The new condition properly handles both empty string and quoted empty string cases, making it more robust for various YAML parsing scenarios.

36-38: LGTM! Clean conditional assignment using Helm's with block.

The use of the with block for conditional assignment of schedulerName follows Helm best practices and maintains clean template syntax.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (1)

Line range hint 1-113: Overall changelog structure and content looks good!

The changelog effectively documents the chart's evolution with consistent formatting and clear version entries. Each version includes appropriate metadata (release date, Helm version) and meaningful change descriptions.

packages/system/monitoring-agents/alerts/flux.yaml (1)

Line range hint 1-143: Verify coverage of all FluxCD resources

Let's ensure we're monitoring all critical FluxCD resources.

✅ Verification successful

Let me try a different approach to verify the FluxCD resources coverage by searching through the repository for any Flux-related configuration or documentation that might indicate the expected resources.

Let me check the Flux operator CRDs directly from the repository to get a definitive list of resources we should be monitoring.

Let me check one final thing to verify if we're missing any core Flux resources that should be monitored.

Based on the analysis of the repository and the current alerts configuration, I can now provide a final response:

All critical Flux resources are properly monitored

The current alert configuration in flux.yaml covers all essential Flux CD resources:

HelmRelease (ready and suspended states)
GitRepository (ready and suspended states)
Kustomization (ready and suspended states)
ImageRepository (ready and suspended states)
HelmChart (ready and suspended states)

The alerts monitor both the operational state (ready!="True") and suspension state (suspended="true") with appropriate severity levels (major for failures, warning for suspensions). This provides comprehensive coverage of the core Flux CD functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any FluxCD CRDs that might need monitoring but aren't covered by alerts

# Get all FluxCD CRDs and compare with our alert coverage
kubectl get crds -o json | jq -r '.items[] | select(.metadata.name | contains(".flux.")) | .metadata.name' > /tmp/flux_crds.txt

# Compare with resources we're alerting on
echo "Checking for FluxCD resources that might need monitoring:"
grep -i "customresource_kind=" packages/system/monitoring-agents/alerts/flux.yaml | sort -u

Length of output: 1277

Script:

#!/bin/bash
# Search for Flux-related configuration files and documentation
echo "=== Searching for Flux configuration files ==="
fd -e yaml -e yml . | xargs grep -l "flux" 2>/dev/null

echo -e "\n=== Searching for Flux CRD references in docs ==="
rg -i "kind.*\.(flux|fluxcd)" -A 1

echo -e "\n=== Searching for Flux controller deployments ==="
fd -e yaml -e yml . | xargs grep -l "fluxcd" 2>/dev/null

Length of output: 5523

Script:

#!/bin/bash
# Check Flux CRDs in the operator templates
echo "=== Checking Flux CRDs in operator templates ==="
cat packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml 2>/dev/null || \
cat packages/system/fluxcd-operator/charts/flux-operator/crds/*.yaml 2>/dev/null

echo -e "\n=== Current monitored resources ==="
grep -A 1 "alert:" packages/system/monitoring-agents/alerts/flux.yaml | grep -v "alert:" | sort -u

Length of output: 33243

Script:

#!/bin/bash
# Search for Flux core CRDs in the repository
echo "=== Searching for Flux core CRDs ==="
fd -e yaml -e yml . | xargs grep -l "kind: CustomResourceDefinition" | xargs grep -l "fluxcd.io" 2>/dev/null

echo -e "\n=== Searching for Flux controller deployments ==="
fd -e yaml -e yml . | xargs grep -B1 "image:.*fluxcd" 2>/dev/null

Length of output: 423

packages/core/platform/bundles/paas-full.yaml (3)

54-54: LGTM! Dependencies correctly updated.

The dependency change to cert-manager-crds is appropriate, as it ensures CRDs are installed before cert-manager while maintaining indirect dependencies on cilium and kubeovn through the CRDs release.

75-81: Verify privileged access requirements for monitoring agents.

The new monitoring-agents release is well-structured with appropriate dependencies and namespace alignment. However, please verify if privileged access is necessary for all monitoring agents.

Let's check the monitoring agents' permissions:

✅ Verification successful

Based on the search results, I can now verify the privileged access requirements for the monitoring agents. Looking at the monitoring-agents chart components:

node-exporter requires:

hostNetwork: true
hostPID: true
Not privileged (explicitly set privileged: false in PSP)
Needs access to host paths for monitoring

metrics-server requires:

hostNetwork: true
hostPID: true
privileged: true in PSP

kube-state-metrics:

hostNetwork: false
hostPID: false
privileged: false
Limited capabilities

fluent-bit:

hostNetwork: false
privileged: false
Needs host path access for logs

Privileged access is only required for metrics-server component, other agents operate with minimal privileges

The privileged flag in the release is justified as metrics-server needs privileged access to function properly. However, the other monitoring agents run with restricted privileges and only the necessary host access permissions for their monitoring functions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify monitoring agents' permissions
# Expected: Find RBAC definitions and container security contexts

# Search for RBAC and security context definitions
rg -A 10 "kind: (Role|ClusterRole|SecurityContext)" -g "monitoring-agents*"

Length of output: 171

Script:

#!/bin/bash
# Let's try a different approach to find monitoring agents configuration
# First, let's locate the chart directory
fd -t d "cozy-monitoring-agents"

# Then search for any security-related configurations
rg -g "*.y*ml" "securityContext|privileged:|capabilities:|hostPath:|hostNetwork:|hostPID:"

Length of output: 123835

44-49: LGTM! Verify CRD installation order.

The new cert-manager-crds release is well-structured with appropriate dependencies and namespace alignment with cert-manager.

Let's verify the CRD installation order in the chart:

✅ Verification successful

Based on the output, I can now verify the CRD installation order. The results show:

The cert-manager-crds chart exists and contains the necessary CRD definitions
The dependency chain in paas-full.yaml shows:
- cert-manager-crds depends on [cilium, kubeovn]
- cert-manager depends on [cert-manager-crds]
- cert-manager-issuers depends on [cilium, kubeovn, cert-manager]
The HelmRelease manifests confirm:
- cert-manager-crds HelmRelease depends on cilium
- cert-manager HelmRelease depends on cert-manager-crds

Installation order is correctly defined

The CRD installation order is properly structured with cert-manager-crds installed before cert-manager, and all required networking dependencies are in place. The dependencies ensure CRDs are available before the cert-manager controller starts.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify cert-manager CRDs are defined correctly
# Expected: Find CRD definitions in the cert-manager-crds chart

# Search for CRD definitions in the chart
fd -e yaml -e yml . | xargs rg -l "kind: CustomResourceDefinition.*cert-manager"

Length of output: 171

Script:

#!/bin/bash
# Let's try a different approach to verify the CRD installation order

# 1. First, let's check if the cozy-cert-manager-crds chart exists
fd "cozy-cert-manager-crds"

# 2. Let's also check the content of the paas-full.yaml to see the complete dependency chain
cat packages/core/platform/bundles/paas-full.yaml

# 3. Let's search for any cert-manager related files that might contain CRD information
fd -t f -e yaml -e yml . | grep -i "cert-manager"

Length of output: 11213

Script:

#!/bin/bash
# Let's verify the CRD content and installation order

# Check the CRD templates in cert-manager-crds chart
cat packages/system/cert-manager-crds/charts/cert-manager/templates/crds.yaml

# Check if cert-manager deployment has any CRD dependencies
cat packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml

# Verify the helm release definitions
cat packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
cat packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

Length of output: 959255

packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (4)

19-21: LGTM! Well-documented addition with proper PR reference.

The added feature is clearly described with appropriate linking to the source PR and author attribution.

23-27: LGTM! Clear documentation of version updates and changes.

The changes are well documented with proper version links, PR references, and author attributions. The updates to both Metrics Server and addonResizer images, along with the deployment templating change, justify the version increment.

29-33: LGTM! Well-documented fixes with clear problem statements.

The fixes address important issues and are properly documented with PR references and author attributions.

155-155: LGTM! Properly formatted release link.

The release link for version 3.12.2 follows the established pattern and maintains consistency with previous versions.

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml (2)

1-1: LGTM! Source URL is correctly updated.

The source URL accurately reflects the version v0.77.1 of prometheus-operator, providing clear traceability for the CRD definition.

10-11: Verify version consistency across related CRDs.

The version updates look correct:

controller-gen.kubebuilder.io/version: v0.16.1
operator.prometheus.io/version: 0.77.1

Let's verify these versions are consistent across other related CRDs.

✅ Verification successful

Versions are consistent across all related CRDs

The verification confirms that all CRDs in the prometheus-operator-crds templates have matching versions:

controller-gen.kubebuilder.io/version: v0.16.1
operator.prometheus.io/version: 0.77.1

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check version consistency across prometheus-operator CRDs
# Expected: All CRDs should have the same version annotations

echo "Checking controller-gen version consistency..."
rg -l "controller-gen.kubebuilder.io/version" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/ | while read -r file; do
  echo "=== $file ==="
  rg "controller-gen.kubebuilder.io/version: v0.16.1" "$file" || echo "Version mismatch!"
done

echo -e "\nChecking operator version consistency..."
rg -l "operator.prometheus.io/version" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/ | while read -r file; do
  echo "=== $file ==="
  rg "operator.prometheus.io/version: 0.77.1" "$file" || echo "Version mismatch!"
done

Length of output: 4430

packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (4)

1-35: LGTM: Core cert-manager templates follow Helm best practices

The implementation correctly handles:

Kubernetes name length limitations
Name overrides and truncation
Service account creation with proper defaults

37-73: LGTM: Webhook templates maintain backward compatibility

Good practice maintaining compatibility with v0.9 deployment selectors through fixed naming. The implementation correctly handles name truncation with space reserved for the "-webhook" suffix.

75-107: LGTM: Cainjector templates maintain consistency with webhook pattern

Implementation correctly follows the established pattern while maintaining backward compatibility and proper name length management.

109-141: LGTM: Startupapicheck templates maintain consistency

Implementation correctly follows the established pattern for naming and service account handling.

packages/system/monitoring-agents/values.yaml (3)

Line range hint 1-20: Configuration looks good!

The metrics-server configuration has appropriate defaults and security settings.

Line range hint 1-307: Verify impact of removed monitoring components.

The AI summary indicates that fluent-bit and victoria-metrics-k8s-stack sections were removed. Please ensure:

Alternative log collection mechanism is in place
Metrics storage and querying capabilities are handled by other components

Let's verify the monitoring stack dependencies:

✅ Verification successful

Monitoring stack changes are properly handled

Based on the verification results:

Logging is handled by Fluent-bit (found in charts/fluent-bit with complete configuration)
Metrics collection and storage are managed through:
- metrics-server for core Kubernetes metrics
- vmagent configured to write to Victoria Metrics (remoteWrite configured)
- kube-state-metrics for extended Kubernetes metrics
- node-exporter for system metrics

The removal of victoria-metrics-k8s-stack section is compensated by the individual components present in the configuration. The monitoring capabilities are maintained through a more streamlined setup.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for alternative monitoring components
# Expected results: Find references to alternative logging and metrics components

# Check for alternative logging solutions
echo "Checking for logging solutions..."
fd -t f -e yaml -e yml | xargs rg -l 'kind:\s*(Logging|LogCollection|FluentBit|Vector|Loki)'

# Check for alternative metrics solutions
echo "Checking for metrics solutions..."
fd -t f -e yaml -e yml | xargs rg -l 'kind:\s*(VictoriaMetrics|Prometheus|OpenTelemetry|MetricsServer)'

Length of output: 989

Script:

#!/bin/bash
# Let's check for specific monitoring components in the values file and related configurations

# Check for victoria metrics components
echo "Checking victoria metrics components..."
rg -l "victoria" packages/system/monitoring-agents/

# Check for logging components
echo "Checking logging components..."
rg -l "fluent-bit|loki|vector" packages/system/monitoring-agents/

# Check for metrics collection configuration
echo "Checking metrics collection..."
rg "metrics-server:|vmagent:|serviceMonitor:" packages/system/monitoring-agents/values.yaml -A 5

# Check for related helm charts
echo "Checking helm charts..."
fd . packages/system/monitoring-agents/charts/

Length of output: 15974

Line range hint 22-301: Verify API versions for Flux CD resources.

The kube-state-metrics configuration is comprehensive and well-structured. However, some Flux CD resources are using older API versions (e.g., v1beta2, v1beta3).

Let's verify if these API versions are still current:

✅ Verification successful

Based on the search results, I can now generate the final response:

API versions in kube-state-metrics configuration are current and correct

The API versions used in the kube-state-metrics configuration align with the actual usage in the repository:

source.toolkit.fluxcd.io/v1 is the current version being used for source controllers
helm.toolkit.fluxcd.io/v2 is the current version for helm controllers
The beta versions (v1beta2, v1beta3) are used only for specific resources that haven't reached v1 stability yet (image, notification components)

The configuration correctly matches the Flux CD components' API versions as evidenced by their usage across the repository's HelmReleases and other resources.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for newer API versions of Flux CD resources
# Expected results: No newer API versions available for the configured resources

# Check available API versions for Flux CD resources
kubectl api-resources --api-group=source.toolkit.fluxcd.io -o wide
kubectl api-resources --api-group=kustomize.toolkit.fluxcd.io -o wide
kubectl api-resources --api-group=helm.toolkit.fluxcd.io -o wide
kubectl api-resources --api-group=notification.toolkit.fluxcd.io -o wide
kubectl api-resources --api-group=image.toolkit.fluxcd.io -o wide

Length of output: 989

Script:

#!/bin/bash
# Let's try a different approach to verify Flux CD API versions by checking the repository for any Flux CD documentation or CRDs

# Search for Flux CD related files and their API versions
rg -A 1 "apiVersion:\s*(source|kustomize|helm|notification|image)\.toolkit\.fluxcd\.io" --type yaml

# Also check for any Flux CD version information in documentation
fd -t f "README.md" | xargs rg -i "flux\s+version|fluxcd"

Length of output: 7436

packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml (1)

304-311: LGTM! Consider adding value validation.

The addition of template processing for nodeSelector and tolerations enhances flexibility for multi-environment deployments. The implementation follows Helm best practices.

Consider adding value validation in your values schema to prevent injection of invalid node selectors or tolerations. This can be done using a JSON schema in values.schema.json.

Let's verify the template processing:

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (1)

1-106: LGTM! The changelog follows good practices.

The changelog:

Maintains consistent formatting
Includes release dates and version badges
Properly tracks breaking changes
Documents version updates chronologically

🧰 Tools

🪛 LanguageTool

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

packages/system/monitoring-agents/charts/metrics-server/README.md (1)

36-36: LGTM! Clear documentation update for PSP behavior.

The updated description accurately reflects that PodSecurityPolicy resources will only be created for Kubernetes versions before 1.25, aligning with Kubernetes' deprecation timeline.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (2)

1-3: LGTM!

Version and badge updates are properly formatted.

196-1056: LGTM!

The new table format for parameters is well-structured and improves documentation readability. Each parameter is clearly documented with its type, default value, and description.

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml (2)

Line range hint 1-11: Version updates look good.

The CRD has been updated with the latest versions:

Source updated to prometheus-operator v0.77.1
Controller-gen version updated to v0.16.1
Operator version updated to 0.77.1

🧰 Tools

🪛 yamllint

[error] 8-8: syntax error: could not find expected ':'

(syntax)

403-403: OAuth2 proxy configuration updates are properly documented.

The changes correctly document version requirements for proxy-related features:

noProxy requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0
proxyConnectHeader requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0
proxyFromEnvironment requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0
proxyUrl description has been clarified

Let's verify the version compatibility with the current Prometheus deployment:

Also applies to: 436-436, 443-443, 446-446

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml (3)

Line range hint 1-11: LGTM: Version updates are properly documented

The version updates from v0.76.0 to v0.77.1 and controller-gen version update to v0.16.1 are properly documented in both the header comment and annotations.

🧰 Tools

🪛 yamllint

[error] 8-8: syntax error: could not find expected ':'

(syntax)

547-548: LGTM: Improved field description

The description update for the proxyURL field improves clarity while maintaining the same functionality.

Line range hint 504-544: Breaking Change: New version requirements for proxy-related fields

The proxy-related fields (noProxy, proxyConnectHeader, proxyFromEnvironment) now require either:

Prometheus >= v2.43.0 or
Alertmanager >= 0.25.0

Let's verify the Prometheus/Alertmanager versions in use:

packages/system/cert-manager-crds/charts/cert-manager/values.yaml (1)

308-322: Well-configured security contexts across all components

The security context settings follow best practices for all components (controller, webhook, and CA injector):

Running as non-root
Using read-only root filesystem
Dropping all capabilities
Preventing privilege escalation

Also applies to: 674-688, 1041-1055

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml (2)

10-11: Version updates look good!

The version updates are consistent:

controller-gen.kubebuilder.io/version updated to v0.16.1
operator.prometheus.io/version updated to 0.77.1

456-456: Verify Prometheus/Alertmanager version compatibility

The new proxy-related fields (noProxy, proxyConnectHeader, proxyFromEnvironment) all require Prometheus >= v2.43.0 or Alertmanager >= 0.25.0. Please ensure your deployment meets these version requirements.

Also applies to: 489-489, 496-496

packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (1)

1982-1986: Review default webhook secure port.

The default securePort of 10250 might conflict with kubelet which commonly uses this port. Consider:

Using a different default port
Adding a warning in the description about potential conflicts
Documenting port requirements more explicitly

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl (2)

7-9: Consider Handling Empty Image Tags More Explicitly

When the image tag $tag is empty, it's being set to $Chart.AppVersion. Ensure that this behavior is intended and that $Chart.AppVersion is the correct fallback. If not, consider setting a default tag or raising an error.

Verify that $Chart.AppVersion is set correctly in the chart metadata.

23-25: Ensure Registry Defaulting Works as Intended

The current handling of the image registry might lead to unexpected results if the registry is not specified. Verify that the default values are correctly applied to avoid issues with image references.

Run the following script to check for occurrences where the registry might not be properly set:

This script will help identify any values files where the registry might be unset.

✅ Verification successful

Let me generate another script to check the actual template implementation and its usage since the previous script failed due to missing yq tool. We need to verify how the registry defaulting is implemented and used.

Based on the analysis of the template implementation and values files, I can now provide a final response:

Registry Defaulting Implementation is Correct and Safe

The registry defaulting implementation in _image.tpl is properly structured with a safe fallback chain:

First tries .app.image.registry
Falls back to ($Values.global).image.registry
Finally defaults to empty string ""

The empty string default is safe because:

When no registry is specified, the image reference will be correct (just repository:tag)
When registry is specified at either app or global level, it's properly prefixed
The values files show consistent structure supporting this pattern

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if '.app.image.registry' and 'global.image.registry' are set in the values files.

# Find all values.yaml files excluding subcharts
fd values.yaml --exclude 'charts' | while read -r file; do
  echo "Checking $file"
  # Check if '.app.image.registry' is set
  app_registry=$(yq eval '.app.image.registry // empty' "$file")
  # Check if 'global.image.registry' is set
  global_registry=$(yq eval '.global.image.registry // empty' "$file")
  if [[ -z "$app_registry" && -z "$global_registry" ]]; then
    echo "Warning: Registry not set in $file"
  fi
done

Length of output: 37018

Script:

#!/bin/bash
# Check the template implementation and its usage

# First, let's see the full template file content
echo "=== Content of _image.tpl ==="
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl

# Then check for files using this template
echo -e "\n=== Files using this template ==="
rg -l "include.*victoria-metrics-common.*image" packages/system/victoria-metrics-operator

# Finally check the values files structure
echo -e "\n=== Values files structure ==="
find packages/system/victoria-metrics-operator -name "values.yaml" -exec echo "=== {} ===" \; -exec cat {} \;

Length of output: 10853

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (2)

70-70: Validate the use of dig function for $path

At line 70, the dig function is used:

{{- $path = dig "http.pathPrefix" $path ($spec.extraArgs | default dict) -}}

Ensure that the dig function correctly retrieves the http.pathPrefix from $spec.extraArgs. If http.pathPrefix may not exist, consider providing a default value to avoid potential issues.

