Merge branch 'improvement/bump-prometheus-adapter' into q/125.0

CHANGELOG.md

@@ -56,6 +56,10 @@
   [v2.35.3](https://github.com/dexidp/dex/releases/tag/v2.35.3)
   (PR[#4012](https://github.com/scality/metalk8s/pull/4012))
 
+- Bump Prometheus Adapter chart version to
+  [4.1.1](https://github.com/prometheus-community/helm-charts/releases/tag/prometheus-adapter-4.1.1)
+  (PR[#4015](https://github.com/scality/metalk8s/pull/4015))
+
 ### Bug fixes
 
 - Fix a bug in Workload Plane Ingress Virtual IPs that make the DaemonSet Pod

buildchain/buildchain/constants.py

@@ -28,7 +28,7 @@
 INGRESS_REPOSITORY: str = "k8s.gcr.io/ingress-nginx"
 KIWIGRID_REPOSITORY: str = "quay.io/kiwigrid"
 KUBE_STATE_METRICS_REPOSITORY: str = "k8s.gcr.io/kube-state-metrics"
-PROMETHEUS_ADAPTER_REPOSITORY: str = "k8s.gcr.io/prometheus-adapter"
+PROMETHEUS_ADAPTER_REPOSITORY: str = f"{K8S_REPOSITORY}/prometheus-adapter"
 PROMETHEUS_OPERATOR_REPOSITORY: str = "quay.io/prometheus-operator"
 PROMETHEUS_REPOSITORY: str = "quay.io/prometheus"
 THANOS_REPOSITORY: str = "quay.io/thanos"

charts/prometheus-adapter/Chart.yaml

@@ -17,4 +17,4 @@ name: prometheus-adapter
 sources:
 - https://github.com/kubernetes/charts
 - https://github.com/kubernetes-sigs/prometheus-adapter
-version: 3.4.0
+version: 4.1.1

charts/prometheus-adapter/README.md

@@ -43,6 +43,10 @@ helm upgrade [RELEASE_NAME] [CHART] --install
 
 _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
 
+### To 4.0.0
+
+Previously, security context of the container was set directly in the deployment template. This release makes it configurable through the new configuration variable `securityContext` whilst keeping the previously set values as defaults. Furthermore, previous variable `runAsUser` is now set in `securityContext` and is not used any longer. Please, use `securityContext.runAsUser` instead. In the same security context, `seccompProfile` has been enabled and set to type `RuntimeDefault`.
+
 ### To 3.0.0
 
 Due to a change in deployment labels, the upgrade requires `helm upgrade --force` in order to re-create the deployment.
@@ -109,8 +113,14 @@ Enabling this option will cause resource metrics to be served at `/apis/metrics.
 rules:
   resource:
     cpu:
-      containerQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>, container!=""}[3m])) by (<<.GroupBy>>)
-      nodeQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>, id='/'}[3m])) by (<<.GroupBy>>)
+      containerQuery: |
+        sum by (<<.GroupBy>>) (
+          rate(container_cpu_usage_seconds_total{container!="",<<.LabelMatchers>>}[3m])
+        )
+      nodeQuery: |
+        sum  by (<<.GroupBy>>) (
+          rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal",<<.LabelMatchers>>}[3m])
+        )
       resources:
         overrides:
           node:
@@ -121,8 +131,16 @@ rules:
             resource: pod
       containerLabel: container
     memory:
-      containerQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>, container!=""}) by (<<.GroupBy>>)
-      nodeQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>,id='/'}) by (<<.GroupBy>>)
+      containerQuery: |
+        sum by (<<.GroupBy>>) (
+          avg_over_time(container_memory_working_set_bytes{container!="",<<.LabelMatchers>>}[3m])
+        )
+      nodeQuery: |
+        sum by (<<.GroupBy>>) (
+          avg_over_time(node_memory_MemTotal_bytes{<<.LabelMatchers>>}[3m])
+          -
+          avg_over_time(node_memory_MemAvailable_bytes{<<.LabelMatchers>>}[3m])
+        )
       resources:
         overrides:
           node:

charts/prometheus-adapter/templates/custom-metrics-apiservice.yaml

@@ -26,7 +26,9 @@ spec:
   {{- end }}
   group: custom.metrics.k8s.io
   version: v1beta1
-  insecureSkipTLSVerify: {{ if or .Values.tls.enable .Values.certManager.enabled }}false{{ else }}true{{ end }}
+  {{- if not (or .Values.tls.enable .Values.certManager.enabled) }}
+  insecureSkipTLSVerify: true
+  {{- end }}
   groupPriorityMinimum: 100
   versionPriority: 100
 {{- end }}

