diff --git a/prometheus-operator/prometheus-operator-helmrelease.yaml b/prometheus-operator/prometheus-operator-helmrelease.yaml new file mode 100644 index 0000000..fc12ae5 --- /dev/null +++ b/prometheus-operator/prometheus-operator-helmrelease.yaml @@ -0,0 +1,321 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: prometheus-operator + namespace: prometheus-system +spec: + chart: + spec: + chart: prometheus-operator + version: 1.0.4 + sourceRef: + kind: HelmRepository + name: truecharts + namespace: flux-system + interval: 15m0s + timeout: 5m + releaseName: prometheus-operator + values: + image: + repository: tccr.io/truecharts/prometheus-operator + tag: "v0.68.0@sha256:bd63ef4b9fcce4b07c9c1c58b114e09af73a360daf1b4c8ce3e910e5a09027c1" + pullPolicy: + + configReloaderImage: + repository: tccr.io/truecharts/prometheus-config-reloader + tag: "v0.68.0@sha256:52a3143e9852180f0f5ca91b67e714fac4905d4c076b3082c7c199fe72cadb1e" + pullPolicy: + + thanosImage: + repository: tccr.io/truecharts/thanos + tag: "v0.32.4@sha256:68b83f65ed1df9e2f749e78280d1ebeeaa8e6beade3f1ac1c31f810038a34df3" + pullPolicy: + + patchImage: + repository: tccr.io/truecharts/kube-webhook-certgen + tag: latest@sha256:28c6de4c7fe7527daafd761e2d33aafe1094004e77248fcc674cc6e092da1017 + pullPolicy: + + workload: + main: + podSpec: + containers: + main: + probes: + liveness: + type: tcp + readiness: + type: tcp + args: + - --kubelet-service={{ .Values.prometheusOperator.kubeletService.namespace }}/{{ include "tc.v1.common.lib.chart.names.fullname" $ }}-kubelet + - --log-format={{ .Values.prometheusOperator.logFormat }} + - --log-level={{ .Values.prometheusOperator.logLevel }} + # - --deny-namespaces={{ tpl (.Values.prometheusOperator.denyNamespaces | join ",") $ }} + - --localhost=127.0.0.1 + # - --prometheus-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.prometheusDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.prometheusDefaultBaseImage }} + # - --alertmanager-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.alertmanagerDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.alertmanagerDefaultBaseImage }} + - --prometheus-config-reloader={{ .Values.configReloaderImage.repository }}:{{ .Values.configReloaderImage.tag }} + - --config-reloader-cpu-request={{ .Values.resources.requests.cpu }} + - --config-reloader-cpu-limit={{ .Values.resources.limits.cpu }} + - --config-reloader-memory-request={{ .Values.resources.requests.memory }} + - --config-reloader-memory-limit={{ .Values.resources.limits.memory }} + - --enable-config-reloader-probes={{ .Values.prometheusOperator.prometheusConfigReloader.probes.enabled }} + # - --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }} + # - --alertmanager-instance-selector={{ .Values.prometheusOperator.alertmanagerInstanceSelector }} + # - --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }} + # - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }} + # - --prometheus-instance-selector={{ .Values.prometheusOperator.prometheusInstanceSelector }} + # - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }} + # - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }} + # - --thanos-ruler-instance-selector={{ .Values.prometheusOperator.thanosRulerInstanceSelector }} + - --secret-field-selector={{ tpl (.Values.prometheusOperator.secretFieldSelector) $ }} + # - --cluster-domain={{ .Values.prometheusOperator.clusterDomain }} + createsecret: + type: Job + enabled: true + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + podSpec: + restartPolicy: Never + containers: + main: + enabled: true + primary: true + imageSelector: patchImage + args: + - create + - --host={{ include "tc.v1.common.lib.chart.names.fullname" $ }},{{ include "tc.v1.common.lib.chart.names.fullname" $ }}.{{ .Release.Namespace }}.svc + - --namespace={{ .Release.Namespace }} + - --secret-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-admission + probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false + + patchwebhook: + type: Job + enabled: true + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + podSpec: + restartPolicy: Never + containers: + main: + enabled: true + primary: true + imageSelector: patchImage + args: + - patch + - --webhook-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-admission + - --namespace={{ .Release.Namespace }} + - --secret-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-admission + - --patch-failure-policy={{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }} + probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false + + podOptions: + automountServiceAccountToken: true + + service: + main: + ports: + main: + protocol: http + port: 8080 + + prometheusOperator: + logFormat: logfmt + logLevel: all + kubeletService: + enabled: true + namespace: kube-system + + prometheusConfigReloader: + enabled: false + probes: + enabled: false + + ## Set a Field Selector to filter watched secrets + ## + secretFieldSelector: "type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1" + + ## Admission webhook support for PrometheusRules resources added in Prometheus Operator 0.30 can be enabled to prevent incorrectly formatted + ## rules from making their way into prometheus and potentially preventing the container from starting + admissionWebhooks: + ## Valid values: Fail, Ignore, IgnoreOnInstallOnly + ## IgnoreOnInstallOnly - If Release.IsInstall returns "true", set "Ignore" otherwise "Fail" + failurePolicy: "" + ## The default timeoutSeconds is 10 and the maximum value is 30. + timeoutSeconds: 10 + enabled: true + ## A PEM encoded CA bundle which will be used to validate the webhook's server certificate. + ## If unspecified, system trust roots on the apiserver are used. + caBundle: "" + ## If enabled, generate a self-signed certificate, then patch the webhook configurations with the generated data. + ## On chart upgrades (or if the secret exists) the cert will not be re-generated. You can use this to provide your own + ## certs ahead of time if you wish. + ## + + patch: + enabled: true + + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + # default to be 5y + duration: "" + admissionCert: + # default to be 1y + duration: "" + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + + operator: + register: true + + portal: + open: + enabled: false + + metrics: + main: + enabled: false + endpoints: + - port: main + interval: 5s + scrapeTimeout: 5s + path: / + honorLabels: false + + rbac: + main: + enabled: true + primary: true + clusterWide: true + rules: + - apiGroups: + - monitoring.coreos.com + resources: + - alertmanagers + - alertmanagers/finalizers + - alertmanagers/status + - alertmanagerconfigs + - prometheuses + - prometheuses/finalizers + - prometheuses/status + - prometheusagents + - prometheusagents/finalizers + - prometheusagents/status + - thanosrulers + - thanosrulers/finalizers + - thanosrulers/status + - scrapeconfigs + - servicemonitors + - podmonitors + - probes + - prometheusrules + verbs: + - "*" + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - "*" + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - "*" + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - delete + - apiGroups: + - "" + resources: + - services + - services/finalizers + - endpoints + verbs: + - get + - create + - update + - delete + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - update + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + + crds: + annotations: {} + + serviceAccount: + main: + enabled: true + primary: true + targetSelectAll: true + + manifestManager: + enabled: false +