Please double-check the configurations to ensure http.pathPrefix is set where necessary.

44-44: Ensure $isSecure is correctly updated

In line 44, $isSecure is updated based on ($spec.extraArgs).tls:

{{- $isSecure = (eq ($spec.extraArgs).tls "true") | default $isSecure -}}

Consider verifying that ($spec.extraArgs).tls correctly reflects the intended configuration. If tls can have values other than "true", ensure that the comparison and defaulting logic accurately capture the secure state.

Run the following script to check occurrences of tls settings:

This will help confirm that tls settings are consistently defined as "true" or "false".

✅ Verification successful

TLS configuration handling is correctly implemented

The code correctly handles the TLS configuration through extraArgs.tls:

The $isSecure variable is properly defaulted when extraArgs.tls is not set
The value is consistently used across the template to:
- Set appropriate ports (443 for TLS, 80 for non-TLS)
- Configure protocol scheme (https/http)
The implementation is used consistently in both vm.host and vm.url template definitions

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the values of 'tls' in 'extraArgs' across configurations.

# Test: Search for 'tls' in 'extraArgs' and list their values.
rg 'extraArgs.*tls' -A 2 -g '*.yaml'

Length of output: 38

Script:

#!/bin/bash
# Let's check the template file and its context to understand how $isSecure and extraArgs are used
cat "packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl"

Length of output: 2786

Script:

#!/bin/bash
# Let's also search for any tls configuration in yaml files using a broader pattern
rg "tls:" -A 3 -g "*.yaml" "packages/system/victoria-metrics-operator"

Length of output: 1698

Script:

#!/bin/bash
# Let's check if there are any other references to extraArgs in the templates
rg "extraArgs" -A 2 "packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/"

Length of output: 2596

coderabbitai · 2024-11-04T11:48:49Z

packages/system/monitoring-agents/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml

+networkPolicy:
+  enabled: true
+  ingress:
+  - ports:
+    - port: 9100


⚠️ Potential issue

Fix indentation and enhance network policy security.

The network policy configuration needs improvements in both structure and security:

The indentation for the ports array appears incorrect

The current configuration allows unrestricted access to port 9100

Apply this diff to fix the indentation and enhance security:

networkPolicy: enabled: true ingress: - ports: - - port: 9100 + - port: 9100 + protocol: TCP + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring

This change:

Fixes the YAML indentation

Specifies TCP protocol explicitly

Restricts access to pods from the monitoring namespace only

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

networkPolicy:

enabled: true

ingress:

- ports:

- port: 9100

networkPolicy:

enabled: true

ingress:

- ports:

- port: 9100

protocol: TCP

from:

- namespaceSelector:

matchLabels:

kubernetes.io/metadata.name: monitoring

coderabbitai · 2024-11-04T11:48:49Z

packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}


💡 Codebase verification

PSP version check needs to be standardized across charts

The version check for PSP deprecation is inconsistently implemented across charts:

metrics-server: semverCompare "<1.25-0"

prometheus-node-exporter: Only checks API version availability

kube-state-metrics: Only checks API version availability

fluent-bit: semverCompare "<=1.25-0"

ingress-nginx: semverCompare "<1.25.0-0"

cert-manager: No version check

redis: No version check visible

Issues:

Inconsistent version comparison patterns (<1.25-0 vs <=1.25-0 vs <1.25.0-0)

Some charts only rely on API version checks which may not be sufficient

Some charts have no version checks at all

🔗 Analysis chain

LGTM: Proper handling of PSP deprecation.

The condition correctly handles the PSP deprecation in Kubernetes 1.25+ while maintaining backward compatibility.

Let's verify the Kubernetes version handling:

PSP deprecation check needs to be added to other charts

Several other charts in the repository still use PodSecurityPolicy without the Kubernetes version check:

prometheus-node-exporter

kube-state-metrics

fluent-bit

ingress-nginx (multiple PSPs)

cert-manager (multiple PSPs)

kubeapps/redis

Let's verify their conditions:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash # Description: Verify PSP-related configurations across the repository # Test 1: Check for any other PSP definitions that might need similar version checks rg -g '*.yaml' -g '*.yml' 'kind:\s*PodSecurityPolicy' -A 5 # Test 2: Check for documentation mentioning PSP or Pod Security rg -g 'README.md' -g '*.md' -i 'pod\s*security\s*(policy|admission)'

Length of output: 10949

Script:

#!/bin/bash # Check the conditional statements in PSP files rg -g '*.yaml' -g '*.yml' '{{.*if' -B2 -A1 packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp.yaml packages/system/monitoring-agents/charts/kube-state-metrics/templates/podsecuritypolicy.yaml packages/system/monitoring-agents/charts/fluent-bit/templates/psp.yaml packages/system/ingress-nginx/charts/ingress-nginx/templates/*psp.yaml packages/system/cert-manager/charts/cert-manager/templates/*psp.yaml packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/psp.yaml

Length of output: 930

Script:

#!/bin/bash # Check the conditional statements in PSP files with fixed regex rg -g '*.yaml' -g '*.yml' '{{-?\s*if' -B2 -A1 \ packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp.yaml \ packages/system/monitoring-agents/charts/kube-state-metrics/templates/podsecuritypolicy.yaml \ packages/system/monitoring-agents/charts/fluent-bit/templates/psp.yaml \ packages/system/ingress-nginx/charts/ingress-nginx/templates/*psp.yaml \ packages/system/cert-manager/charts/cert-manager/templates/*psp.yaml \ packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/psp.yaml # Also check for any PSP-related values in values.yaml files rg -g 'values.yaml' 'psp|podSecurityPolicy' \ packages/system/monitoring-agents/charts/prometheus-node-exporter \ packages/system/monitoring-agents/charts/kube-state-metrics \ packages/system/monitoring-agents/charts/fluent-bit \ packages/system/ingress-nginx/charts/ingress-nginx \ packages/system/cert-manager/charts/cert-manager \ packages/system/dashboard/charts/kubeapps/charts/redis

Length of output: 2473

Script:

#!/bin/bash # Check the template files directly with cat to see their conditional statements for file in \ packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp.yaml \ packages/system/monitoring-agents/charts/kube-state-metrics/templates/podsecuritypolicy.yaml \ packages/system/monitoring-agents/charts/fluent-bit/templates/psp.yaml \ packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-psp.yaml \ packages/system/cert-manager/charts/cert-manager/templates/psp.yaml \ packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/psp.yaml; do echo "=== $file ===" head -n 5 "$file" 2>/dev/null echo done

Length of output: 5837

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

coderabbitai · 2024-11-04T11:48:49Z

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1


🛠️ Refactor suggestion

Consider adding a failure threshold for retries.

The current configuration sets unlimited retries (retries: -1) for both install and upgrade remediation. This could lead to infinite retry loops if there's a persistent issue.

install: createNamespace: true remediation: - retries: -1 + retries: 5 + failureThreshold: 300 upgrade: remediation: - retries: -1 + retries: 5 + failureThreshold: 300

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

install:

createNamespace: true

remediation:

retries: -1

upgrade:

remediation:

retries: -1

install:

createNamespace: true

remediation:

retries: 5

failureThreshold: 300

upgrade:

remediation:

retries: 5

failureThreshold: 300

coderabbitai · 2024-11-04T11:48:49Z

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

+{{- if .Values.addons.monitoringAgents.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cozy-victoria-metrics-operator
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}


⚠️ Potential issue

Fix typo in cluster label name.

There's a typo in the target cluster label key: coztstack.io should be cozystack.io.

- coztstack.io/target-cluster-name: {{ .Release.Name }} + cozystack.io/target-cluster-name: {{ .Release.Name }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

{{- if .Values.addons.monitoringAgents.enabled }}

apiVersion: helm.toolkit.fluxcd.io/v2

kind: HelmRelease

metadata:

name: {{ .Release.Name }}-cozy-victoria-metrics-operator

labels:

cozystack.io/repository: system

coztstack.io/target-cluster-name: {{ .Release.Name }}

{{- if .Values.addons.monitoringAgents.enabled }}

apiVersion: helm.toolkit.fluxcd.io/v2

kind: HelmRelease

metadata:

name: {{ .Release.Name }}-cozy-victoria-metrics-operator

labels:

cozystack.io/repository: system

cozystack.io/target-cluster-name: {{ .Release.Name }}

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

coderabbitai · 2024-11-04T11:48:50Z

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}


⚠️ Potential issue

Fix typo in label key.

There's a typo in the label key: coztstack.io should be cozystack.io.

labels: cozystack.io/repository: system - coztstack.io/target-cluster-name: {{ .Release.Name }} + cozystack.io/target-cluster-name: {{ .Release.Name }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

cozystack.io/repository: system

coztstack.io/target-cluster-name: {{ .Release.Name }}

cozystack.io/repository: system

cozystack.io/target-cluster-name: {{ .Release.Name }}

coderabbitai · 2024-11-04T11:48:51Z

...perator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl

+      {{- $tag = (printf "%s-%s" $tag .) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}}


⚠️ Potential issue

Template Function Usage for Image String

Using tpl to render the image string can introduce risks if the repository or tag contains unexpected template expressions. Ensure that the values for .app.image.repository and $tag are sanitized or trusted.

Consider removing tpl if it's not necessary:

-{{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}} +{{- $image := printf "%s:%s" .app.image.repository $tag -}}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

{{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}}

{{- $image := printf "%s:%s" .app.image.repository $tag -}}

coderabbitai · 2024-11-04T11:48:51Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl

+{{- define "vm.host" -}}
+  {{- $fqdn := (include "vm.fqdn" .) -}}
+  {{- $port := 80 -}}
+  {{- $isSecure := ternary false true (empty .appSecure) -}}


⚠️ Potential issue

Correct the logic for $isSecure assignment

The ternary function usage in line 31 seems inverted:

{{- $isSecure := ternary false true (empty .appSecure) -}}

This assigns $isSecure to true when .appSecure is empty, which is counterintuitive. Typically, when .appSecure is not empty, we expect $isSecure to be true.

Reverse the true and false values in the ternary function to fix the logic:

- {{- $isSecure := ternary false true (empty .appSecure) -}} + {{- $isSecure := ternary true false (empty .appSecure) -}}

This change ensures that $isSecure is true when .appSecure is provided.

coderabbitai · 2024-11-04T11:48:52Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl

+      {{- end -}}
+    {{- end -}}
+    {{- $isSecure = (eq ($spec.extraArgs).tls "true") | default $isSecure -}}
+    {{- $port = (ternary 443 80 $isSecure) -}}


⚠️ Potential issue

Correct port assignment based on $isSecure

In line 45, the port assignment appears inverted:

{{- $port = (ternary 443 80 $isSecure) -}}

This assigns port 80 when $isSecure is true, which contradicts standard conventions where secure connections use port 443.

Swap the port numbers in the ternary function:

- {{- $port = (ternary 443 80 $isSecure) -}} + {{- $port = (ternary 80 443 $isSecure) -}}

This ensures that port 443 is used for secure connections.

coderabbitai · 2024-11-04T11:48:52Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl

+      {{- end -}}
+    {{- end -}}
+    {{- $isSecure = (eq ($spec.extraArgs).tls "true") | default $isSecure -}}
+    {{- $proto = (ternary "https" "http" $isSecure) -}}


⚠️ Potential issue

Correct protocol assignment based on $isSecure

The protocol assignment in line 69 is inverted:

{{- $proto = (ternary "https" "http" $isSecure) -}}

This sets $proto to "http" when $isSecure is true, which is opposite of the expected behavior.

Swap the protocols in the ternary function:

- {{- $proto = (ternary "https" "http" $isSecure) -}} + {{- $proto = (ternary "http" "https" $isSecure) -}}

This correction assigns "https" as the protocol when $isSecure is true.

coderabbitai · 2024-11-04T11:48:52Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl

+{{- define "vm.fqdn" -}}
+  {{- $name := (include "vm.service" .) -}}
+  {{- if hasKey . "appIdx" -}}
+    {{- $name = (printf "%s-%d.%s" $name .appIdx $name) -}}


⚠️ Potential issue

Fix self-referential concatenation of $name variable

At line 17, the assignment of $name references itself in a way that can lead to redundant and incorrect service names. By concatenating $name with itself, the resulting service name may be improperly formatted.

Apply this diff to correct the assignment:

- {{- $name = (printf "%s-%d.%s" $name .appIdx $name) -}} + {{- $name = (printf "%s-%d" $name .appIdx) -}}

This fix ensures that $name includes the original name and .appIdx without unnecessary repetition.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

{{- $name = (printf "%s-%d.%s" $name .appIdx $name) -}}

{{- $name = (printf "%s-%d" $name .appIdx) -}}

coderabbitai

Actionable comments posted: 26

🧹 Outside diff range and nitpick comments (46)

packages/system/monitoring-agents/charts/fluent-bit/ci/ci-values.yaml (1)
8-8: LGTM! Consider adding a comment to document the CI-specific setting.

The addition of deterministicUid: true for CI environment is appropriate as it ensures consistent dashboard UIDs, which is beneficial for testing and debugging.

Consider adding a comment to explain why this value differs from the default:
dashboards:
  enabled: true
+  # Set to true in CI for consistent dashboard UIDs across test runs
  deterministicUid: true
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md (1)

7-7: Enhance the feature documentation with more details.

The new feature documentation is too brief. Consider adding:

Description of how to use the feature

Example usage

Impact on existing configurations

Any limitations or considerations
packages/system/cert-manager-crds/Makefile (1)
3-8: Consider enhancing the update target with version pinning and error handling.

The update target effectively manages cert-manager chart updates, but could benefit from some improvements:
 update:
+	@echo "Updating cert-manager CRDs..."
 	rm -rf charts
-	helm repo add jetstack https://charts.jetstack.io
+	helm repo add jetstack https://charts.jetstack.io || exit 1
 	helm repo update jetstack
-	helm pull jetstack/cert-manager --untar --untardir charts
+	helm pull jetstack/cert-manager --version v1.13.2 --untar --untardir charts || exit 1
-	rm -f -- `find charts/cert-manager/templates -maxdepth 1 -mindepth 1 | grep -v 'crds.yaml\|_helpers.tpl'`
+	# Keep only CRDs and helpers
+	find charts/cert-manager/templates -maxdepth 1 -mindepth 1 ! -name 'crds.yaml' ! -name '_helpers.tpl' -delete
+	@echo "Update completed successfully"
Suggested improvements:

Pin the cert-manager version for reproducible builds

Add error handling for helm commands

Make the cleanup command more readable

Add status messages for better visibility
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml (1)

Line range hint 1-15: LGTM on the formatting changes, but consider future-proofing the PSP implementation.

The template structure and RBAC configuration look correct. However, there are some important considerations:

The policy/v1beta1 API version for PodSecurityPolicy is deprecated:

Kubernetes 1.21: Deprecated

Kubernetes 1.25: Removed

Pod Security Policies (PSP) are being replaced by Pod Security Standards (PSS)

Consider implementing a migration strategy to Pod Security Standards (PSS) or Pod Security Admission. This could involve:

Adding support for both PSP and PSS during transition

Using OPA Gatekeeper or Kyverno as alternative policy engines

Implementing Pod Security Standards via namespace labels

Would you like assistance in planning this migration?

packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml (1)

26-26: Consider documenting the version bump rationale.

Since this is part of adding metrics agents, it would be helpful to document why this specific version was chosen, especially if it contains features needed for the metrics agents implementation.

Consider adding a comment in the PR description or commit message explaining the rationale for this version bump and any specific features or fixes it brings that are relevant to the metrics agents implementation.
packages/system/monitoring-agents/templates/vmagent.yaml (1)
13-13: Consider adding reliability configurations for remote write.

The remote write configuration could benefit from additional reliability settings:

Queue configuration for handling backpressure

Retry configuration for handling endpoint unavailability

TLS/authentication settings if required

Consider adding these configurations:
  remoteWrite:
  - url: {{ .Values.vmagent.remoteWrite.url | quote }}
+   remoteWriteSettings:
+     maxDiskUsagePerURL: 1GB
+     maxBlockSize: 5MB
+     flushInterval: 5s
+   queues:
+     - name: default
+       capacity: 10000
+       maxSamplesPerSend: 5000
+   retrySettings:
+     maxRetries: 5
+     minRetryDelay: 1s
+     maxRetryDelay: 30s
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml (1)

4-4: Document the usage of the name prefix extraction feature.

While the changelog entry indicates a new feature for extracting name prefix from fullnameOverride, it would be helpful to add documentation explaining how to use this feature, including examples and any limitations.

Would you like me to help create documentation for this feature in the README or values file?
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/networkpolicy.yaml (1)
15-20: Consider enhancing the default NetworkPolicy security.

The implementation provides good flexibility with custom ingress rules. However, the default ingress rule could be more restrictive.

Consider adding a default namespaceSelector to limit traffic to specific namespaces (e.g., monitoring namespace) when no custom ingress rules are provided:
    {{- else }}
    - ports:
      - port: {{ .Values.service.port }}
+     namespaceSelector:
+       matchLabels:
+         kubernetes.io/metadata.name: monitoring
This would ensure that by default, only pods from the monitoring namespace can access the node-exporter metrics.
packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (2)
27-31: Consider limiting retry attempts.

Setting unlimited retries (retries: -1) for both installation and upgrade remediation could potentially cause resource exhaustion if there are persistent failures. Consider setting a reasonable upper limit.
  install:
    createNamespace: true
    remediation:
-      retries: -1
+      retries: 5
  upgrade:
    remediation:
-      retries: -1
+      retries: 5
10-19: Consider adding resource constraints and values overrides.

The HelmRelease configuration could benefit from:

Resource limits and requests to prevent resource exhaustion

Values overrides to customize the operator's behavior

Would you like me to provide an example configuration with recommended resource limits and common configuration values?
packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (2)
Line range hint 7-8: Fix typo in label name

There's a typo in the label: coztstack.io should be cozystack.io to maintain consistency with other labels.
  labels:
    cozystack.io/repository: system
-   coztstack.io/target-cluster-name: {{ .Release.Name }}
+   cozystack.io/target-cluster-name: {{ .Release.Name }}
Line range hint 1-48: Consider adding resource constraints

While the configuration is well-structured, consider adding resource requests and limits for the cert-manager deployment through the values override to ensure proper resource management and prevent potential resource exhaustion.

Example addition to values override:
resources:
  requests:
    memory: "128Mi"
    cpu: "100m"
  limits:
    memory: "512Mi"
    cpu: "500m"
packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (1)
24-30: Consider setting a finite retry limit.

The current configuration uses unlimited retries (-1) for both installation and upgrade remediation. This could lead to infinite retry loops in case of persistent failures, potentially masking underlying issues.

Consider setting a reasonable finite limit, for example:
  install:
    createNamespace: true
    remediation:
-      retries: -1
+      retries: 5
  upgrade:
    remediation:
-      retries: -1
+      retries: 5
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/NOTES.txt (2)
Line range hint 1-29: LGTM! Consider some minor improvements.

The NOTES.txt template provides clear instructions for different service types and security configurations. Consider these optional improvements:

Add apiVersion: rbac.authorization.k8s.io/v1 to the role permissions example

Include both IP and hostname scenarios in the LoadBalancer section using .status.loadBalancer.ingress[0].hostname
 rules:
+  apiVersion: rbac.authorization.k8s.io/v1
   - apiGroups: [ "" ]
     resources: ["services/{{ template "prometheus-node-exporter.fullname" . }}"]
     verbs:
       - get
Line range hint 15-17: Consider using a templated port value.