charts/prometheus-adapter/templates/deployment.yaml

@@ -1,9 +1,14 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  {{- if .Values.customAnnotations }}
+  {{- if or .Values.customAnnotations .Values.deploymentAnnotations }}
   annotations:
-  {{- toYaml .Values.customAnnotations | nindent 4 }}
+    {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.deploymentAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- end }}
   labels:
     {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
@@ -17,10 +22,6 @@ spec:
       {{- include "k8s-prometheus-adapter.selectorLabels" . | indent 6 }}
   template:
     metadata:
-      {{- if .Values.customAnnotations }}
-      annotations:
-      {{- toYaml .Values.customAnnotations | nindent 8 }}
-      {{- end }}
       labels:
         {{- include "k8s-prometheus-adapter.labels" . | indent 8 }}
         {{- with .Values.podLabels }}
@@ -30,7 +31,10 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
-        {{- toYaml . | trim | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.customAnnotations }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
       serviceAccountName: {{ template "k8s-prometheus-adapter.serviceAccountName" . }}
@@ -44,6 +48,10 @@ spec:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- with .Values.env }}
+        env:
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         args:
         - /adapter
         - --secure-port={{ .Values.listenPort }}
@@ -85,15 +93,10 @@ spec:
         dnsConfig:
         {{ toYaml . | indent 8 }}
         {{- end }}
+        {{- with .Values.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["all"]
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          {{- if .Values.runAsUser }}
-          runAsUser: {{ .Values.runAsUser }}
-          {{- end }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         {{- if .Values.extraVolumeMounts }}
         {{ toYaml .Values.extraVolumeMounts | trim | nindent 8 }}

charts/prometheus-adapter/templates/external-metrics-apiservice.yaml

@@ -26,7 +26,9 @@ spec:
   {{- end }}
   group: external.metrics.k8s.io
   version: v1beta1
-  insecureSkipTLSVerify: {{ if or .Values.tls.enable .Values.certManager.enabled }}false{{ else }}true{{ end }}
+  {{- if not (or .Values.tls.enable .Values.certManager.enabled) }}
+  insecureSkipTLSVerify: true
+  {{- end }}
   groupPriorityMinimum: 100
   versionPriority: 100
 {{- end -}}

charts/prometheus-adapter/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.psp.create -}}
+{{- if and .Values.psp.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy

charts/prometheus-adapter/templates/resource-metrics-apiservice.yaml

@@ -26,7 +26,9 @@ spec:
   {{- end }}
   group: metrics.k8s.io
   version: v1beta1
-  insecureSkipTLSVerify: {{ if or .Values.tls.enable .Values.certManager.enabled }}false{{ else }}true{{ end }}
+  {{- if not (or .Values.tls.enable .Values.certManager.enabled) }}
+  insecureSkipTLSVerify: true
+  {{- end }}
   groupPriorityMinimum: 100
   versionPriority: 100
 {{- end -}}

charts/prometheus-adapter/values.yaml

@@ -3,7 +3,7 @@ affinity: {}
 topologySpreadConstraints: []
 
 image:
-  repository: k8s.gcr.io/prometheus-adapter/prometheus-adapter
+  repository: registry.k8s.io/prometheus-adapter/prometheus-adapter
   tag: v0.10.0
   pullPolicy: IfNotPresent
 
@@ -13,9 +13,6 @@ metricsRelistInterval: 1m
 
 listenPort: 6443
 
-# User to run adapter container as
-runAsUser: 10001
-
 nodeSelector: {}
 
 priorityClassName: ""
@@ -45,6 +42,18 @@ replicas: 1
 podSecurityContext:
   fsGroup: 10001
 
+# SecurityContext of the container
+# ref. https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: ["all"]
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10001
+  seccompProfile:
+    type: RuntimeDefault
+
 rbac:
   # Specifies whether RBAC resources should be created
   create: true
@@ -111,8 +120,14 @@ rules:
 
   # resource:
   #   cpu:
-  #     containerQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>, container!=""}[3m])) by (<<.GroupBy>>)
-  #     nodeQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>, id='/'}[3m])) by (<<.GroupBy>>)
+  #     containerQuery: |
+  #       sum by (<<.GroupBy>>) (
+  #         rate(container_cpu_usage_seconds_total{container!="",<<.LabelMatchers>>}[3m])
+  #       )
+  #     nodeQuery: |
+  #       sum  by (<<.GroupBy>>) (
+  #         rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal",<<.LabelMatchers>>}[3m])
+  #       )
   #     resources:
   #       overrides:
   #         node:
@@ -123,8 +138,16 @@ rules:
   #           resource: pod
   #     containerLabel: container
   #   memory:
-  #     containerQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>, container!=""}) by (<<.GroupBy>>)
-  #     nodeQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>,id='/'}) by (<<.GroupBy>>)
+  #     containerQuery: |
+  #       sum by (<<.GroupBy>>) (
+  #         avg_over_time(container_memory_working_set_bytes{container!="",<<.LabelMatchers>>}[3m])
+  #       )
+  #     nodeQuery: |
+  #       sum by (<<.GroupBy>>) (
+  #         avg_over_time(node_memory_MemTotal_bytes{<<.LabelMatchers>>}[3m])
+  #         -
+  #         avg_over_time(node_memory_MemAvailable_bytes{<<.LabelMatchers>>}[3m])
+  #       )
   #     resources:
   #       overrides:
   #         node:
@@ -151,6 +174,17 @@ tls:
   certificate: |-
     # Public key of the APIService
 
+# Set environment variables from secrets, configmaps or by setting them as name/value
+env: []
+  # - name: TMP_DIR
+  #   value: /tmp
+  # - name: PASSWORD
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: mysecret
+  #       key: password
+  #       optional: false
+
 # Any extra arguments
 extraArguments: []
   # - --tls-private-key-file=/etc/tls/tls.key
@@ -183,6 +217,9 @@ podLabels: {}
 # Annotations added to the pod
 podAnnotations: {}
 
+# Annotations added to the deployment
+deploymentAnnotations: {}
+
 hostNetwork:
   # Specifies if prometheus-adapter should be started in hostNetwork mode.
   #