The port number (9100) is hardcoded in the ClusterIP section. Consider using the service port from values for consistency:
   export POD_NAME=$(kubectl get pods --namespace {{ template "prometheus-node-exporter.namespace" . }} -l "app.kubernetes.io/name={{ template "prometheus-node-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:9100 to use your application"
-  kubectl port-forward --namespace {{ template "prometheus-node-exporter.namespace" . }} $POD_NAME 9100
+  echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application"
+  kubectl port-forward --namespace {{ template "prometheus-node-exporter.namespace" . }} $POD_NAME {{ .Values.service.port }}
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (2)
1-12: Consider making the default naming style explicit

The template handles "managed" and "plain" styles explicitly, but the default case is implicit. Consider adding an else case with a comment explaining the default style choice for better maintainability.
  {{- if eq .style "managed" -}}
    {{- $nameTpl = "vm.managed.fullname" }}
  {{- else if eq .style "plain" -}}
    {{- $nameTpl = "vm.plain.fullname" }}
+ {{- else -}}
+   {{- /* Default to standard VM naming convention */ -}}
+   {{- $nameTpl = "vm.fullname" }}
  {{- end -}}
1-73: Consider implementing template testing and documentation

While the templates are well-structured, consider the following architectural improvements:

Add template unit tests using Helm's test framework to verify URL generation, FQDN construction, and edge cases

Include documentation comments explaining the expected input parameters and their types

Consider creating a values schema to validate the required configuration structure

These improvements would enhance maintainability and reduce the likelihood of misuse.
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (1)

16-29: Consider more intuitive template names while maintaining good implementation.

The implementation is solid with comprehensive error handling and documentation links. However, the template names could be more intuitive:

vm.enterprise.disabled could be vm.enterprise.license.missing

vm.enterprise.only could be vm.enterprise.license.validate

This would make the purpose of each template more immediately clear to other developers.

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (1)

56-63: Review security implications of host path mounts

The configuration mounts host paths /var/log and /var/lib/docker/containers directly. While necessary for log collection, this requires careful security consideration.

Consider:

Adding security context configurations to limit privileges

Using read-only mounts where possible (already done for containers)

Adding pod security policy or OPA policies to restrict which pods can mount these paths
packages/apps/kubernetes/values.schema.json (1)
84-85: Consider clarifying the description for better understanding.

The current description combines multiple concepts in a single sentence, which might be harder to understand.

Consider this clearer format:
-            "description": "Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage",
+            "description": "Enables MonitoringAgents for collecting logs (fluentbit) and metrics (vmagents). When tenant monitoring is enabled, data is sent to tenant storage; otherwise, it is sent to root storage",
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (1)
89-115: Consider enhancing the error message for empty keys

The command-line argument handling is well-implemented with proper support for boolean flags and array values. However, the error message for empty keys could be more descriptive.

Consider updating the error message to be more specific:
-      {{- fail "Empty key in command line args is not allowed" -}}
+      {{- fail "Command line argument key cannot be empty. Please provide a valid argument name." -}}
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (2)

7-13: Consider enhancing the change description.

While the entry follows the correct format, the feature description could be more detailed to help users understand:

The purpose and benefits of this feature

How to use the new functionality

Any potential impact on existing configurations

Line range hint 1-6: Consider documenting planned changes in the TODO section.

The "Next release" section contains a TODO placeholder. If there are any planned changes or known upcoming features, consider documenting them here to help with release planning and user awareness.
packages/system/monitoring-agents/alerts/flux.yaml (2)
Line range hint 64-75: Fix duration mismatch in alert description

The alert description states "not ready for more than 15 minutes" but the alert triggers after 5 minutes (for: 5m). This inconsistency could cause confusion.

Apply this diff to fix the inconsistency:
      expr: gotk_resource_info{customresource_kind="HelmChart", ready!="True"} > 0
-     for: 5m
+     for: 15m
Or alternatively, update the description to match the 5-minute duration:
      annotations:
        summary: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has failed"
-       description: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready for more than 15 minutes."
+       description: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready for more than 5 minutes."
Line range hint 76-139: Consider adding alert grouping labels

The suspended state alerts are well-structured and consistent. Consider adding a type: suspended label to help with alert routing and filtering.

Example enhancement for all suspended alerts:
      labels:
        severity: warning
        service: fluxcd
+       type: suspended
        exported_instance: '{{ $labels.exported_namespace }}/{{ $labels.name }}'
This would make it easier to:

Route all suspension alerts to specific notification channels

Filter and group alerts in monitoring dashboards

Apply common handling policies to all suspension alerts
packages/core/platform/bundles/paas-full.yaml (1)
185-185: Fix comma spacing in dependencies list

The dependencies list needs consistent spacing after commas.

Apply this formatting fix:
-  dependsOn: [cilium,kubeovn,cert-manager-issuers]
+  dependsOn: [cilium, kubeovn, cert-manager-issuers]
🧰 Tools

🪛 yamllint

[warning] 185-185: too few spaces after comma

(commas)

[warning] 185-185: too few spaces after comma

(commas)
packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (1)

17-18: Add the release date for version 3.12.2

The release date is currently marked as "TBC". Please update this with the actual release date following the format used in other entries (YYYY-MM-DD).
packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (2)
153-162: Consider adding nil checks in the labels template.

The template might fail if .Values.global is nil when attempting to access .Values.global.commonLabels.

Consider adding a nil check:
 {{- define "labels" -}}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- if eq .Values.creator "helm" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
-{{- if .Values.global.commonLabels}}
+{{- if and .Values.global .Values.global.commonLabels}}
 {{ toYaml .Values.global.commonLabels }}
 {{- end }}
 {{- end -}}
182-188: Consider enhancing image URL template validation.

While the template handles the basic cases, it might benefit from additional validation:

Empty repository validation

Registry URL format validation

Digest format validation

Consider adding validation:
 {{- define "image" -}}
 {{- $defaultTag := index . 1 -}}
 {{- with index . 0 -}}
+{{- if not .repository }}
+{{- fail "ERROR: image repository must not be empty" }}
+{{- end }}
 {{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
 {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
 {{- end }}
 {{- end }}
packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml (1)
304-311: Add validation and documentation for template expressions.

While the tpl function enables powerful templating capabilities, it's important to:

Document the supported template expressions

Add validation for the template input

Provide examples in the values.yaml file

Example documentation for values.yaml:
nodeSelector:
  # Supports templating. Examples:
  # kubernetes.io/os: '{{ .Values.targetOs }}'
  # node-role.kubernetes.io/: '{{ .Values.nodeRole }}'

tolerations:
  # Supports templating. Examples:
  # - key: '{{ .Values.tolerationKey }}'
  #   operator: Equal
  #   value: '{{ .Values.tolerationValue }}'
  #   effect: NoSchedule
packages/system/monitoring-agents/charts/prometheus-node-exporter/values.yaml (2)
129-136: LGTM! Consider enhancing the documentation.

The networkPolicy configuration looks good, allowing for both default service port ingress and custom policies.

Consider adding an example of a custom ingress policy in the comments to make it more user-friendly:
# Example custom ingress:
# ingress:
# - from:
#   - namespaceSelector:
#       matchLabels:
#         name: monitoring
#   ports:
#   - port: 9100
Line range hint 479-508: Consider adding recommended resource values for VPA.

The VPA configuration is well-structured but could benefit from including recommended resource values to help users better understand typical resource requirements for node-exporter.

Consider adding comments with recommended values based on typical node-exporter resource usage:
verticalPodAutoscaler:
  # ... existing config ...
  
  # Recommended values based on typical node-exporter resource usage
  # maxAllowed:
  #   cpu: 100m      # Typically sufficient for most scenarios
  #   memory: 50Mi   # Base memory requirement
  # minAllowed:
  #   cpu: 10m       # Minimum to ensure basic functionality
  #   memory: 20Mi   # Minimum memory requirement
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (1)
12-12: Improve clarity of the breaking change description.

The description of the property change could be clearer with proper punctuation:
-replaced `crd.enabled` property to `crds.plain`. Instead of disabling CRDs it selects if CRDs should be rendered from template or as plain CRDs
+replaced `crd.enabled` property with `crds.plain`. Instead of disabling CRDs, it selects if CRDs should be rendered from template or as plain CRDs
🧰 Tools

🪛 LanguageTool

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (1)
137-137: Fix grammar: "this commands" should be "these commands".
-Get the pods lists by running this commands:
+Get the pods lists by running these commands:
🧰 Tools

🪛 LanguageTool

[grammar] ~137-~137: Did you mean “these”?
Context: ... Get the pods lists by running this commands: console kubectl get pods ...

(THIS_TOOLS)
packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json (2)

1562-1562: LGTM: Deterministic dashboard UID implementation.

The implementation of a deterministic dashboard UID is a good practice that:

Prevents dashboard duplication across reinstalls

Maintains consistent dashboard URLs

Allows for predictable dashboard management

Consider documenting the following operational aspects in the chart's README:

The purpose of the deterministic UID feature

The behavior when deterministicUid is enabled/disabled

The impact on existing dashboard instances when enabling this feature

🧰 Tools

🪛 Biome

[error] 1562-1562: Expected a property but instead found '{'.

Expected a property here.

(parse)

[error] 1562-1562: Property key must be double quoted

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found printf

Remove printf

(parse)

[error] 1562-1562: expected : but instead found "\"%s\""

Remove ""%s""

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found "%s-%s"

Remove "%s-%s"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Release

Remove Release

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Namespace

Remove Namespace

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found include

Remove include

(parse)

[error] 1562-1562: expected : but instead found "fluent-bit.fullname"

Remove "fluent-bit.fullname"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: expected , but instead found "null"

Remove "null"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Values

Remove Values

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found dashboards

Remove dashboards

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found deterministicUid

Remove deterministicUid

(parse)

[error] 1562-1562: expected : but instead found }

Remove }

(parse)

Line range hint 1-1561: LGTM: Well-structured monitoring dashboard.

The dashboard provides comprehensive monitoring coverage including:

Input/Output metrics for bytes and records

Error rates and retries

Filter operations

Resource usage (CPU/Memory)

Consider adding:

Tooltips or descriptions for panels to help users understand the metrics

Links to Fluent Bit documentation for deeper metric explanations

🧰 Tools

🪛 Biome

[error] 1561-1561: expected , but instead found fluent

Remove fluent

(parse)

[error] 1561-1561: Minus must be followed by a digit

(parse)

[error] 1561-1561: expected , but instead found bit

Remove bit

(parse)

[error] 1561-1561: unexpected character .

(parse)

[error] 1561-1561: expected , but instead found fullname

Remove fullname

(parse)

[error] 1561-1561: expected : but instead found " . }}"

Remove " . }}"

(parse)

[error] 1562-1562: Expected a property but instead found '{'.

Expected a property here.

(parse)

[error] 1562-1562: Property key must be double quoted

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found printf

Remove printf

(parse)

[error] 1562-1562: expected : but instead found "\"%s\""

Remove ""%s""

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found "%s-%s"

Remove "%s-%s"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Release

Remove Release

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Namespace

Remove Namespace

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found include

Remove include

(parse)

[error] 1562-1562: expected : but instead found "fluent-bit.fullname"

Remove "fluent-bit.fullname"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: expected , but instead found "null"

Remove "null"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Values

Remove Values

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found dashboards

Remove dashboards

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found deterministicUid

Remove deterministicUid

(parse)

[error] 1562-1562: expected : but instead found }

Remove }

(parse)

packages/system/cert-manager-crds/charts/cert-manager/values.yaml (1)

71-84: Review CRDs configuration for production readiness.

The CRDs configuration looks good with keep: true preventing accidental deletion. However, for production environments, consider the following recommendations:

Document the CRD upgrade process in your deployment procedures

Consider enabling CRDs installation (crds.enabled: true) in development environments for easier setup
packages/system/cert-manager-crds/charts/cert-manager/README.md (5)
1-7: Documentation structure looks good, but could be enhanced.

Consider adding a table of contents at the beginning of the document to help users navigate through the extensive configuration options more easily.

21-33: Consider enhancing the installation instructions.

The installation commands are correct but could be improved:

Add a note about checking the latest version instead of hardcoding v1.16.1

Consider adding verification steps after installation
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+# Replace <version> with the latest version from https://cert-manager.io/docs/installation/supported-releases/
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/<version>/cert-manager.crds.yaml
+
+# Verify the CRDs are installed
+$ kubectl get crds | grep 'cert-manager.io'
<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 Markdownlint</summary>

22-22: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

</details>

</details>

---

`407-416`: **Fix formatting and language issues.**

Several minor formatting issues need to be addressed:
1. Replace bare URLs with proper Markdown links
2. Fix "eg." to "e.g." for proper abbreviation
3. Fix article usage ("a HTTP" should be "an HTTP")

```diff
-ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
+For more information, see [Certificate Request Approval](https://cert-manager.io/docs/concepts/certificaterequest/#approval)
🧰 Tools

🪛 LanguageTool

[formatting] ~415-~415: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...rt-manager. To disable the auto-approval, because eg. you are using approver-policy, you ...

(COMMA_BEFORE_BECAUSE)

[uncategorized] ~415-~415: The abbreviation “e.g.” (= for example) requires two periods.
Context: .... To disable the auto-approval, because eg. you are using approver-policy, you can ...

(E_G)

🪛 Markdownlint

407-407: null
Bare URL used

(MD034, no-bare-urls)

416-416: null
Bare URL used

(MD034, no-bare-urls)

1963-1980: Enhance security context documentation.

The security context documentation is good but could be improved by:

Adding references to Pod Security Standards documentation

Explaining the security implications of changing these defaults
 ### Default Security Contexts

-The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
+The default pod-level and container-level security contexts adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. These defaults are carefully chosen to provide maximum security while maintaining functionality. Modifying these values may impact the security posture of your deployment.
+
+For more information about Kubernetes security contexts, see:
+- [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
191-204: Highlight high availability best practices more prominently.

The high availability recommendations are currently embedded within the configuration documentation. Consider adding a dedicated "Production Best Practices" section that consolidates all recommendations.

For example, add a new section that covers:

Recommended replica counts for production

Resource requests and limits

Pod disruption budgets

Node affinity and anti-affinity rules

Monitoring and alerting configuration
packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (1)

6-176: Consider enhancing property validations.

While the core structure is well-organized with good descriptions and defaults, consider adding:

Pattern validations for fields like nameOverride and fullnameOverride to ensure they follow Kubernetes naming conventions

Minimum/maximum constraints for numeric fields like replicaCount

Enum validations for fields with known value sets
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl (2)
22-22: Unnecessary use of tpl function in image construction

The use of the tpl function is unnecessary here since neither .app.image.repository nor $tag contain templating directives that need evaluation. This adds unnecessary complexity to the template rendering process.

Consider simplifying the code by removing tpl:
-{{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}}
+{{- $image := printf "%s:%s" .app.image.repository $tag -}}
5-6: Simplify variable assignments for $Chart and $Values

The use of default to fallback to .Chart and .Values may be redundant since these values should be consistently available in the Helm templating context.

Consider simplifying the assignments:
-{{- $Chart := (.helm).Chart | default .Chart -}}
-{{- $Values := (.helm).Values | default .Values -}}
+{{- $Chart := .Chart -}}
+{{- $Values := .Values -}}
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl (1)

82-113: Refactor to eliminate code duplication between vm.managed.fullname and vm.plain.fullname

The functions vm.managed.fullname (lines 82-97) and vm.plain.fullname (lines 98-113) share similar logic with minor differences in handling prefixes and suffixes. Refactoring these functions to utilize a shared helper function or to parameterize the differences would improve maintainability and reduce code duplication.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 57e90b7 and 92ff25b.

⛔ Files ignored due to path filters (4)

packages/apps/vm-instance/logos/vmi.svg is excluded by !**/*.svg
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.lock is excluded by !**/*.lock
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.lock is excluded by !**/*.lock
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.lock is excluded by !**/*.lock

📒 Files selected for processing (82)

.pre-commit-config.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (1 hunks)
packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (1 hunks)
packages/apps/kubernetes/values.schema.json (1 hunks)
packages/apps/kubernetes/values.yaml (1 hunks)
packages/apps/vm-instance/Chart.yaml (1 hunks)
packages/core/installer/values.yaml (1 hunks)
packages/core/platform/bundles/distro-full.yaml (2 hunks)
packages/core/platform/bundles/distro-hosted.yaml (3 hunks)
packages/core/platform/bundles/paas-full.yaml (3 hunks)
packages/core/platform/bundles/paas-hosted.yaml (2 hunks)
packages/system/cert-manager-crds/.helmignore (1 hunks)
packages/system/cert-manager-crds/Chart.yaml (1 hunks)
packages/system/cert-manager-crds/Makefile (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/README.md (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (1 hunks)
packages/system/cert-manager-crds/charts/cert-manager/values.yaml (1 hunks)
packages/system/cert-manager-crds/values.yaml (1 hunks)
packages/system/cert-manager/values.yaml (1 hunks)
packages/system/monitoring-agents/Chart.yaml (1 hunks)
packages/system/monitoring-agents/alerts/flux.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/Chart.yaml (2 hunks)
packages/system/monitoring-agents/charts/fluent-bit/ci/ci-values.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/templates/NOTES.txt (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/templates/vpa.yaml (1 hunks)
packages/system/monitoring-agents/charts/fluent-bit/values.yaml (1 hunks)
packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml (1 hunks)
packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/Chart.yaml (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/README.md (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/deployment.yaml (2 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/rolebinding-nanny.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/service.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/templates/servicemonitor.yaml (1 hunks)
packages/system/monitoring-agents/charts/metrics-server/values.yaml (2 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/Chart.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/NOTES.txt (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/networkpolicy.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/rbac-configmap.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/serviceaccount.yaml (1 hunks)
packages/system/monitoring-agents/charts/prometheus-node-exporter/values.yaml (1 hunks)
packages/system/monitoring-agents/templates/apiserver-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/cadvisor-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/etcd-scrape.yaml (1 hunks)
packages/system/monitoring-agents/templates/kubelet-scrape.yaml (2 hunks)
packages/system/monitoring-agents/templates/namespaces.yaml (1 hunks)
packages/system/monitoring-agents/templates/vmagent.yaml (1 hunks)
packages/system/monitoring-agents/values.yaml (2 hunks)
packages/system/monitoring/charts/metrics-server/RELEASE.md (0 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml (4 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.yaml (3 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (4 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl (3 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/RELEASE_NOTES.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_changelog.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_index.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/crds/Chart.yaml (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml (2 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_ingress.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (2 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/NOTES.txt (1 hunks)
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl (3 hunks)

⛔ Files not processed due to max files limit (20)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/cleanup.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/cluster_role.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crd.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/crd_clusterrole.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/deployment.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/pdb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/rb.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/role.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/role_binding.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service_account.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/service_scrape.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/uninstall_hook.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/webhook.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml
packages/system/victoria-metrics-operator/values.yaml
scripts/installer.sh
scripts/migrations/6

💤 Files with no reviewable changes (1)

packages/system/monitoring/charts/metrics-server/RELEASE.md

✅ Files skipped from review due to trivial changes (22)

packages/apps/vm-instance/Chart.yaml
packages/core/installer/values.yaml
packages/system/cert-manager-crds/.helmignore
packages/system/cert-manager-crds/Chart.yaml
packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml
packages/system/cert-manager-crds/values.yaml
packages/system/cert-manager/values.yaml
packages/system/monitoring-agents/Chart.yaml
packages/system/monitoring-agents/charts/fluent-bit/templates/NOTES.txt
packages/system/monitoring-agents/charts/fluent-bit/templates/vpa.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/Chart.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/rbac-configmap.yaml
packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/serviceaccount.yaml
packages/system/monitoring-agents/templates/apiserver-scrape.yaml
packages/system/monitoring-agents/templates/cadvisor-scrape.yaml
packages/system/monitoring-agents/templates/etcd-scrape.yaml
packages/system/monitoring-agents/templates/kubelet-scrape.yaml
packages/system/monitoring-agents/templates/namespaces.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_changelog.md
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/_index.md
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/crds/Chart.yaml
packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_ingress.tpl

🧰 Additional context used

🪛 yamllint

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/platform/bundles/paas-full.yaml

[warning] 185-185: too few spaces after comma

(commas)

[warning] 185-185: too few spaces after comma

(commas)

packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🪛 LanguageTool

packages/system/cert-manager-crds/charts/cert-manager/README.md

[style] ~34-~34: Consider a shorter alternative to avoid wordiness.
Context: ...sion v1.16.1 jetstack/cert-manager ``` In order to begin issuing certificates, you will ne...

(IN_ORDER_TO_PREMIUM)

[style] ~97-~97: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...o/v1.ACMEChallengeSolverHTTP01Ingress). For example, secretTemplate in CertificateS...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

[typographical] ~147-~147: If you want to indicate numerical ranges or time ranges, consider using an en dash.
Context: ... verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose. #### *...

(DASH_RULE)

[grammar] ~157-~157: Did you mean “LED” (= diode, light)?
Context: ...l attempting to acquire leadership of a led but unrenewed leader slot. This is effe...

(LED)

[typographical] ~296-~296: It seems that a comma is missing.
Context: ...the services are installed into. If not set then they use the namespace of the rele...

(IF_NOT_COMMA)

[uncategorized] ~303-~303: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...o these annotations (some resources use eg. "cainjector.name" which resolves to the...

(E_G)

[formatting] ~415-~415: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...rt-manager. To disable the auto-approval, because eg. you are using approver-policy, you ...

(COMMA_BEFORE_BECAUSE)

[uncategorized] ~415-~415: The abbreviation “e.g.” (= for example) requires two periods.
Context: .... To disable the auto-approval, because eg. you are using approver-policy, you can ...

(E_G)

[style] ~531-~531: To form a complete sentence, be sure to include a subject or ‘there’.
Context: ...ch they should be applied to ClusterIP. Can be IPv4 and/or IPv6. #### **podDnsPoli...

(MISSING_IT_THERE)

[style] ~548-~548: To form a complete sentence, be sure to include a subject.
Context: ...iases for cert-manager-controller pods. May be useful when performing ACME DNS-01 s...

(MISSING_IT_THERE)

[misspelling] ~573-~573: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...e HTTP_PROXY environment variable where a HTTP proxy is required. #### **https_p...

(EN_A_VS_AN)

[misspelling] ~577-~577: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ... HTTPS_PROXY environment variable where a HTTP proxy is required. #### **no_prox...

(EN_A_VS_AN)

[misspelling] ~581-~581: Use “an” instead of ‘a’ if the following word starts with a vowel sound, e.g. ‘an article’, ‘an hour’.
Context: ...the NO_PROXY environment variable where a HTTP proxy is required, but certain dom...

(EN_A_VS_AN)

[style] ~654-~654: Consider a shorter alternative to avoid wordiness.
Context: ...oller Pod. This is enabled by default, in order to enable the clock-skew liveness probe th...

(IN_ORDER_TO_PREMIUM)

[style] ~674-~674: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...ager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonit...

(CAN_NOT_PREMIUM)

[style] ~959-~959: To form a complete sentence, be sure to include a subject.
Context: ...minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or...

(MISSING_IT_THERE)

[style] ~965-~965: To form a complete sentence, be sure to include a subject.
Context: ...ximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or...

(MISSING_IT_THERE)

[style] ~1175-~1175: To form a complete sentence, be sure to include a subject or ‘there’.
Context: ...ch they should be applied to ClusterIP. Can be IPv4 and/or IPv6. #### **webhook.ima...

(MISSING_IT_THERE)

[formatting] ~1249-~1249: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...S EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot com...

(COMMA_BEFORE_BECAUSE)

[style] ~1258-~1258: This phrase is redundant. Consider using “outside”.
Context: ...seful if you want to expose the webhook outside of the cluster. In some cases, the control...

(OUTSIDE_OF)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

[grammar] ~137-~137: Did you mean “these”?
Context: ... Get the pods lists by running this commands: console kubectl get pods ...

(THIS_TOOLS)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/RELEASE_NOTES.md

[uncategorized] ~8-~8: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

🪛 Markdownlint

packages/system/cert-manager-crds/charts/cert-manager/README.md

22-22: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

59-59: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

68-68: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

1988-1988: null
Dollar signs used before commands without showing output

(MD014, commands-show-output)

407-407: null
Bare URL used

(MD034, no-bare-urls)

416-416: null
Bare URL used

(MD034, no-bare-urls)

627-627: null
Bare URL used

(MD034, no-bare-urls)

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

96-96: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

101-101: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

111-111: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

117-117: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

125-125: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

131-131: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

96-96: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

101-101: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

111-111: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

117-117: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

125-125: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

131-131: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

🪛 Biome

packages/system/monitoring-agents/charts/fluent-bit/dashboards/fluent-bit.json

[error] 1562-1562: Expected a property but instead found '{'.

Expected a property here.

(parse)

[error] 1562-1562: Property key must be double quoted

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found printf

Remove printf

(parse)

[error] 1562-1562: expected : but instead found "\"%s\""

Remove ""%s""

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found "%s-%s"

Remove "%s-%s"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Release

Remove Release

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Namespace

Remove Namespace

(parse)

[error] 1562-1562: unexpected character (

(parse)

[error] 1562-1562: expected , but instead found include

Remove include

(parse)

[error] 1562-1562: expected : but instead found "fluent-bit.fullname"

Remove "fluent-bit.fullname"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: unexpected character )

(parse)

[error] 1562-1562: expected , but instead found "null"

Remove "null"

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found Values

Remove Values

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found dashboards

Remove dashboards

(parse)

[error] 1562-1562: unexpected character .

(parse)

[error] 1562-1562: expected , but instead found deterministicUid

Remove deterministicUid

(parse)

[error] 1562-1562: expected : but instead found }

Remove }

(parse)

🔇 Additional comments (105)

packages/system/cert-manager-crds/Makefile (2)

1-1: LGTM!

Including the common package.mk for shared make rules is the correct approach.

5-6: Verify Jetstack repository configuration.

Let's ensure the Jetstack repository is properly configured and accessible.

✅ Verification successful

The Jetstack repository configuration is valid and properly documented

The Makefile is using the official Jetstack Helm repository (https://charts.jetstack.io) which is the correct source for cert-manager charts. This is verified by:

The repository URL matches the official documentation in charts/cert-manager/README.md
The repository is used to pull cert-manager v1.16.1 which is a stable release
The Chart.yaml and values.yaml confirm this is the expected source for all cert-manager components

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify Jetstack helm repository configuration
# Expected: Repository should be accessible and contain cert-manager chart

# Test: Check if repository is accessible
helm repo add jetstack https://charts.jetstack.io
helm search repo jetstack/cert-manager --output json | jq -r '.[0].version'

Length of output: 273

Script:

#!/bin/bash
# Let's examine the Makefile and related files to understand the context and dependencies

# Check the Makefile content
cat packages/system/cert-manager-crds/Makefile

# Look for any related configuration files
fd -t f "values.yaml|Chart.yaml" packages/system/cert-manager-crds/

# Search for any documentation about cert-manager setup
fd -t f "README" packages/system/cert-manager-crds/

Length of output: 760

Script:

#!/bin/bash
# Let's examine the Chart.yaml and README to understand the versioning and setup requirements

# Check the Chart.yaml content
cat packages/system/cert-manager-crds/Chart.yaml

# Check the README content
cat packages/system/cert-manager-crds/charts/cert-manager/README.md

# Check if there are any alternative sources or mirrors mentioned
rg -i "jetstack|cert-manager" packages/system/cert-manager-crds/ -A 2 -B 2

Length of output: 277404

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/NOTES.txt (2)

5-5: LGTM! Improved URL formatting.

Removing the trailing period from the URL is correct as it prevents potential issues when users copy/paste the URL.

2-2: LGTM! Verify the template function.

The change to use {{ include "vm.namespace" . }} improves template consistency and maintainability.

Let's verify the template function exists:

✅ Verification successful

I can now provide a final response since I found the vm.namespace template definition in the helpers file. This template is used by the NOTES.txt file and is properly defined.

Template function exists and works as expected

The vm.namespace template function is properly defined in the chart's _helpers.tpl and follows Helm best practices by:

Using a namespace override if specified in values
Falling back to global namespace override if set
Using the release namespace as final fallback
Including version validation for Helm compatibility

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the vm.namespace template function exists
# Expected: Find the template function definition

# Search for the vm.namespace template function definition
rg -A 5 '_namespace[[:space:]]*:=' packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates

Length of output: 121

Script:

#!/bin/bash
# Let's try different approaches to find the template function:

# 1. Search for namespace template in _helpers.tpl which is common for Helm charts
fd -g '_helpers.tpl' -x cat {} 

# 2. Search for any file containing "vm.namespace" definition
rg -l "vm\.namespace"

# 3. Search for namespace-related template definitions with broader pattern
rg "namespace:[[:space:]]*{{" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates

Length of output: 170900

Script:

#!/bin/bash
# Let's check the _helpers.tpl file directly since we found it in the search results
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl

# Also check the common helpers since it was found in the search
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl

Length of output: 11806

packages/system/monitoring-agents/charts/metrics-server/templates/rolebinding-nanny.yaml (1)

7-7: LGTM! Good improvement in namespace handling.

The change from a hardcoded namespace to using {{ .Release.Namespace }} is a good practice that:

Improves flexibility by allowing deployment to any namespace
Ensures consistency between the RoleBinding's namespace and its subject's namespace
Reduces the risk of cross-namespace permission issues

packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml (2)

1-1: LGTM: Good practice on K8s version handling!

The condition correctly prevents PSP creation on Kubernetes 1.25+ where PSPs are removed, while maintaining compatibility with older versions.

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

Line range hint 1-29: Review security implications of privileged PSP.

The PSP grants extensive privileges including:

All capabilities (allowedCapabilities: '*')
Privileged mode
Host namespace access (PID, IPC, Network)
All volume types
Unrestricted user/group execution

While metrics-server might require some elevated permissions, consider if all these privileges are necessary.

Let's verify the minimal required permissions:

Consider implementing the principle of least privilege by:

Documenting why each privileged permission is needed
Restricting permissions to only those required
Using Pod Security Standards (PSS) in K8s 1.25+ as a replacement for PSP

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/monitoring-agents/charts/metrics-server/templates/service.yaml (1)

22-22: LGTM! Good addition of explicit protocol declaration.

Adding the appProtocol field is a good practice as it:

Improves service mesh integration capabilities
Enhances clarity for security auditing
Aligns with Kubernetes best practices for protocol declaration

packages/system/monitoring-agents/charts/kube-state-metrics/Chart.yaml (1)

26-26: Version bump looks good, but let's verify the changelog.

The minor version bump from 5.25.1 to 5.26.0 seems appropriate for adding new features.

Let's verify the changelog and release notes for this version:

packages/system/monitoring-agents/templates/vmagent.yaml (2)

Line range hint 19-24: Clarify the status of stateful storage configuration.

The commented storage configuration suggests this might be needed in the future. Consider:

Whether stateful storage is required for your use case
If the commented configuration represents the final intended values

Would you like assistance in determining the storage requirements based on your metrics volume and retention needs?

7-8: Verify required external labels configuration.

The external labels are critical for metrics identification and multi-tenancy. Ensure that .Values.vmagent.externalLabels.cluster and .Values.vmagent.externalLabels.tenant are properly defined in the values file and have appropriate validation.

✅ Verification successful

External labels are properly configured with default values

The verification shows that external labels are well-defined:

Default values exist in packages/system/monitoring-agents/values.yaml:
- cluster: cozystack
- tenant: tenant-root
Values are properly overridden in the HelmRelease template:
- cluster: {{ .Release.Name }}
- tenant: {{ $targetTenant }}

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence and structure of values configuration
# Expected: Find the values definition for vmagent external labels

# Search for vmagent values definition
echo "Searching for vmagent values definition..."
fd -e yaml -e yml | xargs rg -l "vmagent:" | xargs rg -A 10 "externalLabels:"

Length of output: 1640

packages/system/monitoring-agents/charts/fluent-bit/Chart.yaml (2)

27-27: LGTM! Chart version bump is appropriate

The patch version increment (0.47.7 -> 0.47.10) aligns well with the nature of the changes, following semantic versioning principles for backward compatible updates.

4-4: Verify Fluent Bit v3.1.9 availability

The version update looks good, but let's verify that this version exists and is stable.

Also applies to: 6-6

✅ Verification successful

Fluent Bit v3.1.9 version verified successfully

The version tag v3.1.9 exists in the official Fluent Bit repository, confirming it's a valid and released version.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify if Fluent Bit v3.1.9 exists in the official repository
# Expected: Should find the v3.1.9 tag

# Check if the version tag exists in the Fluent Bit repository
gh api \
  -H "Accept: application/vnd.github+json" \
  repos/fluent/fluent-bit/git/refs/tags/v3.1.9

Length of output: 438

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/Chart.yaml (1)

28-28: LGTM on version bump.

The version increment from 0.0.5 to 0.0.16 follows semantic versioning and appropriately reflects the addition of new features.

.pre-commit-config.yaml (2)

13-13: LGTM: Markdownlint-cli version update is appropriate.

The update to v0.42.0 is a reasonable minor version bump that maintains existing functionality while potentially including bug fixes and improvements.

11-11: Verify the necessity of the --unsafe flag for YAML validation.

While the --unsafe flag is often necessary for Kubernetes manifests with custom resource definitions, it bypasses some YAML safety checks. Please ensure this change is required by confirming:

Which specific YAML constructs in your repository require unsafe parsing
Whether this can be limited to specific paths instead of applying globally

Let's check for YAML files with custom tags that might require unsafe parsing:

✅ Verification successful

Let's examine the actual content of some of these files to understand the YAML constructs that require unsafe parsing.

The --unsafe flag is justified for this repository

The repository contains multiple YAML files that require unsafe parsing:

Helm charts with complex templating using {{...}} syntax
CRDs (Custom Resource Definitions) with Kubernetes-specific tags
Chart.yaml files with YAML multi-line strings using | indicators
Backup scripts embedded in YAML with shell commands and templating

These YAML constructs are standard in Kubernetes manifests and Helm charts, and the --unsafe flag is required to properly validate them. The usage is appropriate given the repository's content and purpose.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find YAML files with custom tags that might require unsafe parsing
# Look for common Kubernetes custom tags and other non-standard YAML constructs

echo "Searching for YAML files with custom tags..."
rg -l '!!\w+|![\w/]+|!!binary|!!merge|<<:|&\w+' --type yaml

Length of output: 2232

Script:

#!/bin/bash
# Check content of a few representative files to understand the YAML constructs
echo "=== Checking Chart.yaml files ==="
cat packages/system/monitoring-agents/charts/metrics-server/Chart.yaml

echo -e "\n=== Checking CRD example ==="
head -n 20 packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml

echo -e "\n=== Checking template with potential anchors ==="
cat packages/apps/postgres/templates/backup-script.yaml

Length of output: 4025

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml (2)

38-38: Document breaking changes for major version bump

The chart version has been bumped from 14.0.0 to 15.0.0, indicating breaking changes. Please ensure these changes are documented in the chart's CHANGELOG.md or release notes.

#!/bin/bash
# Description: Check if breaking changes are documented

# Test: Look for CHANGELOG.md or similar files
fd -t f "CHANGELOG.md|BREAKING_CHANGES.md|UPGRADE.md" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/

# Test: Check if there's any documentation about version 15.0.0
rg -i "15\.0\.0|breaking changes" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/

13-13: Verify breaking changes in Prometheus Operator v0.77.1

The appVersion bump from v0.76.0 to v0.77.1 might introduce breaking changes in CRD schemas. Please ensure compatibility with existing resources.

✅ Verification successful

Let me try another approach to verify the changes between these versions.

Let me try one final verification to check for CRD changes.

Based on the verification results, I can now provide a final response:

No breaking changes detected in Prometheus Operator v0.77.1

The changes between v0.76.0 and v0.77.1 are minimal and include:

Updated controller-gen version from v0.15.0 to v0.16.1
Minor documentation formatting improvements
No structural changes to CRD schemas

The major version bump in the chart (15.0.0) appears to be related to internal chart restructuring rather than breaking changes in the Prometheus Operator CRDs themselves.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in the Prometheus Operator release notes
# between v0.76.0 and v0.77.1

# Test: Search for breaking changes in release notes
gh release view prometheus-operator/prometheus-operator/v0.77.1 | grep -i "breaking\|migration"
gh release view prometheus-operator/prometheus-operator/v0.77.0 | grep -i "breaking\|migration"

Length of output: 342

Script:

#!/bin/bash
# Check the CRD files for any structural changes between the current and previous versions
fd -t f '\.yaml$' packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/templates/ -x cat {} | grep -i "version\|kind\|group"

# Look for any upgrade notes or documentation
fd -t f 'README.md|NOTES.txt' packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/ -x cat {}

# Check git history for any relevant commit messages
git log -p packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml | grep -A 10 -B 10 "version: 15.0.0"

Length of output: 3219

Script:

#!/bin/bash
# Check for CRD-related changes in the commit history
git log -p --since="6 months ago" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/ | grep -B 5 -A 5 "CustomResourceDefinition\|CRD\|monitoring.coreos.com"

# Check if there are any CRD files in the chart
fd -t f -e yaml . packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/

# Look for any version-specific documentation
rg -i "v0.77|breaking" packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/

Length of output: 19285

packages/system/monitoring-agents/charts/metrics-server/Chart.yaml (2)

3-10: LGTM! Well-documented changelog entries.

The changelog entries are clear, properly formatted, and include links to relevant GitHub releases. They effectively communicate the changes made in this version.

12-12: Version updates look appropriate.

The version bumps follow semantic versioning:

App version update to 0.7.2 aligns with the new metrics-server release
Chart version increment to 3.12.2 is appropriate for these non-breaking changes

Let's verify the metrics-server version compatibility:

Also applies to: 32-32

✅ Verification successful

Version 0.7.2 of metrics-server is verified and valid

The GitHub API response confirms that v0.7.2 tag exists in the kubernetes-sigs/metrics-server repository, validating that this is an official and available version. The version update in the Chart.yaml is appropriate and safe to use.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the metrics-server version exists and is not deprecated
# Expected: Should find the v0.7.2 tag in the metrics-server repository

gh api \
  -H "Accept: application/vnd.github+json" \
  repos/kubernetes-sigs/metrics-server/git/refs/tags/v0.7.2

Length of output: 477

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.yaml (2)

15-15: Version bump requires changelog verification.

The version updates (appVersion: v0.47.2 → v0.48.4, chart version: 0.34.5 → 0.36.0) are significant. Let's ensure they're properly documented.

#!/bin/bash
# Description: Verify version documentation
# Test 1: Check changelog entries for new versions
rg -A 5 "0\.36\.0|v0\.48\.4" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md

# Test 2: Verify version compatibility in related files
rg "0\.34\.5|0\.36\.0" packages/system/victoria-metrics-operator/

Also applies to: 43-43

4-4: Verify the impact of CRD handling changes.

The change from crd.enabled to crds.plain represents a significant architectural shift in how CRDs are managed. This change could impact existing deployments and upgrade paths.

Let's verify the documentation and related changes:

✅ Verification successful

Based on the analysis of the code and configuration files, I can now provide a final response:

CRD handling change is a controlled enhancement with backward compatibility

The change from crd.enabled to crds.plain is a well-documented enhancement that:

Provides more flexibility in CRD management by allowing templated or plain CRD rendering
Maintains backward compatibility through the crds.plain: false default setting
Is properly documented in the changelog
Has proper implementation in the values.yaml with crds.plain: false as default

The change represents an improvement in CRD management rather than a breaking change, and the implementation ensures a smooth upgrade path.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for related CRD configuration changes and documentation
# Test 1: Look for CRD-related changes in values.yaml
rg -A 5 "crds\.plain|crd\.enabled" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml

# Test 2: Check for upgrade instructions in documentation
rg -A 5 "upgrade|migration" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md

Length of output: 2649

Script:

#!/bin/bash
# Let's check for CRD-related changes in values.yaml and templates
rg -l "crds:" packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/

# Check content of values.yaml for CRD configuration
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/values.yaml

# Check for any CRD-related templates
fd . packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/ -t f -e yaml -x cat {}

Length of output: 34028

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml (2)

1-41: Overall implementation looks good!

The HelmRelease configuration follows best practices and properly integrates with the monitoring stack. The conditional deployment and dependency management are well implemented.

🧰 Tools

🪛 yamllint

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

32-41: Verify existence of dependent HelmReleases.

The configuration depends on several other HelmReleases. Let's verify their existence in the cluster.

✅ Verification successful

Dependencies configuration is valid and properly referenced

The verification confirms:

Both dependent HelmReleases (cilium and cert-manager-crds) exist in the repository
No circular dependencies detected - other components depend on victoria-metrics-operator, but not vice versa
The self-dependency check is safely guarded by a conditional

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for the existence of dependent HelmReleases

# Search for referenced HelmReleases in the repository
echo "Searching for dependent HelmRelease definitions..."
rg --type yaml "kind: HelmRelease" --with-filename | grep -E "cilium|cert-manager-crds"

# Search for any potential circular dependencies
echo -e "\nChecking for circular dependencies..."
rg --type yaml -A 5 "dependsOn.*victoria-metrics-operator"

Length of output: 4251

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml (2)

46-47: LGTM: Proper dependency ordering

The addition of cert-manager-crds as a dependency is correct and ensures proper installation order, as CRDs should be installed before the main cert-manager components.

Line range hint 1-48: Verify monitoring integration

Since this PR adds metrics agents, we should verify that cert-manager metrics are properly configured and exposed.

✅ Verification successful

Let me gather more specific information about cert-manager metrics configuration.

Let me check the content of the ServiceMonitor configuration to verify its completeness.

Metrics integration is properly configured

The cert-manager deployment has comprehensive metrics configuration:

ServiceMonitor resource is available and configurable via .Values.prometheus.servicemonitor
Metrics port (9402) and path (/metrics) are exposed in the deployment
Prometheus annotations are set for service discovery
Service exists to expose the metrics endpoint

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for ServiceMonitor or PodMonitor configurations in the cert-manager chart
echo "Checking for monitoring configurations..."
ast-grep --pattern 'kind: ServiceMonitor' 
ast-grep --pattern 'kind: PodMonitor'

# Check for metrics-related configurations
echo "Checking for metrics configurations..."
rg -l 'metrics' --type yaml

Length of output: 22451

Script:

#!/bin/bash
# Check cert-manager values and templates for metrics configuration
echo "Checking cert-manager metrics configuration..."
rg -A 5 "metrics" packages/system/cert-manager/charts/cert-manager/values.yaml
rg -A 5 "metrics" packages/system/cert-manager/charts/cert-manager/templates/

# Check for ServiceMonitor in cert-manager templates
echo -e "\nChecking for ServiceMonitor in cert-manager..."
rg -l "ServiceMonitor" packages/system/cert-manager/charts/cert-manager/templates/

Length of output: 1967

Script:

#!/bin/bash
# Check the ServiceMonitor configuration for cert-manager
echo "Checking ServiceMonitor configuration..."
cat packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml

# Check if there's a corresponding Service for metrics
echo -e "\nChecking Service configuration..."
rg -A 10 "Service" packages/system/cert-manager/charts/cert-manager/templates/service.yaml

Length of output: 2468

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml (3)

31-36: LGTM! Values override configuration is well-structured.

The conditional values override configuration follows best practices by using a Secret for storing sensitive configuration data.

45-54: LGTM! Secret configuration is well-implemented.

The conditional Secret resource is properly implemented using stringData for the values override.

38-44: Verify dependency chain configuration.

The dependencies look correct, but let's verify the dependency chain to ensure proper deployment order.

#!/bin/bash
# Description: Verify the dependency chain configuration
# Expected: Find related HelmReleases and their dependencies

# Search for related HelmReleases
echo "Searching for related HelmReleases..."
rg -A 10 "kind: HelmRelease" --type yaml | rg -B 10 "name: .*cilium"

# Search for potential circular dependencies
echo "Checking for potential circular dependencies..."
rg -l "dependsOn.*cert-manager-crds" --type yaml

packages/apps/kubernetes/values.yaml (2)

64-71: LGTM! The new monitoringAgents section follows consistent patterns.

The structure matches other addon configurations with proper YAML formatting, documentation style, and default values.

67-68: Verify the conditional storage routing behavior.

The comment indicates that metrics/logs are sent to either tenant or root storage based on tenant monitoring status. Let's verify this logic is implemented correctly.

✅ Verification successful

Let me gather more specific information about the monitoring agents configuration.

Let me check the template logic that determines the target tenant for routing.

Let me try one final search with different patterns to find the routing logic.

The routing behavior is correctly implemented

The implementation confirms the documented behavior. The routing is determined by the namespace annotation namespace.cozystack.io/monitoring which is stored in $targetTenant. This value is then used consistently to:

Configure vmagent's remote write URL to the tenant's storage (vminsert-shortterm.{{ $targetTenant }}.svc)
Add tenant labels to logs in fluent-bit configuration
Route logs to the tenant's log storage (vlogs-generic.{{ $targetTenant }}.svc)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for the implementation of storage routing logic for monitoring agents

# Test 1: Look for tenant monitoring configuration
echo "Searching for tenant monitoring configuration..."
rg -l "tenant.*monitoring" --type yaml

# Test 2: Look for storage destination configuration in monitoring agents
echo "Searching for storage destination configuration..."
rg -l "storage.*destination" --type yaml

# Test 3: Look for the actual implementation of conditional routing
echo "Searching for conditional routing implementation..."
ast-grep --pattern 'if $tenant_monitoring {
  $$$
  storage $$$
  $$$
}'

Length of output: 526

Script:

#!/bin/bash
# Search for monitoring agents configuration and routing logic

# Look for monitoring agents configuration with context
echo "Searching for monitoring agents configuration..."
rg -A 10 "monitoringAgents:" --type yaml

# Look for fluentbit configuration
echo "Searching for fluentbit configuration..."
rg -A 10 "fluentbit:" --type yaml

# Look for vmagent configuration
echo "Searching for vmagent configuration..."
rg -A 10 "vmagent:" --type yaml

# Look for any storage routing related configuration
echo "Searching for storage routing patterns..."
rg -A 5 "(tenant|root).*storage" --type yaml

Length of output: 4378

Script:

#!/bin/bash
# Search for template logic that determines target tenant

# Look for template logic in monitoring-agents.yaml with more context
echo "Searching for target tenant determination logic..."
rg -B 10 -A 10 "\$targetTenant" packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

# Look for any tenant monitoring condition
echo "Searching for tenant monitoring condition..."
rg -B 5 -A 5 "if.*tenant.*monitoring|tenant.*monitoring.*if" packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

Length of output: 447

Script:

#!/bin/bash
# Search for monitoring-agents template and configuration

# Get full content of monitoring-agents template
echo "Content of monitoring-agents.yaml:"
cat packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

# Look for any conditional statements in the template
echo "Searching for conditional logic in monitoring-agents template..."
rg -B 5 -A 5 "{{.*if.*}}|{%-*if.*%}" packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

# Look for tenant-related variables or settings
echo "Searching for tenant-related settings..."
rg -B 3 -A 3 "tenant" packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

Length of output: 4324

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_service.tpl (2)

14-26: LGTM! Well-structured FQDN generation

The template correctly implements Kubernetes DNS naming conventions and properly handles both stateful and stateless deployments.

51-73: 🛠️ Refactor suggestion

Refactor duplicated logic and improve path handling

The template has two main issues:

It duplicates the spec traversal logic from vm.host
Path handling could lead to double slashes in URLs

Consider these improvements:

  {{- define "vm.url" -}}
    {{- $host := (include "vm.host" .) -}}
    {{- $Values := (.helm).Values | default .Values -}}
    {{- $proto := "http" -}}
-   {{- $path := .appRoute | default "/" -}}
+   {{- $path := .appRoute | default "" -}}
+   {{- $path = trimSuffix "/" (trimPrefix "/" $path) -}}
+   {{- if $path -}}
+     {{- $path = printf "/%s" $path -}}
+   {{- else -}}
+     {{- $path = "/" -}}
+   {{- end -}}
    {{- $isSecure := ternary false true (empty .appSecure) -}}
    {{- if .appKey -}}
-     {{- $appKey := ternary (list .appKey) .appKey (kindIs "string" .appKey) -}}
-     {{- $spec := $Values -}}
-     {{- range $ak := $appKey -}}
-       {{- if index $spec $ak -}}
-         {{- $spec = (index $spec $ak) -}}
-       {{- end -}}
-       {{- if and (kindIs "map" $spec) (hasKey $spec "spec") -}}
-         {{- $spec = $spec.spec -}}
-       {{- end -}}
-     {{- end -}}
+     {{- $spec := (include "vm.getSpec" (dict "spec" $Values "appKey" .appKey)) -}}
      {{- $isSecure = (eq ($spec.extraArgs).tls "true") | default $isSecure -}}
      {{- $proto = (ternary "https" "http" $isSecure) -}}
-     {{- $path = dig "http.pathPrefix" $path ($spec.extraArgs | default dict) -}}
+     {{- with dig "http.pathPrefix" "" ($spec.extraArgs | default dict) -}}
+       {{- $prefix := trimSuffix "/" (trimPrefix "/" .) -}}
+       {{- if $prefix -}}
+         {{- $path = printf "/%s%s" $prefix $path -}}
+       {{- end -}}
+     {{- end -}}
    {{- end -}}
    {{- printf "%s://%s%s" $proto $host $path -}}
  {{- end -}}

This refactoring:

Extracts the duplicated spec traversal into a shared helper template
Properly handles path normalization to prevent double slashes
Makes path prefix handling more robust

packages/core/platform/bundles/distro-hosted.yaml (4)

17-22: LGTM: Well-structured cert-manager CRDs release configuration.

The new release for cert-manager CRDs follows best practices by:

Using a dedicated release for CRDs
Placing it in the same namespace as cert-manager
Having no dependencies, ensuring CRDs are installed first

27-27: LGTM: Correct dependency configuration for cert-manager.

The dependency on cert-manager-crds is appropriate and follows the recommended installation order where CRDs must be installed before the operator.

115-115: No changes detected in external-dns configuration.

The dependsOn array remains unchanged.

48-54: Verify security implications of privileged monitoring agents.

The monitoring-agents release requires privileged access. While the dependency on the monitoring release is correct, we should ensure:

The privileged access is strictly necessary
The scope of privileges is minimized
Security implications are documented

✅ Verification successful

Based on the search results, I can now provide a comprehensive response about the security implications of privileged monitoring agents:

Privileged access is justified but security measures are in place

The privileged access for monitoring-agents is necessary and properly secured:

The chart includes several components with explicit security configurations:
- node-exporter runs with privileged: false
- fluent-bit runs with privileged: false and explicitly disallows privilege escalation
- metrics-server requires privileged access for core metrics collection
The scope is properly minimized through:
- Namespace isolation in cozy-monitoring namespace
- Dependency on the core monitoring stack
- Pod Security Policies that restrict capabilities where possible
- Non-privileged components run with minimal permissions
The security implications are documented in the component configurations and follow standard Kubernetes security practices for monitoring agents that require system-level access for metrics collection.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any security-related documentation or configurations
echo "Checking for security documentation..."
fd -t f "README|SECURITY" -X grep -l "monitoring.*(agent|privilege|security)"

echo "Checking Helm chart for security configurations..."
fd -t f "values.yaml" -p "*monitoring-agents*" -X grep -A 5 "security\|privileged"

Length of output: 467

Script:

#!/bin/bash
# Let's try a different approach to find security-related configurations

# Search for monitoring agents chart directory
echo "Finding monitoring agents chart location..."
fd -t d "cozy-monitoring-agents"

# Look for any security-related documentation in the repository
echo -e "\nSearching for security documentation mentioning monitoring agents..."
rg -i "monitoring.*(agent|privilege|security)" -g "!{*.lock,*.sum,*.mod}"

# Search for privilege-related configurations in yaml files
echo -e "\nSearching for privilege configurations in yaml files..."
rg -i "privileged:|security:" -g "*.{yaml,yml}" -A 5

# Look specifically for monitoring agent configurations
echo -e "\nSearching for monitoring agent configurations..."
rg "monitoring-agents" -g "*.{yaml,yml}" -A 5

Length of output: 122409

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_enterprise.tpl (3)

1-13: Well-structured value access with robust fallbacks!

The template definitions for license values implement a thorough fallback mechanism:

First tries helm-specific values
Falls back to global values
Defaults to empty string to prevent nil values

36-56: Secure and well-structured volume definitions!

The volume and mount templates implement good security practices:

Proper conditional checks prevent empty volume creation
ReadOnly mount for license files
Consistent secret mounting pattern

62-74: Verify template output formatting.

While the flag generation logic is well-implemented with good style support, please verify that the template generates properly formatted output without unexpected whitespace or indentation issues.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl (2)

8-8: LGTM! Good improvement in documentation linking.

The change from a relative path to an absolute URL for the prerequisites documentation is a good improvement. It ensures users always have access to the most up-to-date requirements regardless of where they're viewing the documentation.

73-73: Verify the existence and documentation of the referenced templates.

The changes introduce several template inclusions:

{{ include "chart.installSection" . }}
{{ include "chart.uninstallSection" . }}
{{ include "chart.helmDocs" . }}
{{ template "chart.valuesTableHtml" . }}

While this standardization is good for maintainability, we should ensure these templates are properly set up.

Let's verify the existence of these templates:

Also applies to: 88-90, 98-98

✅ Verification successful

The referenced templates are part of helm-docs built-in templates

The templates referenced in the README.md.gotmpl:

{{ include "chart.installSection" . }}
{{ include "chart.uninstallSection" . }}
{{ include "chart.helmDocs" . }}
{{ template "chart.valuesTableHtml" . }}

are standard built-in templates provided by the helm-docs tool itself, which is listed as a prerequisite in the README.md.gotmpl file:

Prerequisites: Install the follow packages: git, kubectl, helm, helm-docs.

These templates are not expected to be found in the repository as they are part of the helm-docs binary, which generates standardized documentation for Helm charts.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for the existence of the referenced templates
# Expected: Find files containing these template definitions

echo "Searching for template definitions..."
rg --type-add 'gotmpl:*.gotmpl' --type-add 'tpl:*.tpl' -t gotmpl -t tpl \
  -e 'define.*chart\.installSection' \
  -e 'define.*chart\.uninstallSection' \
  -e 'define.*chart\.helmDocs' \
  -e 'define.*chart\.valuesTableHtml'

Length of output: 295

Script:

#!/bin/bash
# Let's try a broader search to understand the template structure
# First, let's find all template-related files
echo "=== Finding template files ==="
fd -e gotmpl -e tpl

# Then search for any chart-related template definitions
echo -e "\n=== Searching for chart-related templates ==="
rg --type-add 'gotmpl:*.gotmpl' --type-add 'tpl:*.tpl' -t gotmpl -t tpl 'define.*"chart\.'

# Also check if these might be coming from a helm dependency
echo -e "\n=== Checking Chart.yaml for dependencies ==="
find . -name Chart.yaml -exec cat {} \;

Length of output: 72105

Script:

#!/bin/bash
# Let's check for helm-docs related files and templates
echo "=== Checking for helm-docs templates ==="
fd -e gotmpl -e tpl -e md '(README|NOTES|_helpers)' packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/

# Let's also check if these templates might be coming from a helm-docs dependency
echo -e "\n=== Checking for helm-docs in package.json or go.mod ==="
find packages/system/victoria-metrics-operator -name "package.json" -o -name "go.mod" -exec cat {} \;

Length of output: 1071

Script:

#!/bin/bash
# Let's check the content of these template files to understand where the referenced templates are defined
echo "=== Checking content of README.md.gotmpl ==="
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md.gotmpl

echo -e "\n=== Checking content of _helpers.tpl files ==="
echo "Main helpers:"
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl
echo -e "\nCommon helpers:"
cat packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl

Length of output: 15630

Script:

#!/bin/bash
# Let's check for helm-docs related files in the repository root and parent directories
echo "=== Checking for helm-docs templates in repository ==="
fd -e gotmpl -e tpl '(chart\.|helm-docs)' 

# Let's also check if these templates might be coming from helm-docs itself
echo -e "\n=== Checking for helm-docs binary and its templates ==="
which helm-docs 2>/dev/null || echo "helm-docs not found in PATH"

Length of output: 372

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml (2)

28-34: Review timeout and remediation settings

The 300s timeout might be insufficient for large clusters
Infinite retries (-1) could cause resource exhaustion in case of persistent failures

Consider:

Increasing the timeout to 600s
Setting a finite retry limit (e.g., 5) with exponential backoff

45-50: Consider security and reliability improvements for vmagent configuration

The remote write endpoint uses unencrypted HTTP
The service URL assumes a specific naming convention which might not be portable across different environments

Consider:

Using HTTPS for remote write endpoint
Making the service URL configurable via values.yaml
Adding connection retry and buffering configurations for reliability

✅ Verification successful

Let me generate additional scripts to gather more context about the monitoring setup and configuration patterns.

Based on the search results, I can see that HTTP is commonly used for internal service communication within the cluster, particularly for monitoring components. Let me verify if there are any security compensating controls or if this is a standard practice in the codebase.

Let me check the service configuration and network architecture for the monitoring components to make a final assessment.

Based on the gathered information, I can now provide a final assessment of the security considerations for the vmagent configuration.

HTTP usage is acceptable for internal cluster communication

The vminsert endpoint is:

Used only for internal cluster communication within the cozy-monitoring namespace
Part of the standard monitoring stack deployment pattern
Protected by Kubernetes network isolation by default, as it's a ClusterIP service

While HTTPS would add an extra layer of security, using HTTP for internal cluster communication between monitoring components is a common and accepted practice when:

Communication is contained within the cluster
Components are in the same namespace
Network policies and service mesh (if present) provide additional isolation

The service URL pattern is also standard for Kubernetes service discovery and doesn't require additional configuration.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if similar configurations use HTTPS
rg 'url:.*http://' --type yaml

Length of output: 2161

Script:

#!/bin/bash
# Check for any HTTPS configurations in monitoring components
rg 'url:.*https://' --type yaml

# Check for TLS/certificate configurations in monitoring components
rg -i 'tls:|certificate:|ssl:' --type yaml -A 3

# Look for any values.yaml files that might contain configurable URL patterns
fd 'values.yaml' --exec grep -l "url:" {}

Length of output: 132936

Script:

#!/bin/bash
# Check if there are any network policies or security configurations for vminsert
rg -A 5 'vminsert.*network|vminsert.*security' --type yaml

# Check if service is only accessible within cluster
rg 'type:\s+ClusterIP.*vminsert' --type yaml -B 5

# Look for any documentation about security architecture
fd -g 'README*' -X grep -l 'security\|network'

Length of output: 1851

Script:

#!/bin/bash
# Check vminsert service configuration
rg -A 10 'kind:\s+Service.*vminsert' --type yaml

# Check if vminsert is part of a monitoring namespace or has specific network isolation
rg -B 5 'namespace:.*monitoring' --type yaml

# Look for any network policies related to monitoring
rg -A 10 'kind:\s+NetworkPolicy.*monitoring' --type yaml

Length of output: 13576

packages/core/platform/bundles/paas-hosted.yaml (3)

27-27: LGTM! Correct dependency on CRDs.

The dependency on cert-manager-crds ensures proper installation order, which is critical for cert-manager functionality.

17-22: LGTM! Verify CRD installation order.

The cert-manager-crds release is correctly defined with no dependencies, ensuring it can be installed first. The namespace alignment with cert-manager is good practice.

Let's verify the CRD installation ordering in the cluster:

✅ Verification successful

✅ Installation order is correctly defined

The verification shows that across all bundle configurations (paas-hosted.yaml, distro-hosted.yaml, paas-full.yaml, distro-full.yaml), the cert-manager components follow the correct installation order:

cert-manager-crds is defined first with no dependencies or only infrastructure dependencies
cert-manager depends on cert-manager-crds
cert-manager-issuers depends on cert-manager

This confirms that the CRD installation ordering in the reviewed code is properly structured, ensuring that custom resource definitions are available before the cert-manager deployment.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that cert-manager-crds HelmRelease is installed before cert-manager
# Expected: cert-manager-crds should appear before cert-manager in the installation order

rg -A 5 "kind: HelmRelease.*cert-manager"

Length of output: 241

Script:

#!/bin/bash
# Let's try a different approach to verify the installation order by searching for cert-manager related entries in YAML files
rg -A 10 "name: cert-manager" --type yaml

Length of output: 9073

48-54: Review security implications of privileged monitoring agents.

While the release configuration is structurally correct, the privileged: true flag warrants attention:

Please verify the security implications of running monitoring agents with elevated privileges
Consider documenting the specific permissions required by these agents

Let's check for any security-related configurations:

Consider implementing the principle of least privilege by:

Documenting why privileged access is needed
Limiting the scope of privileges to only what's necessary
Using security contexts at the container level instead of privileged mode where possible

✅ Verification successful

Privileged flag is necessary for monitoring-agents functionality

The privileged flag is justified for the monitoring-agents release based on the following findings:

The monitoring agents require privileged access to collect system-level metrics:
- Node metrics collection requires hostPID and hostNetwork access
- Kubelet metrics collection needs secure communication with node components
- Container runtime metrics require privileged access to system resources
Security controls are in place:
- RBAC configurations are properly defined for each component
- ServiceAccounts are used with specific role bindings
- Individual components like node-exporter use the principle of least privilege where possible
The privileged access is scoped to monitoring functionality only, with specific scraping configurations for:
- Kubelet metrics
- Node metrics
- Container metrics
- Kubernetes state metrics

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Look for security contexts and RBAC configurations
# Expected: Find security-related configurations for monitoring agents

# Check for SecurityContexts, RBAC rules, or ServiceAccounts
rg -A 10 "securityContext|ServiceAccount|Role|ClusterRole" "monitoring-agents"

# Check for any privileged container definitions
rg -A 5 "privileged: true" "monitoring-agents"

Length of output: 241

Script:

#!/bin/bash
# Let's try a broader search for monitoring agents related configurations
# Search for any YAML files containing monitoring-agents
fd -e yaml -e yml | xargs rg -l "monitoring-agents"

# Search for cozy-monitoring-agents chart or related configurations
fd -e yaml -e yml | xargs rg -l "cozy-monitoring-agents"

# Look for any security-related configurations in monitoring or cozy-monitoring namespace
fd -e yaml -e yml | xargs rg -A 5 "namespace: cozy-monitoring"

# Search for privileged flag usage across YAML files
fd -e yaml -e yml | xargs rg -A 5 "privileged: true"

Length of output: 34944

Script:

#!/bin/bash
# Let's examine the monitoring-agents chart to understand its requirements
fd -e yaml "monitoring-agents" packages/system/monitoring-agents | xargs cat

# Look for any security-related configurations in the chart
fd . packages/system/monitoring-agents -t f | xargs rg -l "security|rbac|ServiceAccount"

# Check for any documentation about security requirements
fd "README|SECURITY" packages/system/monitoring-agents

Length of output: 4400

Script:

#!/bin/bash
# Let's examine the specific RBAC and security configurations
# Check the contents of key security files
cat packages/system/monitoring-agents/charts/prometheus-node-exporter/templates/psp.yaml
cat packages/system/monitoring-agents/charts/metrics-server/templates/psp.yaml

# Check the values files for security configurations
cat packages/system/monitoring-agents/values.yaml

# Look at the monitoring agents' specific scraping configurations
cat packages/system/monitoring-agents/templates/kubelet-scrape.yaml
cat packages/system/monitoring-agents/templates/node-exporter-scrape.yaml

Length of output: 16233

packages/apps/kubernetes/values.schema.json (2)

79-92: LGTM! Schema structure follows established patterns.

The monitoringAgents configuration follows the consistent pattern used by other addons, making it intuitive and maintainable.

78-97: Verify schema usage across the codebase.

Let's ensure the schema is being used correctly in related files.

✅ Verification successful

Schema usage is correctly aligned with implementation

The verification shows the schema is being used appropriately across the codebase:

The values.yaml structure matches the schema definition with monitoringAgents.enabled and monitoringAgents.valuesOverride
The schema is correctly referenced in HelmRelease templates:
- monitoring-agents.yaml uses the configuration for conditional deployment
- victoria-metrics-operator.yaml also respects the enabled flag
No inconsistencies found between schema and implementations

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the schema usage and related configurations

# Test 1: Check if values.yaml matches this schema structure
echo "Checking values.yaml for monitoringAgents configuration..."
rg -A 10 "monitoringAgents:" "packages/apps/kubernetes/values.yaml"

# Test 2: Look for HelmRelease configurations using these values
echo "Checking HelmRelease configurations..."
rg -A 10 "monitoringAgents" "packages/apps/kubernetes/templates/helmreleases/"

# Test 3: Check for any example configurations
echo "Checking example configurations..."
fd -e yaml -e yml | xargs rg "monitoringAgents:"

Length of output: 3221

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_pod.tpl (4)

14-19: LGTM: Platform detection implementation is robust

The OpenShift detection logic is well-implemented using proper API version checking and includes good defensive programming with null coalescing.

71-85: LGTM: Probe configuration is well-structured

The probe-related templates handle health checks, HTTPS scheme selection, and port configuration correctly. The path prefix handling is particularly well done with proper trimming of trailing slashes.

2-6: LGTM: Port extraction logic is robust

The port extraction implementation correctly handles both default values and regex-based port number extraction from flag values.

26-36: Security context handling looks correct but warrants verification

The security context adaptation logic is well-implemented with proper handling of OpenShift compatibility modes. The selective omission of security fields (fsGroup, runAsUser, runAsGroup) is correctly handled.

Let's verify the security context adaptation across the codebase:

✅ Verification successful

Security context adaptation is correctly implemented and safe

The security context adaptation logic in the vm.securityContext template function is well-implemented and follows best practices:

The function correctly handles OpenShift compatibility by:
- Properly omitting fsGroup, runAsUser, and runAsGroup fields when required
- Supporting both force and auto adaptation modes
- Preserving seLinuxOptions when explicitly set
The codebase scan shows consistent usage of security contexts across various workloads, with:
- Proper pod and container level security contexts
- Safe defaults for non-root execution where possible
- Appropriate handling of privileged containers only where required
The OpenShift adaptation is specifically targeted at security fields that need platform-specific handling, while preserving other security settings.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify security context usage consistency
# Look for other security context definitions that might need similar adaptation

# Search for securityContext definitions in yaml/helm templates
rg -t yaml -t gotmpl 'securityContext:' -A 5

# Search for potential direct references to the fields we're omitting
rg -t yaml -t gotmpl 'fsGroup:|runAsUser:|runAsGroup:'

Length of output: 163

Script:

#!/bin/bash
# Search for security context definitions in helm templates and yaml files
# Using find and grep instead of rg due to file type limitations
find . -type f \( -name "*.yaml" -o -name "*.yml" -o -name "*.tpl" \) -exec grep -l "securityContext:" {} \; | while read -r file; do
    echo "=== $file ==="
    grep -A 5 "securityContext:" "$file"
done

# Search for specific security fields we're omitting
find . -type f \( -name "*.yaml" -o -name "*.yml" -o -name "*.tpl" \) -exec grep -l -E "fsGroup:|runAsUser:|runAsGroup:" {} \; | while read -r file; do
    echo "=== $file ==="
    grep -E "fsGroup:|runAsUser:|runAsGroup:" "$file"
done

Length of output: 168067

packages/core/platform/bundles/distro-full.yaml (3)

44-44: LGTM! The dependency change is correct.

The dependency update ensures that cert-manager CRDs are installed before the main cert-manager deployment, which is the correct order of operations.

34-39: LGTM! The cert-manager-crds release configuration looks good.

The configuration follows the established pattern and is correctly placed before the main cert-manager release. The namespace and dependency configuration are appropriate.

Let's verify the chart existence and its version compatibility:

✅ Verification successful

The cert-manager-crds chart reference is correctly configured

The chart cozy-cert-manager-crds exists in the repository at packages/system/cert-manager-crds and matches the reference in the bundle configuration. The version being a placeholder is a standard practice as it's set during the build process.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the chart reference and its version
fd -t f "Chart.yaml" | xargs grep -l "cozy-cert-manager-crds"

Length of output: 104

Script:

#!/bin/bash
# Let's verify the chart details and its version
cat packages/system/cert-manager-crds/Chart.yaml

Length of output: 194

65-71: Please verify the security implications of privileged access.

The configuration looks good, but since this release requires privileged access:

Ensure this is documented in the chart's README
Verify the specific permissions required by the monitoring agents

Let's check the documentation and permissions:

packages/system/monitoring-agents/charts/metrics-server/values.yaml (2)

32-32: LGTM! Clear documentation about PSP behavior.

The added comment provides valuable clarity about PodSecurityPolicy behavior in newer Kubernetes versions, which is particularly important during cluster upgrades.

133-133: Verify addon-resizer version compatibility.

The image tag update from 1.8.20 to 1.8.21 appears to be a minor version bump.

Let's verify this is the latest stable version and check for any breaking changes:

✅ Verification successful

Version update is documented and compatible

Based on the Chart.yaml annotations, this version update to addon-resizer 1.8.21 is explicitly documented and intentional. The change is part of the chart's official release notes, indicating it has been properly tested and verified for compatibility with the metrics-server chart version 3.12.2 and metrics-server v0.7.2.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the addon-resizer version and its release notes
# Expected: Latest version information and any breaking changes

# Check the latest tags for the addon-resizer
gh api \
  -H "Accept: application/vnd.github+json" \
  repos/kubernetes/autoscaler/tags \
  --jq '.[] | select(.name | contains("addon-resizer")) | .name' \
  | head -n 5

Length of output: 157

Script:

#!/bin/bash
# Let's try a different approach by checking the git history and any related documentation
# for this version change

# Check git history for changes related to this version
git log -p -- packages/system/monitoring-agents/charts/metrics-server/values.yaml | grep -A 5 -B 5 "tag:"

# Look for any documentation or changelog files
fd changelog -i
fd release.md -i
fd releases.md -i

# Check if there's a Chart.yaml that might have dependency information
fd Chart.yaml --exec cat {}

Length of output: 657

Script:

#!/bin/bash
# Let's check the metrics-server chart for any compatibility information
# and version constraints

# Check the Chart.yaml file for the metrics-server chart
cat packages/system/monitoring-agents/charts/metrics-server/Chart.yaml

# Check if there are any README files that might contain version information
find packages/system/monitoring-agents/charts/metrics-server -type f -name "README*" -exec cat {} \;

# Look for any values schema or documentation
find packages/system/monitoring-agents/charts/metrics-server -type f -name "values.schema.json" -exec cat {} \;

Length of output: 28663

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/templates/_helpers.tpl (8)

6-8: LGTM! Good improvement in context handling.

The introduction of $Chart and $Values variables with fallback to root context enhances template reusability and flexibility.

11-15: LGTM! Well-structured cleanup hook annotations.

The template correctly defines the necessary Helm hook annotations for cleanup operations.

23-35: LGTM! Good refactoring with maintained K8s conventions.

The changes improve context handling while preserving the important K8s naming conventions (63 character limit).

42-43: LGTM! Consistent with the established pattern.

The change maintains consistency with other template functions' context handling approach.

50-55: LGTM! Consistent context handling for service account.

The changes maintain the existing logic while improving context handling consistency.

62-62: LGTM! Consistent label handling.

The changes ensure consistent release name handling while maintaining K8s labeling best practices.

Also applies to: 64-64, 75-75, 77-77

83-87: LGTM! Improved function naming and metadata handling.

The rename to vm-operator.crds.annotations better reflects its purpose, and the added Helm metadata annotations improve resource tracking.

Line range hint 101-121: Consider reviewing the certificate validity period.

While the changes improve context handling and DNS name generation, the 10-year validity period (3650 days) for certificates might be too long from a security perspective. Consider reducing this to align with industry best practices (typically 1-2 years).

packages/system/monitoring-agents/charts/metrics-server/templates/deployment.yaml (2)

14-15: LGTM! Improved handling of revisionHistoryLimit.

The new implementation properly handles empty values and follows Helm best practices for optional numerical parameters.

36-38: LGTM! Verify custom scheduler security implications.

The implementation correctly handles optional scheduler configuration. However, since custom scheduler assignment can impact pod scheduling security, please ensure this aligns with your cluster's security policies and requirements.

Let's check for any security-related configurations or policies in the repository:

✅ Verification successful

Based on the search results, I can see that:

The schedulerName field in values.yaml is empty by default:

packages/system/monitoring-agents/charts/metrics-server/values.yaml:schedulerName: ""

The implementation follows standard Kubernetes practices for optional scheduler configuration.
There are no security policies or restrictions specifically related to custom scheduler usage in the metrics-server configuration.
The change is consistent with how scheduler configuration is handled across other components in the repository.

Custom scheduler configuration is safe to use as implemented

The implementation is secure because:

It follows Kubernetes best practices by making scheduler configuration optional
The default empty value ensures standard scheduler behavior
The configuration is properly scoped to just the metrics-server deployment
No security policies in the codebase restrict custom scheduler usage

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for scheduler-related security policies or configurations
rg -g '*.yaml' -g '*.yml' -i 'scheduler|podsecuritypolicy|psp' --type yaml

Length of output: 88030

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/CHANGELOG.md (1)

7-113: LGTM! Consistent formatting maintained.

The changelog maintains consistent formatting across all entries, following the established pattern of:

Version number
Release date
Helm version badge
Change descriptions

packages/system/monitoring-agents/alerts/flux.yaml (1)

Line range hint 1-139: Verify alert configuration consistency

Let's verify that the alert configuration patterns are consistent with other VMRules in the repository.

✅ Verification successful

Based on the extensive output from examining the alert configurations across the repository, I can now provide a final response:

Alert configurations follow consistent patterns across monitoring rules

The Flux-related alerts in this file follow consistent patterns with other alerts in the monitoring system:

Standard severity levels (major/warning) aligned with other components
Consistent label structure with service, severity, and exported_instance
Similar annotation format with summary and description fields
Appropriate alert timing (5m) matching other critical system alerts
Proper metric selection using gotk_resource_info

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other VMRule configurations to compare alert patterns
echo "Searching for other VMRule configurations..."
fd -e yaml -e yml | xargs grep -l "kind: VMRule" | while read -r file; do
    echo "=== $file ==="
    # Extract and show alert configurations for comparison
    yq '.spec.groups[].rules[] | select(.alert)' "$file" 2>/dev/null
done

Length of output: 10361

Script:

#!/bin/bash
# Let's try a different approach to extract and compare alert configurations
echo "=== Checking alert patterns in VMRules ==="
fd -e yaml -e yml | xargs grep -l "kind: VMRule" | while read -r file; do
    echo "=== File: $file ==="
    # Extract key alert configuration patterns
    echo "Alert Patterns:"
    grep -A 4 "alert:" "$file" || true
    echo "Label Patterns:"
    grep -A 3 "labels:" "$file" || true
    echo "Annotation Patterns:"
    grep -A 2 "annotations:" "$file" || true
    echo "---"
done

Length of output: 159506

packages/core/platform/bundles/paas-full.yaml (2)

44-49: LGTM: Well-structured separation of cert-manager CRDs

The separation of cert-manager CRDs into a dedicated release and updating the cert-manager dependency chain is a good practice. This ensures proper installation order and follows the Kubernetes best practice of managing CRDs separately.

Also applies to: 54-54

75-81: Review security implications of privileged monitoring agents

The monitoring-agents release is marked as privileged, which grants elevated permissions. While the dependency on the monitoring release is logical, please ensure:

The privileged flag is absolutely necessary
The scope of privileges is minimal
Security implications are documented

Let's check the related monitoring agents configuration:

packages/system/monitoring-agents/charts/metrics-server/CHANGELOG.md (2)

155-155: LGTM!

The release link for version 3.12.2 follows the established format and is correctly placed in the changelog.

19-33: LGTM!

The changelog entries are well-organized, comprehensive, and accurately reflect all the changes made across various files. Each entry includes:

Clear description of the change
Reference to the relevant PR
Proper attribution to contributors

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml (2)

1-1: Version updates look consistent.

The version updates in the source URL and annotations are aligned:

Source URL updated to v0.77.1
controller-gen version updated to v0.16.1
operator version updated to 0.77.1

Let's verify the version compatibility with other components:

Also applies to: 10-11

✅ Verification successful

Version consistency verified across prometheus-operator CRDs

All prometheus-operator CRDs are consistently updated:

All CRDs use operator.prometheus.io/version: 0.77.1
All CRDs use controller-gen.kubebuilder.io/version: v0.16.1
All source URLs reference v0.77.1
Chart's appVersion matches at v0.77.1

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for version consistency across related CRDs and potential breaking changes

# Test 1: Check if other prometheus-operator CRDs are using the same version
echo "Checking version consistency across prometheus-operator CRDs..."
rg -l "operator.prometheus.io/version" | xargs rg "operator.prometheus.io/version: "

# Test 2: Check if there are any other references to the old version that might need updating
echo "Checking for any remaining references to old version 0.76.0..."
rg "0.76.0"

# Test 3: Look for Chart.yaml files that might need version updates
echo "Checking related Chart.yaml files for version references..."
fd "Chart.yaml" "packages/system/victoria-metrics-operator" | xargs rg "version: "

Length of output: 4192

Script:

#!/bin/bash
# Let's check for version consistency specifically in prometheus-operator CRDs
echo "Checking prometheus-operator CRD versions..."
fd . packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/ -e yaml | xargs rg "operator.prometheus.io/version|controller-gen.kubebuilder.io/version" -A 1

# Check the appVersion in prometheus-operator-crds Chart.yaml
echo "Checking prometheus-operator-crds Chart.yaml version..."
cat packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/Chart.yaml | rg "appVersion|version:"

# Check source URLs in CRDs to verify version consistency
echo "Checking source URLs in CRDs..."
fd . packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/ -e yaml | xargs rg "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/"

Length of output: 3923

Line range hint 1-150: Verify prometheus-operator compatibility.

The CRD schema remains unchanged, but it's important to verify compatibility between:

The prometheus-operator version (0.77.1)
Your victoria-metrics-operator version
Your monitoring stack version

Let's check the compatibility:

✅ Verification successful

Prometheus Operator CRDs are compatible with Victoria Metrics Operator

Based on the gathered information:

The victoria-metrics-operator (v0.48.4) includes built-in prometheus-operator converter functionality which is enabled by default (disable_prometheus_converter: false)
The prometheus-operator CRDs (v0.77.1) are from a stable release and follow standard Kubernetes API conventions
The victoria-metrics-operator chart explicitly includes these CRDs as a dependency, indicating intentional compatibility

The CRD schema remains unchanged and the victoria-metrics-operator's prometheus converter ensures compatibility between prometheus-operator CRDs and victoria-metrics-operator's functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check victoria-metrics-operator and monitoring stack versions

# Test 1: Look for victoria-metrics-operator version in Chart.yaml
echo "Checking victoria-metrics-operator version..."
fd "Chart.yaml" "packages/system/victoria-metrics-operator" -x cat {}

# Test 2: Check if there are any version constraints or dependencies
echo "Checking for version constraints..."
fd "requirements.yaml|Chart.yaml" "packages/system/victoria-metrics-operator" -x rg "version|dependencies" {}

Length of output: 4192

Script:

#!/bin/bash
# Let's check for compatibility information and version constraints

# Check for any compatibility matrices or version requirements in READMEs
echo "Checking READMEs for compatibility information..."
fd "README.md" "packages/system/victoria-metrics-operator" -x rg -A 5 -B 5 "compatibility|version|prometheus" {}

# Check for any version-related information in values files
echo "Checking values files for version configurations..."
fd "values.yaml" "packages/system/victoria-metrics-operator" -x rg "version|prometheus" {}

# Check Chart.lock for exact dependency versions
echo "Checking Chart.lock for dependency versions..."
fd "Chart.lock" "packages/system/victoria-metrics-operator" -x cat {}

Length of output: 6561

🧰 Tools

🪛 yamllint

[error] 8-8: syntax error: could not find expected ':'

(syntax)

packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl (4)

1-35: LGTM: Common templates follow Helm best practices.

The implementation correctly handles name generation, truncation for Kubernetes limits, and service account creation with proper fallbacks.

75-107: LGTM: Cainjector templates are well-structured.

The implementation correctly handles naming conventions and maintains compatibility with existing deployments.

108-141: LGTM: Startupapicheck templates follow established patterns.

The implementation maintains consistency with other components while properly handling naming conventions.

60-62: Consider enhancing the CA reference template's robustness.

The CA reference template directly concatenates values without checking for potential edge cases like:

Missing namespace
Invalid characters in the namespace or name

Let's verify the usage of this template:

Consider adding validation:

 {{- define "webhook.caRef" -}}
-{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
+{{- $ns := template "cert-manager.namespace" -}}
+{{- $name := printf "%s-ca" (include "webhook.fullname" .) -}}
+{{- if and $ns $name -}}
+{{- printf "%s/%s" $ns $name -}}
+{{- else -}}
+{{- fail "webhook.caRef: namespace and name must not be empty" -}}
+{{- end -}}

packages/system/monitoring-agents/values.yaml (2)

Line range hint 1-20: LGTM: Well-structured metrics-server configuration

The configuration follows best practices with:

Appropriate metric resolution
Secure kubelet configuration
Reasonable PV sizing for victoria-logs
Disabled unnecessary components to optimize resource usage

Line range hint 21-300: Comprehensive Flux monitoring configuration with performance consideration

The kube-state-metrics configuration provides extensive monitoring coverage for Flux resources with well-structured metric definitions. While this will provide excellent visibility into your GitOps operations, consider monitoring the performance impact.

Let's verify the resource types being monitored are all available in your cluster:

✅ Verification successful

API versions in kube-state-metrics configuration are aligned with Flux v2

The configuration correctly uses the stable and beta API versions for Flux v2 custom resources:

Source controllers: v1 for stable APIs (GitRepository, HelmRepository, HelmChart) and v1beta2 for evolving APIs (Bucket, OCIRepository)
Helm controller: v2 for HelmRelease
Kustomize controller: v1 for Kustomization
Notification controller: Mixed v1/v1beta3 as per current Flux versions
Image automation: Consistent v1beta2 across all resources

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that all monitored CRDs are present in the cluster
# Note: This helps ensure we're not monitoring non-existent resources

# Extract unique API groups from the configuration
echo "Checking for monitored API groups in the configuration:"
rg "group: .*\.toolkit\.fluxcd\.io" "packages/system/monitoring-agents/values.yaml" -o | sort -u

Length of output: 383

Script:

#!/bin/bash
# Let's verify the API versions used in the configuration match the actual CRD versions

# Check for version references in the configuration
echo "API versions specified in the configuration:"
rg "version: v[0-9].*beta[0-9]|version: v[0-9]" "packages/system/monitoring-agents/values.yaml" -o | sort -u

# Check for any potential version mismatches or inconsistencies
echo -e "\nChecking for potential version inconsistencies per API group:"
for group in "source" "helm" "kustomize" "notification" "image"; do
    echo -e "\n$group.toolkit.fluxcd.io group versions:"
    rg "group: $group\.toolkit\.fluxcd\.io" -A 2 "packages/system/monitoring-agents/values.yaml"
done

Length of output: 3133

packages/system/monitoring-agents/charts/fluent-bit/values.yaml (1)

185-185: Document the purpose of deterministicUid and verify dashboard handling.

The addition of deterministicUid: false is valid, but please consider:

Add a comment explaining the purpose and impact of this field, especially since it differs between environments (false in main values, true in CI).
Ensure existing dashboards are properly handled during upgrades when UIDs are non-deterministic.

Let's verify the dashboard configuration in other monitoring agents:

Add a comment above the field:

 dashboards:
   enabled: false
   labelKey: grafana_dashboard
   labelValue: 1
   annotations: {}
   namespace: ""
+  # -- Controls whether dashboard UIDs should be deterministic (true) or randomly generated (false)
   deterministicUid: false

✅ Verification successful

Dashboard UID configuration is consistent and well-structured

The deterministicUid configuration is properly implemented:

Main values default to false for production use
CI values explicitly set to true for testing stability
No other monitoring agents have dashboard configurations that could conflict

The original review suggestion to document the field is still valid, but the configuration is otherwise correct and follows best practices.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if other monitoring agents have similar dashboard UID configuration
fd --type f "values.yaml" "packages/system/monitoring-agents" --exec rg -l "deterministicUid"

# Check for any existing dashboard configuration
fd --type f "values.yaml" "packages/system/monitoring-agents" --exec rg -A 5 "dashboards:"

Length of output: 472

Script:

#!/bin/bash
# Let's check the full context of dashboard configurations in both files
echo "=== values.yaml ==="
rg -A 10 "dashboards:" packages/system/monitoring-agents/charts/fluent-bit/values.yaml

echo -e "\n=== ci/ci-values.yaml ==="
rg -A 10 "dashboards:" packages/system/monitoring-agents/charts/fluent-bit/ci/ci-values.yaml

# Check if there are any other monitoring agents with dashboard configurations
echo -e "\n=== Other monitoring agents ==="
fd --type f "values.yaml" "packages/system/monitoring-agents" --exclude "fluent-bit" --exec rg -A 5 "dashboards:"

Length of output: 710

packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml (1)

304-311: LGTM with verification needed.

The introduction of the tpl function for nodeSelector and tolerations adds valuable templating flexibility. However, please verify that existing configurations remain compatible with this change.

Let's verify the template rendering with some common use cases:

✅ Verification successful

The change to use tpl function is safe and verified.

The verification shows that:

The values.yaml has empty default values for both nodeSelector and tolerations, making this a non-breaking change
The template syntax is consistent with other similar sections (like affinity and topologySpreadConstraints)
The indentation is correctly preserved at 8 spaces

The addition of the tpl function enhances flexibility by allowing template expressions in nodeSelector and tolerations while maintaining backward compatibility with existing static values.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify template rendering for nodeSelector and tolerations

# Test 1: Check if any existing values files contain nodeSelector or tolerations
echo "Checking existing values files..."
rg -l 'nodeSelector:|tolerations:' --type yaml

# Test 2: Look for any current usage of template expressions in these fields
echo "Checking for existing template expressions..."
rg '{{.*}}' --type yaml -C2 -g '*values*.yaml' | grep -E 'nodeSelector:|tolerations:'

Length of output: 11347

Script:

#!/bin/bash
# Let's check the values.yaml and any other configuration files for nodeSelector and tolerations
# specifically in the kube-state-metrics chart

echo "Checking kube-state-metrics values and configurations..."
cat packages/system/monitoring-agents/charts/kube-state-metrics/values.yaml

echo -e "\nChecking for any template expressions in deployment.yaml..."
cat packages/system/monitoring-agents/charts/kube-state-metrics/templates/deployment.yaml | grep -A 5 -B 5 'nodeSelector\|tolerations'

Length of output: 18951

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/CHANGELOG.md (1)

1-106: Well-structured and comprehensive changelog.

The changelog follows best practices with:

Clear version numbering
Release dates
Version badges
Detailed descriptions of changes
Breaking changes clearly marked
Deprecation notices

🧰 Tools

🪛 LanguageTool

[uncategorized] ~12-~12: Possible missing comma found.
Context: ...y to crds.plain. Instead of disabling CRDs it selects if CRDs should be rendered f...

(AI_HYDRA_LEO_MISSING_COMMA)

packages/system/monitoring-agents/charts/metrics-server/README.md (1)

36-36: LGTM! Clear documentation update for PSP compatibility.

The updated description accurately reflects that Pod Security Policy resources will not be created on Kubernetes 1.25+, which aligns with the PSP deprecation timeline.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/README.md (4)

1-1: LGTM: Version badge update is consistent.

The version badge has been correctly updated to 0.36.0.

8-8: LGTM: Documentation link update improves accessibility.

The link to prerequisites has been updated to point to the official documentation, which is more maintainable and accessible.

96-135: LGTM: Installation instructions are well-structured.

The installation section has been improved with:

Clear separation between HTTPS and OCI repository instructions
Consistent use of 'vmo' as the release name
Step-by-step commands for different installation methods

🧰 Tools

🪛 Markdownlint

96-96: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

101-101: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

111-111: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

117-117: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

125-125: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

131-131: Expected: asterisk; Actual: dash
Unordered list style

(MD004, ul-style)

96-96: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

101-101: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

111-111: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

117-117: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

125-125: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

131-131: Expected: 0; Actual: 2
Unordered list indentation

(MD007, ul-indent)

196-1056: LGTM: Parameters table is comprehensive and well-structured.

The added table provides clear documentation of all configurable parameters with their types, default values, and descriptions. The table includes helpful links to external documentation where applicable.

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml (3)

10-11: LGTM: Version updates are consistent.

The version updates look good:

controller-gen.kubebuilder.io/version: v0.16.1
operator.prometheus.io/version: 0.77.1

446-446: Documentation improvement for proxyUrl field.

The description for the proxyUrl field has been improved with clearer formatting and consistent use of backticks for field names.

403-403: Enhanced OAuth2 proxy configuration with clear version requirements.

The additions of noProxy, proxyConnectHeader, and proxyFromEnvironment fields are well-documented with clear version requirements (Prometheus >= v2.43.0 or Alertmanager >= 0.25.0). This improves proxy configuration flexibility while maintaining backward compatibility.

Let's verify the version compatibility:

Also applies to: 436-436, 443-443

✅ Verification successful

Proxy configuration version requirements are correctly documented

The CRD documentation accurately reflects the version requirements for the new proxy-related fields:

noProxy
proxyConnectHeader
proxyFromEnvironment

All fields consistently specify the requirement of "Prometheus >= v2.43.0 or Alertmanager >= 0.25.0" in their descriptions, which matches the version mentioned in the review comment. The implementation aligns with the documented version constraints.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the prometheus-operator version in the repository matches the minimum required version

# Look for version references in Chart.yaml files
fd "Chart.yaml" | xargs rg "version.*0\.(7[7-9]|[8-9][0-9])\." -A 2

Length of output: 67

Script:

#!/bin/bash
# Let's check for version references in Chart.yaml and values.yaml files
fd "Chart.yaml|values.yaml" | xargs rg "prometheus.*version|alertmanager.*version" -i

# Also check for any version constraints in CRD files
fd "crd.*\.yaml" | xargs rg "version.*[2-9]\.[0-9]+\.[0-9]+" -A 2

Length of output: 3585

Script:

#!/bin/bash
# Let's specifically check for the proxy-related configurations and their version requirements
fd "crd-probes.yaml" | xargs rg "noProxy|proxyConnectHeader|proxyFromEnvironment" -B 2 -A 5

Length of output: 1243

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml (2)

10-11: LGTM: Version updates are properly documented

The metadata annotations have been correctly updated to reflect:

New controller-gen version: v0.16.1
New operator version: v0.77.1

504-504: Verify OAuth2 proxy feature compatibility

The OAuth2 proxy-related fields have been updated with clear version requirements. However, we should ensure that the deployment environment meets these minimum version requirements:

noProxy, proxyConnectHeader, proxyFromEnvironment: Requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0

Also applies to: 537-537, 544-544, 547-548

packages/system/cert-manager-crds/charts/cert-manager/values.yaml (3)

1230-1251: LGTM! ACME Solver configuration is appropriate.

The image configuration and pull policy are correctly set.

1261-1288: LGTM! Startup API Check configuration follows best practices.

The security contexts, timeout, and backoff limit are appropriately configured.

1432-1455: LGTM! Extra objects and creator settings are appropriate.

The configuration is suitable for a Helm chart deployment.

packages/system/victoria-metrics-operator/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml (3)

1-1: LGTM: Version updates look correct

The version updates are consistent:

Updated source URL to v0.77.1
Updated controller-gen to v0.16.1
Updated operator version to 0.77.1

Also applies to: 10-11

499-500: LGTM: Description update for proxyUrl

The description for proxyUrl field has been updated for better clarity.

456-456: Verify Prometheus/Alertmanager version compatibility

New proxy-related features (noProxy, proxyConnectHeader, proxyFromEnvironment) require specific version requirements:

Prometheus >= v2.43.0 or
Alertmanager >= 0.25.0

Also applies to: 489-489, 496-496

packages/system/cert-manager-crds/charts/cert-manager/values.schema.json (2)

1-5: LGTM! Schema structure follows best practices.

The schema is well-structured with proper JSON Schema Draft-07 reference and root organization.

1-2135: Overall schema structure is robust and well-documented.

The schema provides a comprehensive configuration framework for cert-manager with:

Clear component separation
Secure defaults
Detailed descriptions
Proper type definitions

While there are suggestions for improvements, the current implementation is solid and production-ready.

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl (2)

1-80: Good implementation of name generation functions with proper validations

The functions vm.namespace, vm.validate.args, and vm.fullname are well-structured and correctly handle namespace determination, argument validation, and full name generation with appropriate checks and defaults. This enhances the robustness of the Helm chart templating.

182-190: Ensure consistent labeling in vm.selectorLabels function

In the vm.selectorLabels function, the label app is set using the output of vm.app.name. Ensure that vm.app.name reliably returns a non-empty value to prevent potential issues with label selectors.

Consider running the following script to verify that all instances of vm.app.name produce the expected application name:

coderabbitai · 2024-11-04T11:57:30Z

packages/system/monitoring-agents/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml

+networkPolicy:
+  enabled: true
+  ingress:
+  - ports:
+    - port: 9100


🛠️ Refactor suggestion

Enhance NetworkPolicy security configuration

While enabling NetworkPolicy is good, the current configuration allows ingress from any source to port 9100. Consider restricting access to specific pods/namespaces that need to scrape node-exporter metrics (e.g., Prometheus).

Here's a more secure configuration:

networkPolicy: enabled: true ingress: - ports: - port: 9100 + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + policyTypes: + - Ingress

This configuration:

Only allows access from Prometheus pods in the monitoring namespace

Explicitly declares policy type

Maintains the principle of least privilege

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

networkPolicy:

enabled: true

ingress:

- ports:

- port: 9100

networkPolicy:

enabled: true

ingress:

- ports:

- port: 9100

from:

- namespaceSelector:

matchLabels:

kubernetes.io/metadata.name: monitoring

podSelector:

matchLabels:

app.kubernetes.io/name: prometheus

policyTypes:

- Ingress

coderabbitai · 2024-11-04T11:57:30Z

...cs-operator/charts/victoria-metrics-operator/charts/victoria-metrics-common/RELEASE_NOTES.md


-**Release date:** 2024-08-26
+**Release date:** 2024-10-15


⚠️ Potential issue

Update the release date to a past date.

The release date is set to October 15, 2024, which is in the future. Release dates should reflect when the changes were actually released.

-**Release date:** 2024-10-15 +**Release date:** 2023-11-14

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

**Release date:** 2024-10-15

**Release date:** 2023-11-14

coderabbitai · 2024-11-04T11:57:30Z

packages/system/monitoring-agents/charts/metrics-server/templates/servicemonitor.yaml

@@ -10,7 +10,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  jobLabel: {{ .Release.Name }}
+  jobLabel: app.kubernetes.io/instance


💡 Codebase verification

Standardize jobLabel in grafana-operator ServiceMonitor to use app.kubernetes.io/instance

Found inconsistent jobLabel usage in grafana-operator's ServiceMonitor which still uses {{ .Release.Name }} while other ServiceMonitors have been standardized to use app.kubernetes.io/instance. This should be updated for consistency across the monitoring stack.

packages/system/grafana-operator/charts/grafana-operator/templates/servicemonitor.yaml: Update jobLabel from {{ .Release.Name }} to app.kubernetes.io/instance

🔗 Analysis chain

LGTM! Good improvement in label standardization.

The change from {{ .Release.Name }} to app.kubernetes.io/instance follows Kubernetes recommended labels and provides better consistency for service discovery.

Let's verify the impact on existing metrics collection:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash # Description: Check for any other ServiceMonitor resources that might be affected by this change # and verify consistency in jobLabel usage across monitoring resources # Search for other ServiceMonitor resources rg -l 'kind:\s*ServiceMonitor' --type yaml # Check for existing usage of Release.Name in job labels rg 'jobLabel.*Release\.Name' --type yaml # Check for consistent usage of app.kubernetes.io/instance rg 'jobLabel.*app\.kubernetes\.io/instance' --type yaml

Length of output: 3362

coderabbitai · 2024-11-04T11:57:31Z

packages/system/victoria-metrics-operator/charts/victoria-metrics-operator/Chart.yaml

+- condition: crds.plain
+  name: crds
+  repository: ""
+  version: 0.0.*


🛠️ Refactor suggestion

Review the new CRDs dependency configuration.

The addition of a conditional CRDs dependency with an empty repository and version "0.0.*" needs careful consideration:

Empty repository field might cause issues

Version pattern "0.0.*" is very permissive

Consider:

Explicitly specifying the repository URL

Using a more specific version constraint

- condition: crds.plain name: crds - repository: "" + repository: "https://victoriametrics.github.io/helm-charts" - version: 0.0.* + version: ~0.0.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

- condition: crds.plain

name: crds

repository: ""

version: 0.0.*

- condition: crds.plain

name: crds

repository: "https://victoriametrics.github.io/helm-charts"

version: ~0.0.1

coderabbitai · 2024-11-04T11:57:31Z

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

+  name: {{ .Release.Name }}-cozy-victoria-metrics-operator
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}


⚠️ Potential issue

Fix typo in label key.

There's a typo in the label key: coztstack.io should be cozystack.io.

- coztstack.io/target-cluster-name: {{ .Release.Name }} + cozystack.io/target-cluster-name: {{ .Release.Name }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

coztstack.io/target-cluster-name: {{ .Release.Name }}

cozystack.io/target-cluster-name: {{ .Release.Name }}

coderabbitai · 2024-11-04T11:57:33Z

packages/system/cert-manager-crds/charts/cert-manager/values.schema.json

+    "helm-values.webhook.timeoutSeconds": {
+      "default": 30,
+      "description": "The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see\n[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).\n\nThe default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be \"context deadline exceeded\", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.",
+      "type": "number"
+    },


🛠️ Refactor suggestion

Add validation for timeoutSeconds range.

While the description mentions the valid range (1-30 seconds), add explicit validation:

"timeoutSeconds": { "default": 30, "description": "The number of seconds the API server should wait...", + "minimum": 1, + "maximum": 30, "type": "number" }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

"helm-values.webhook.timeoutSeconds": {

"default": 30,

"description": "The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see\n[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).\n\nThe default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be \"context deadline exceeded\", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.",

"type": "number"

},

"helm-values.webhook.timeoutSeconds": {

"default": 30,

"description": "The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see\n[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).\n\nThe default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be \"context deadline exceeded\", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.",

"minimum": 1,

"maximum": 30,

"type": "number"

},

coderabbitai · 2024-11-04T11:57:33Z

...perator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl

+    {{- end -}}
+  {{- end -}}
+  {{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}}
+  {{- with .app.image.registry | default (($Values.global).image).registry | default "" -}}


⚠️ Potential issue

Correct syntax for accessing global image registry value

There is an extra set of parentheses in the expression (($Values.global).image).registry which could cause a template rendering error.

Apply this diff to correct the syntax:

-{{- with .app.image.registry | default (($Values.global).image).registry | default "" -}} +{{- with .app.image.registry | default $Values.global.image.registry | default "" -}}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

{{- with .app.image.registry | default (($Values.global).image).registry | default "" -}}

{{- with .app.image.registry | default $Values.global.image.registry | default "" -}}

coderabbitai · 2024-11-04T11:57:34Z

...perator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_image.tpl

+    {{- if eq (include "vm.enterprise.disabled" .) "false" -}}
+      {{- if $variant }}
+        {{- $variant = printf "enterprise-%s" $variant }}
+      {{- else }}
+        {{- $variant = "enterprise" }}
+      {{- end }}
+    {{- end -}}


⚠️ Potential issue

Potential logical issue with $variant when vm.enterprise.disabled is true

Currently, the $variant may still be appended to the $tag even when vm.enterprise.disabled is "true", if .app.image.variant is set. This might lead to unintended image tags when the enterprise features are disabled.

To ensure $variant is only modified and appended when enterprise features are enabled, consider enclosing the $variant assignment and $tag modification within the enterprise check:

{{- $variant := .app.image.variant }} {{- if eq (include "vm.enterprise.disabled" .) "false" -}} {{- if $variant }} {{- $variant = printf "enterprise-%s" $variant }} {{- else }} {{- $variant = "enterprise" }} {{- end }} {{- end -}} -{{- with $variant -}} +{{- if $variant -}} {{- $tag = (printf "%s-%s" $tag $variant) -}} -{{- end -}} +{{- end -}}

Committable suggestion skipped: line range outside the PR's diff.

coderabbitai · 2024-11-04T11:57:34Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl

+    {{- else if (dig $Chart.Name "fullnameOverride" "" ($Values.global)) -}}
+      {{- $fullname = (dig $Chart.Name "fullnameOverride" "" ($Values.global)) -}}
+    {{- else if ($Values.global).fullnameOverride -}}


⚠️ Potential issue

Potential syntax error in dig function usage

In line 60, the usage of the dig function may have incorrect argument order. The dig function expects the map as the first argument, followed by the keys. The current code:

{{- else if (dig $Chart.Name "fullnameOverride" "" ($Values.global)) -}}

should be updated to:

{{- else if (dig ($Values.global) $Chart.Name "fullnameOverride") -}}

This ensures that the fullnameOverride is correctly retrieved from the global values.

Apply this diff to fix the issue:

-{{- else if (dig $Chart.Name "fullnameOverride" "" ($Values.global)) -}} +{{- else if (dig ($Values.global) $Chart.Name "fullnameOverride") -}}

coderabbitai · 2024-11-04T11:57:34Z

...rator/charts/victoria-metrics-operator/charts/victoria-metrics-common/templates/_helpers.tpl

+    {{- default (include "vm.fullname" .) $Values.serviceAccount.name }}
+  {{- else -}}
+    {{- default "default" $Values.serviceAccount.name -}}
+  {{- end }}


⚠️ Potential issue

Incorrect usage of the default function leading to potential logic errors

In lines 126 and 128, the default function's arguments appear to be in the wrong order. The syntax of default is default <defaultValue> <value>, where it returns <value> if it's non-empty; otherwise, it returns <defaultValue>.

Current code:

{{- default (include "vm.fullname" .) $Values.serviceAccount.name }}

Should be:

{{- default $Values.serviceAccount.name (include "vm.fullname" .) }}

Similarly for line 128:

{{- default "default" $Values.serviceAccount.name -}}

Should be:

{{- default $Values.serviceAccount.name "default" -}}

This correction ensures that the service account name is correctly assigned based on the provided serviceAccount.name value or defaults appropriately.

Apply these diffs to fix the issue:

-{{- default (include "vm.fullname" .) $Values.serviceAccount.name }} +{{- default $Values.serviceAccount.name (include "vm.fullname" .) }}

-{{- default "default" $Values.serviceAccount.name -}} +{{- default $Values.serviceAccount.name "default" -}}

coderabbitai

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)

packages/system/monitoring-agents/templates/vmagent.yaml (2)
19-24: Review resource allocation for VMAgent.

The resource limits and requests look reasonable for a basic setup, but consider the following:

Memory limit (500Mi) provides headroom for spikes

Memory request (200Mi) is conservative

CPU request (50m) is minimal but should be sufficient for basic scraping

Consider adjusting these values based on:

Number of targets being scraped

Scraping interval

Data volume

Line range hint 27-33: Consider enabling stateful mode for data persistence.

The commented statefulMode configuration suggests this feature was considered. For production environments, enabling this with appropriate storage configuration would provide better reliability and data persistence.
-  #statefulMode: true
-  #statefulStorage:
-  #  volumeClaimTemplate:
-  #    spec:
-  #      resources:
-  #          requests:
-  #            storage: 20Gi
+  statefulMode: true
+  statefulStorage:
+    volumeClaimTemplate:
+      spec:
+        resources:
+          requests:
+            storage: 20Gi
packages/extra/monitoring/templates/vm/vmcluster.yaml (1)
Line range hint 9-11: Consider adding resource specifications for vminsert and vmstorage components.

While vmselect now has proper resource constraints, vminsert and vmstorage components still have undefined resource specifications (resources: {}). This could lead to resource contention issues in a production environment.

Consider adding similar resource specifications for these components:
  vminsert:
    replicaCount: 2
-   resources: {}
+   resources:
+     limits:
+       memory: 800Mi
+     requests:
+       cpu: 100m
+       memory: 400Mi
  vmstorage:
    replicaCount: 2
+   resources:
+     limits:
+       memory: 2000Mi
+     requests:
+       cpu: 200m
+       memory: 1000Mi
    storage:
The suggested values are based on typical VictoriaMetrics deployment patterns, but should be adjusted based on your specific workload and monitoring requirements.

Also applies to: 31-33
packages/apps/redis/templates/redisfailover.yaml (1)

Line range hint 15-22: Consider reviewing memory allocation strategy.

The current configuration shows:

Memory requests: 400Mi

Memory limits: 1000Mi

This 2.5x difference between requests and limits could lead to resource allocation issues if multiple Redis instances hit their limits simultaneously on the same node. Consider:

Reducing the gap between requests and limits for more predictable resource usage

Documenting the reasoning for this wide range if it's intentionally set this way

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 92ff25b and 676db03.

📒 Files selected for processing (3)

packages/apps/redis/templates/redisfailover.yaml (1 hunks)
packages/extra/monitoring/templates/vm/vmcluster.yaml (1 hunks)
packages/system/monitoring-agents/templates/vmagent.yaml (1 hunks)

🔇 Additional comments (4)

packages/system/monitoring-agents/templates/vmagent.yaml (2)

13-13: Verify remote write URL configuration.

The remote write URL is now templated, which is good for flexibility. However, ensure proper URL validation is in place.

#!/bin/bash
# Check if the remote write URL is properly defined in the values file
rg "vmagent:\s*\n.*remoteWrite:" packages/system/monitoring-agents/values.yaml

7-8: Verify template values for external labels.

The external labels are now properly templated, but we need to ensure these values are properly defined in the values file.

✅ Verification successful

Based on the values.yaml content found, I can now generate the final response since I found the required information about the vmagent configuration.

External labels are properly defined in values file

The external labels cluster and tenant are correctly defined in the values file:

vmagent:
  externalLabels:
    cluster: cozystack
    tenant: tenant-root

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the required values are defined in the values file
rg -A 5 "vmagent:\s*\n.*externalLabels:" packages/system/monitoring-agents/values.yaml

Length of output: 272

Script:

#!/bin/bash
# Let's try a different approach to find values.yaml content
fd values.yaml packages/system/monitoring-agents/ --exec cat {}

Length of output: 65539

packages/extra/monitoring/templates/vm/vmcluster.yaml (1)

15-20: LGTM! Resource specifications for vmselect are well-balanced.

The memory limit (1000Mi) and request (500Mi) maintain a healthy 1:2 ratio, while the CPU request (100m) is reasonable for the query frontend component.

packages/apps/redis/templates/redisfailover.yaml (1)

39-39: LGTM: Formatting change only.

The line break addition in the exporter section improves readability while maintaining the same configuration.

scripts/migrations/6

kvaps · 2024-11-04T17:30:53Z

also please add into migrations:

# we remove monitoring, because we renamed it to monitoring-agents
kubectl delete hr -n cozy-monitoring monitoring

Since you renamed monitoring to monitoring-agents, we need to remove previus release

kvaps · 2024-11-04T17:31:51Z

Migrations package has missing:

# Write version to cozystack-version config
kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f-

in the end, without this like it will run in infinity loop

coderabbitai

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

packages/core/platform/bundles/paas-hosted.yaml (1)
22-22: Remove trailing whitespace.
-  
+
🧰 Tools

🪛 yamllint

[error] 22-22: trailing spaces

(trailing-spaces)
packages/core/platform/bundles/paas-full.yaml (2)
44-49: Good separation of cert-manager CRDs!

Excellent practice separating the CRDs into their own release. This approach:

Prevents potential race conditions during upgrades

Allows for better lifecycle management of CRDs

Follows the Kubernetes operator pattern best practices

191-191: Add spaces after commas in dependency list.

Fix the formatting to maintain consistency with the rest of the file:
-  dependsOn: [cilium,kubeovn,cert-manager-issuers]
+  dependsOn: [cilium, kubeovn, cert-manager-issuers]
🧰 Tools

🪛 yamllint

[warning] 191-191: too few spaces after comma

(commas)

[warning] 191-191: too few spaces after comma

(commas)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 676db03 and e1953b1.

📒 Files selected for processing (2)

packages/core/platform/bundles/paas-full.yaml (4 hunks)
packages/core/platform/bundles/paas-hosted.yaml (3 hunks)

🧰 Additional context used

🪛 yamllint

packages/core/platform/bundles/paas-full.yaml

[warning] 191-191: too few spaces after comma

(commas)

[warning] 191-191: too few spaces after comma

(commas)

packages/core/platform/bundles/paas-hosted.yaml

[error] 22-22: trailing spaces

(trailing-spaces)

🔇 Additional comments (4)

packages/core/platform/bundles/paas-hosted.yaml (2)

17-22: LGTM! Proper CRD management setup.

The addition of cert-manager-crds as a separate release and making cert-manager depend on it follows best practices for CRD management in Kubernetes.

Also applies to: 33-33

🧰 Tools

🪛 yamllint

[error] 22-22: trailing spaces

(trailing-spaces)

Line range hint 17-60: Verify dependency chain integrity.

The changes introduce new components into a complex dependency chain. Let's verify the dependency order:

cert-manager-crds → cert-manager → cert-manager-issuers
victoria-metrics-operator → monitoring → monitoring-agents

The chain looks valid, but let's verify there are no circular dependencies:

#!/bin/bash
# Extract and analyze dependency relationships
echo "Analyzing dependency relationships..."
rg -l 'dependsOn:' --type yaml | xargs awk '/name:|dependsOn:/{print}' | \
  grep -v '[][]' | \
  sed 's/name: /source: /; s/dependsOn: /target: /' | \
  grep -v '^[[:space:]]*$'

packages/core/platform/bundles/paas-full.yaml (2)

60-60: LGTM! Correct dependency chain.

The dependency update ensures cert-manager CRDs are installed before the main cert-manager component, which is the correct order of operations.

81-87: Verify migration steps for monitoring component rename.

The configuration looks correct, but this change requires a specific migration process:

The old monitoring component needs to be removed:

kubectl delete hr -n cozy-monitoring monitoring

The version needs to be updated:

kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f-

Please ensure these migration steps are documented in the upgrade guide to prevent deployment issues.

coderabbitai · 2024-11-04T17:45:41Z

packages/core/platform/bundles/paas-hosted.yaml

+- name: monitoring-agents
+  releaseName: monitoring-agents
+  chart: cozy-monitoring-agents
+  namespace: cozy-monitoring
+  privileged: true
+  dependsOn: [monitoring]
+


💡 Codebase verification

Remove dependency on 'monitoring' release as it's being deprecated

The dependency on 'monitoring' release needs to be removed since:

The 'monitoring' component is being renamed to 'monitoring-agents'

The PR comments indicate the old 'monitoring' release will be deleted

Multiple bundle files still reference the deprecated 'monitoring' dependency:

packages/core/platform/bundles/paas-hosted.yaml

packages/core/platform/bundles/distro-full.yaml

packages/core/platform/bundles/distro-hosted.yaml

packages/core/platform/bundles/paas-full.yaml

🔗 Analysis chain

Verify migration path for monitoring component rename.

While the addition of monitoring-agents looks correct, there are some migration considerations:

The PR comments mention removing the old monitoring release:

kubectl delete hr -n cozy-monitoring monitoring

The current setup shows monitoring-agents depending on monitoring. Is this intentional during migration, or should this dependency be removed since the monitoring component is being renamed?

Let's check if there are any other components depending on the monitoring release:

Let me try a different search strategy to specifically find dependencies on the 'monitoring' release.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash # Search for any other dependencies on 'monitoring' release rg -l 'dependsOn.*monitoring' --type yaml

Length of output: 24784

Script:

#!/bin/bash # Search for explicit dependencies on 'monitoring' release in yaml files rg 'dependsOn:.*\bmonitoring\b' --type yaml -A 1

Length of output: 551

coderabbitai

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)

scripts/migrations/6 (1)
1-15: Add namespace existence verification

The script assumes the existence of required namespaces but should verify them first.

Add these checks at the beginning of the script:
 #!/bin/sh
 # Migration 6 --> 7
 
+# Verify required namespaces exist
+for ns in cozy-cert-manager cozy-monitoring cozy-system; do
+  if ! kubectl get namespace $ns >/dev/null 2>&1; then
+    echo "Required namespace $ns does not exist"
+    exit 1
+  fi
+done
+
 # Rest of the script...

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between e1953b1 and 0892ddb.

📒 Files selected for processing (1)

scripts/migrations/6 (1 hunks)

🔇 Additional comments (1)

scripts/migrations/6 (1)

4-9: ⚠️ Potential issue

Fix variable name in cert-manager CRDs annotations

There's a critical error in the annotation command where $kubeovn_crds is used instead of $certmanager_crds. Additionally, the error handling could be improved.

Apply this diff to fix the issues:

 # Delete cert-manager crds labels and annotations
 certmanager_crds=$(kubectl get crd -o name | grep '\.cert-manager\.io$')
 if [ -n "$certmanager_crds" ]; then
-  kubectl annotate $certmanager_crds meta.helm.sh/release-namespace=cozy-cert-manager meta.helm.sh/release-name=cert-manager-crds
-  kubectl label $certmanager_crds app.kubernetes.io/managed-by=Helm
+  if ! kubectl annotate $certmanager_crds meta.helm.sh/release-namespace=cozy-cert-manager meta.helm.sh/release-name=cert-manager-crds; then
+    echo "Failed to annotate cert-manager CRDs"
+    exit 1
+  fi
+  if ! kubectl label $certmanager_crds app.kubernetes.io/managed-by=Helm; then
+    echo "Failed to label cert-manager CRDs"
+    exit 1
+  fi
 fi

Likely invalid or redundant comment.

coderabbitai · 2024-11-04T17:55:57Z

scripts/migrations/6

+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f-


🛠️ Refactor suggestion

Improve error handling for version update

The version update command should verify the success of the operation.

Apply this diff:

# Write version to cozystack-version config -kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f- +if ! kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f -; then + echo "Failed to update cozystack-version ConfigMap" + exit 1 +fi +echo "Successfully updated version to 7"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

# Write version to cozystack-version config

kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f-

# Write version to cozystack-version config

if ! kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml | kubectl apply -f -; then

echo "Failed to update cozystack-version ConfigMap"

exit 1

fi

echo "Successfully updated version to 7"

coderabbitai · 2024-11-04T17:55:58Z

scripts/migrations/6

+# Remove monitoring, because it is renamed to monitoring-agents
+kubectl get hr -n cozy-monitoring monitoring && kubectl delete hr -n cozy-monitoring monitoring


🛠️ Refactor suggestion

Improve error handling for monitoring removal

The current command could fail silently if the deletion fails. Let's make it more robust.

Apply this diff:

# Remove monitoring, because it is renamed to monitoring-agents -kubectl get hr -n cozy-monitoring monitoring && kubectl delete hr -n cozy-monitoring monitoring +if kubectl get hr -n cozy-monitoring monitoring >/dev/null 2>&1; then + if ! kubectl delete hr -n cozy-monitoring monitoring; then + echo "Failed to delete monitoring HelmRelease" + exit 1 + fi + echo "Successfully removed monitoring HelmRelease" +fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

# Remove monitoring, because it is renamed to monitoring-agents

kubectl get hr -n cozy-monitoring monitoring && kubectl delete hr -n cozy-monitoring monitoring

# Remove monitoring, because it is renamed to monitoring-agents

if kubectl get hr -n cozy-monitoring monitoring >/dev/null 2>&1; then

if ! kubectl delete hr -n cozy-monitoring monitoring; then

echo "Failed to delete monitoring HelmRelease"

exit 1

fi

echo "Successfully removed monitoring HelmRelease"

fi

kvaps

LGTM

add metrics agents

92ff25b

klinch0 requested a review from kvaps as a code owner November 4, 2024 11:27

dosubot bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label Nov 4, 2024

dosubot bot added the enhancement New feature or request label Nov 4, 2024

coderabbitai bot reviewed Nov 4, 2024

View reviewed changes

remove cpu limits

676db03

coderabbitai bot reviewed Nov 4, 2024

View reviewed changes

kvaps requested changes Nov 4, 2024

View reviewed changes

scripts/migrations/6 Outdated Show resolved Hide resolved

Merge branch 'main' into feature/patch12-add-client-monitoring

e1953b1

coderabbitai bot reviewed Nov 4, 2024

View reviewed changes

fix migrations

0892ddb

coderabbitai bot reviewed Nov 4, 2024

View reviewed changes

kvaps added 2 commits November 4, 2024 18:57

fix bundles

83353e6

improve e2e

384b2b9

kvaps approved these changes Nov 4, 2024

View reviewed changes

dosubot bot added the lgtm This PR has been approved by a maintainer label Nov 4, 2024

kvaps merged commit 3c27a1e into aenix-io:main Nov 4, 2024
1 check failed

		@@ -1,4 +1,4 @@
		{{- if .Values.rbac.pspEnabled }}
		{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}

		cozystack.io/repository: system
		coztstack.io/target-cluster-name: {{ .Release.Name }}

	{{- $image := tpl (printf "%s:%s" .app.image.repository $tag) . -}}
	{{- $image := printf "%s:%s" .app.image.repository $tag -}}

	{{- $name = (printf "%s-%d.%s" $name .appIdx $name) -}}
	{{- $name = (printf "%s-%d" $name .appIdx) -}}

	coztstack.io/target-cluster-name: {{ .Release.Name }}
	cozystack.io/target-cluster-name: {{ .Release.Name }}

	{{- with .app.image.registry \| default (($Values.global).image).registry \| default "" -}}
	{{- with .app.image.registry \| default $Values.global.image.registry \| default "" -}}

		# Write version to cozystack-version config
		kubectl create configmap -n cozy-system cozystack-version --from-literal=version=7 --dry-run=client -o yaml \| kubectl apply -f-

		# Remove monitoring, because it is renamed to monitoring-agents
		kubectl get hr -n cozy-monitoring monitoring && kubectl delete hr -n cozy-monitoring monitoring

-# Remove monitoring, because it is renamed to monitoring-agents
-kubectl get hr -n cozy-monitoring monitoring && kubectl delete hr -n cozy-monitoring monitoring
+# Remove monitoring, because it is renamed to monitoring-agents
+if kubectl get hr -n cozy-monitoring monitoring >/dev/null 2>&1; then
+  if ! kubectl delete hr -n cozy-monitoring monitoring; then
+    echo "Failed to delete monitoring HelmRelease"
+    exit 1
+  fi
+  echo "Successfully removed monitoring HelmRelease"
+fi

add metrics agents #461

add metrics agents #461

Conversation

klinch0 commented Nov 4, 2024 • edited by coderabbitai bot Loading

Summary by CodeRabbit

coderabbitai bot commented Nov 4, 2024 • edited Loading

Review failed

Walkthrough

Changes

Possibly related PRs

Suggested labels

Suggested reviewers

Poem

Chat

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Documentation and Community

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

kvaps commented Nov 4, 2024

kvaps commented Nov 4, 2024

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

coderabbitai bot Nov 4, 2024

Choose a reason for hiding this comment

kvaps left a comment

Choose a reason for hiding this comment

klinch0 commented Nov 4, 2024 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Nov 4, 2024 •

edited

Loading

CodeRabbit Configuration File (`.coderabbit.yaml`)