feat(helm): Allow provisioner to be namespaced #16091
Merged: slim-bean merged 1 commit into main from federal/185454-allow-provisioner-as-namespaced, Feb 12, 2025
+19
−6
9c5a1e4 to ce43c28
davidham approved these changes, Feb 4, 2025
Looks good!
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
kind: {{ if not .Values.rbac.namespaced }}Cluster{{ else }}Role{{ end }}Binding |
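Review bot: With `rbac.namespaced` unset, the expression on this `kind:` line renders `ClusterBinding`, not `ClusterRoleBinding`, because the `Cluster` branch drops the `Role` that only the else branch supplies. The rendered output further down this page shows that result (`kind: ClusterBinding` for `enterprise-logs-provisioner`). Make only the prefix conditional, for example `kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}RoleBinding`, and template `roleRef.kind` the same way so the binding and the role it references stay in the same scope.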
🔥
ce43c28 to e89f410
e89f410 to be34c1a
be34c1a to bc2af1f
lwille approved these changes, Feb 10, 2025
2922d08 to 22ad3d4
In the Grafana Federal Cloud we have clusters where we cannot create ClusterRole/ClusterRoleBinding due to an increased security posture. To ensure we can deploy the provisioner in these clusters, this PR conditionally generates Role instead of ClusterRole if enterprise and enterprise.provisioner are enabled and rbac.namespaced is true.

This PR also updates the provisioner job helm hooks to allow it to be customized to run on other hookTypes. This still defaults to post-install and should have no impact to current usage. This will allow the Grafana Federal Cloud to use the provisioner after helm post-upgrades to attempt to create tenants as required.

Closes deployment_tools/#185454

Signed-off-by: Ryan Brady <[email protected]>
22ad3d4 to 75db8aa
Helm Diff Output - Summary
Default Values Scenario-diff-output
default, loki-backend, StatefulSet (apps) has changed:
# Source: loki/templates/backend/statefulset-backend.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-backend
namespace: default
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
replicas: 1
podManagementPolicy: Parallel
updateStrategy:
rollingUpdate:
partition: 0
serviceName: loki-backend-headless
revisionHistoryLimit: 10
persistentVolumeClaimRetentionPolicy:
whenDeleted: Delete
whenScaled: Delete
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
template:
metadata:
annotations:
checksum/config: 6074dc4b0d60af4991bb01fbda4550e5e2da5dd9c203362200c280b3e43407ea
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
serviceAccountName: loki
automountServiceAccountToken: true
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
terminationGracePeriodSeconds: 300
containers:
- name: loki-sc-rules
- image: "kiwigrid/k8s-sidecar:1.29.1"
+ image: "kiwigrid/k8s-sidecar:1.30.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "loki_rule"
- name: FOLDER
value: "/rules"
- name: RESOURCE
value: "both"
- name: WATCH_SERVER_TIMEOUT
value: "60"
- name: WATCH_CLIENT_TIMEOUT
value: "60"
- name: LOG_LEVEL
value: "INFO"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: sc-rules-volume
mountPath: "/rules"
- name: loki
image: docker.io/grafana/loki:3.3.2
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=backend
- -legacy-read-mode=false
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
- name: grpc
containerPort: 9095
protocol: TCP
- name: http-memberlist
containerPort: 7946
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- name: config
mountPath: /etc/loki/config
- name: runtime-config
mountPath: /etc/loki/runtime-config
- name: tmp
mountPath: /tmp
- name: data
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
resources:
{}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/component: backend
topologyKey: kubernetes.io/hostname
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: loki
items:
- key: "config.yaml"
path: "config.yaml"
- name: runtime-config
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
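Review bot: The image change at `loki-sc-rules` (`kiwigrid/k8s-sidecar:1.29.1` to `1.30.0`) is outside what the PR description covers, which is provisioner RBAC and hook types only; the `memcached` tag change in the two cache StatefulSets that follow is in the same position. That points to the branch and the comparison base having drifted apart, so rebase before treating this diff as the effect of the PR. Separately, these images are referenced by tag alone; pinning them by digest would make a rendered diff correspond to exactly what gets pulled.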
default, loki-release-chunks-cache, StatefulSet (apps) has changed:
# Source: loki/templates/chunks-cache/statefulset-chunks-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-chunks-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-chunks-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 9830Mi
requests:
cpu: 500m
memory: 9830Mi
ports:
- containerPort: 11211
name: client
args:
- -m 8192
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
default, loki-release-results-cache, StatefulSet (apps) has changed:
# Source: loki/templates/results-cache/statefulset-results-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-results-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-results-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 1229Mi
requests:
cpu: 500m
memory: 1229Mi
ports:
- containerPort: 11211
name: client
args:
- -m 1024
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Ingress Values Scenario-diff-output
default, loki-backend, StatefulSet (apps) has changed:
# Source: loki/templates/backend/statefulset-backend.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-backend
namespace: default
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
replicas: 1
podManagementPolicy: Parallel
updateStrategy:
rollingUpdate:
partition: 0
serviceName: loki-backend-headless
revisionHistoryLimit: 10
persistentVolumeClaimRetentionPolicy:
whenDeleted: Delete
whenScaled: Delete
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
template:
metadata:
annotations:
checksum/config: 6074dc4b0d60af4991bb01fbda4550e5e2da5dd9c203362200c280b3e43407ea
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
serviceAccountName: loki
automountServiceAccountToken: true
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
terminationGracePeriodSeconds: 300
containers:
- name: loki-sc-rules
- image: "kiwigrid/k8s-sidecar:1.29.1"
+ image: "kiwigrid/k8s-sidecar:1.30.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "loki_rule"
- name: FOLDER
value: "/rules"
- name: RESOURCE
value: "both"
- name: WATCH_SERVER_TIMEOUT
value: "60"
- name: WATCH_CLIENT_TIMEOUT
value: "60"
- name: LOG_LEVEL
value: "INFO"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: sc-rules-volume
mountPath: "/rules"
- name: loki
image: docker.io/grafana/loki:3.3.2
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=backend
- -legacy-read-mode=false
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
- name: grpc
containerPort: 9095
protocol: TCP
- name: http-memberlist
containerPort: 7946
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- name: config
mountPath: /etc/loki/config
- name: runtime-config
mountPath: /etc/loki/runtime-config
- name: tmp
mountPath: /tmp
- name: data
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
resources:
{}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/component: backend
topologyKey: kubernetes.io/hostname
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: loki
items:
- key: "config.yaml"
path: "config.yaml"
- name: runtime-config
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
default, loki-release-chunks-cache, StatefulSet (apps) has changed:
# Source: loki/templates/chunks-cache/statefulset-chunks-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-chunks-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-chunks-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 9830Mi
requests:
cpu: 500m
memory: 9830Mi
ports:
- containerPort: 11211
name: client
args:
- -m 8192
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
default, loki-release-results-cache, StatefulSet (apps) has changed:
# Source: loki/templates/results-cache/statefulset-results-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-results-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-results-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 1229Mi
requests:
cpu: 500m
memory: 1229Mi
ports:
- containerPort: 11211
name: client
args:
- -m 1024
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Legacy Monitoring Values Scenario-diff-output
default, loki-backend, StatefulSet (apps) has changed:
# Source: loki/templates/backend/statefulset-backend.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-backend
namespace: default
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
replicas: 1
podManagementPolicy: Parallel
updateStrategy:
rollingUpdate:
partition: 0
serviceName: loki-backend-headless
revisionHistoryLimit: 10
persistentVolumeClaimRetentionPolicy:
whenDeleted: Delete
whenScaled: Delete
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
template:
metadata:
annotations:
checksum/config: 6074dc4b0d60af4991bb01fbda4550e5e2da5dd9c203362200c280b3e43407ea
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
serviceAccountName: loki
automountServiceAccountToken: true
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
terminationGracePeriodSeconds: 300
containers:
- name: loki-sc-rules
- image: "kiwigrid/k8s-sidecar:1.29.1"
+ image: "kiwigrid/k8s-sidecar:1.30.0"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "loki_rule"
- name: FOLDER
value: "/rules"
- name: RESOURCE
value: "both"
- name: WATCH_SERVER_TIMEOUT
value: "60"
- name: WATCH_CLIENT_TIMEOUT
value: "60"
- name: LOG_LEVEL
value: "INFO"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: sc-rules-volume
mountPath: "/rules"
- name: loki
image: docker.io/grafana/loki:3.3.2
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=backend
- -legacy-read-mode=false
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
- name: grpc
containerPort: 9095
protocol: TCP
- name: http-memberlist
containerPort: 7946
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- name: config
mountPath: /etc/loki/config
- name: runtime-config
mountPath: /etc/loki/runtime-config
- name: tmp
mountPath: /tmp
- name: data
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
resources:
{}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/component: backend
topologyKey: kubernetes.io/hostname
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: loki
items:
- key: "config.yaml"
path: "config.yaml"
- name: runtime-config
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
default, loki-release-chunks-cache, StatefulSet (apps) has changed:
# Source: loki/templates/chunks-cache/statefulset-chunks-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-chunks-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-chunks-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 9830Mi
requests:
cpu: 500m
memory: 9830Mi
ports:
- containerPort: 11211
name: client
args:
- -m 8192
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
default, loki-release-results-cache, StatefulSet (apps) has changed:
# Source: loki/templates/results-cache/statefulset-results-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-results-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-results-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 1229Mi
requests:
cpu: 500m
memory: 1229Mi
ports:
- containerPort: 11211
name: client
args:
- -m 1024
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Simple Scalable AWS Kube IRSA Values Scenario-diff-output
1142c1142
< image: "kiwigrid/k8s-sidecar:1.30.0"
---
> image: "kiwigrid/k8s-sidecar:1.29.1"
1306c1306
< image: memcached:1.6.35-alpine
---
> image: memcached:1.6.34-alpine
1408c1408
< image: memcached:1.6.35-alpine
---
> image: memcached:1.6.34-alpine
1642a1643,1666
> # Source: loki/templates/provisioner/rolebinding-provisioner.yaml
> apiVersion: rbac.authorization.k8s.io/v1
> kind: ClusterRoleBinding
> metadata:
> name: enterprise-logs-provisioner
> namespace: default
> labels:
> helm.sh/chart: loki-6.25.1
> app.kubernetes.io/name: enterprise-logs
> app.kubernetes.io/instance: loki-release
> app.kubernetes.io/version: "3.3.2"
> app.kubernetes.io/component: provisioner
> annotations:
> eks.amazonaws.com/role-arn: arn:aws:iam::2222222:role/test-role
> "helm.sh/hook": post-install
> roleRef:
> apiGroup: rbac.authorization.k8s.io
> kind: ClusterRole
> name: enterprise-logs-provisioner
> subjects:
> - kind: ServiceAccount
> name: enterprise-logs-provisioner
> namespace: default
> ---
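Review bot: `namespace: default` under `metadata` has no effect on this object, since a ClusterRoleBinding is cluster-scoped, and the `eks.amazonaws.com/role-arn` annotation does nothing on a binding because IRSA reads it from the ServiceAccount. Both look inherited from shared metadata in the template; emit `namespace` only when the object renders as a RoleBinding, and keep the role ARN annotation on the ServiceAccount alone, so the rendered RBAC objects carry only fields that mean something for their kind.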
1709c1733
< "helm.sh/hook": "post-install"
---
> "helm.sh/hook": post-install
1875,1898d1898
< ---
< # Source: loki/templates/provisioner/rolebinding-provisioner.yaml
< apiVersion: rbac.authorization.k8s.io/v1
< kind: ClusterBinding
< metadata:
< name: enterprise-logs-provisioner
< namespace: default
< labels:
< helm.sh/chart: loki-6.25.1
< app.kubernetes.io/name: enterprise-logs
< app.kubernetes.io/instance: loki-release
< app.kubernetes.io/version: "3.3.2"
< app.kubernetes.io/component: provisioner
< annotations:
< eks.amazonaws.com/role-arn: arn:aws:iam::2222222:role/test-role
< "helm.sh/hook": post-install
< roleRef:
< apiGroup: rbac.authorization.k8s.io
< kind: ClusterRole
< name: enterprise-logs-provisioner
< subjects:
< - kind: ServiceAccount
< name: enterprise-logs-provisioner
< namespace: default
Simple Thanos Values Scenario-diff-output
520d519
< prefix: null
522,531c521
< access_key_id: thanos-minio
< bucket_name: admin_thanos
< endpoint: http://minio.minio.svc.cluster.local:9000
< http:
< tls_config:
< insecure_skip_verify: true
< insecure: true
< region: us-east-1
< secret_access_key: thanos-minio123
< sse: {}
---
> bucket_name: admin
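Review bot: The `<` side of this hunk carries `secret_access_key: thanos-minio123` inline together with `insecure: true` and `insecure_skip_verify: true`, and none of it relates to the provisioner RBAC and hook changes the description lists. Confirm the comparison base is current so that object-store changes do not ride along in this diff, and if this scenario doubles as a reference for users, have it load the key from a Secret and leave TLS verification on.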
564,576c554,560
< object_store:
< prefix: null
< s3:
< access_key_id: thanos-minio
< bucket_name: chunks_thanos
< endpoint: http://minio.minio.svc.cluster.local:9000
< http:
< tls_config:
< insecure_skip_verify: true
< insecure: true
< region: us-east-1
< secret_access_key: thanos-minio123
< sse: {}
---
> s3:
> access_key_id: root-user
> bucketnames: chunks
> endpoint: loki-release-minio.default.svc:9000
> insecure: true
> s3forcepathstyle: true
> secret_access_key: supersecretpassword
620,633d603
< ruler_storage:
< backend: s3
< prefix: null
< s3:
< access_key_id: thanos-minio
< bucket_name: ruler_thanos
< endpoint: http://minio.minio.svc.cluster.local:9000
< http:
< tls_config:
< insecure_skip_verify: true
< insecure: true
< region: us-east-1
< secret_access_key: thanos-minio123
< sse: {}
1271c1241
< checksum/config: 1c596ed8933ceee9bd7c5e30b7b4b6b7c8060ceb4c345db76938b297f96a59e4
---
> checksum/config: 0afeeec017d60fd5bb2d0c8900214e5cdaa121f2c08993d250c03f0821c0d22e
1377c1347
< checksum/config: 1c596ed8933ceee9bd7c5e30b7b4b6b7c8060ceb4c345db76938b297f96a59e4
---
> checksum/config: 0afeeec017d60fd5bb2d0c8900214e5cdaa121f2c08993d250c03f0821c0d22e
1481c1451
< checksum/config: 1c596ed8933ceee9bd7c5e30b7b4b6b7c8060ceb4c345db76938b297f96a59e4
---
> checksum/config: 0afeeec017d60fd5bb2d0c8900214e5cdaa121f2c08993d250c03f0821c0d22e
1697c1667
< checksum/config: 1c596ed8933ceee9bd7c5e30b7b4b6b7c8060ceb4c345db76938b297f96a59e4
---
> checksum/config: 0afeeec017d60fd5bb2d0c8900214e5cdaa121f2c08993d250c03f0821c0d22e
1715c1685
< image: "kiwigrid/k8s-sidecar:1.30.0"
---
> image: "kiwigrid/k8s-sidecar:1.29.1"
1878c1848
< image: memcached:1.6.35-alpine
---
> image: memcached:1.6.34-alpine
1980c1950
< image: memcached:1.6.35-alpine
---
> image: memcached:1.6.34-alpine
2054c2024
< checksum/config: 1c596ed8933ceee9bd7c5e30b7b4b6b7c8060ceb4c345db76938b297f96a59e4
---
> checksum/config: 0afeeec017d60fd5bb2d0c8900214e5cdaa121f2c08993d250c03f0821c0d22e
2209a2180,2202
> # Source: loki/templates/provisioner/rolebinding-provisioner.yaml
> apiVersion: rbac.authorization.k8s.io/v1
> kind: ClusterRoleBinding
> metadata:
> name: enterprise-logs-provisioner
> namespace: default
> labels:
> helm.sh/chart: loki-6.25.1
> app.kubernetes.io/name: enterprise-logs
> app.kubernetes.io/instance: loki-release
> app.kubernetes.io/version: "3.3.2"
> app.kubernetes.io/component: provisioner
> annotations:
> "helm.sh/hook": post-install
> roleRef:
> apiGroup: rbac.authorization.k8s.io
> kind: ClusterRole
> name: enterprise-logs-provisioner
> subjects:
> - kind: ServiceAccount
> name: enterprise-logs-provisioner
> namespace: default
> ---
2348c2341
< "helm.sh/hook": "post-install"
---
> "helm.sh/hook": post-install
2510,2532d2502
< ---
< # Source: loki/templates/provisioner/rolebinding-provisioner.yaml
< apiVersion: rbac.authorization.k8s.io/v1
< kind: ClusterBinding
< metadata:
< name: enterprise-logs-provisioner
< namespace: default
< labels:
< helm.sh/chart: loki-6.25.1
< app.kubernetes.io/name: enterprise-logs
< app.kubernetes.io/instance: loki-release
< app.kubernetes.io/version: "3.3.2"
< app.kubernetes.io/component: provisioner
< annotations:
< "helm.sh/hook": post-install
< roleRef:
< apiGroup: rbac.authorization.k8s.io
< kind: ClusterRole
< name: enterprise-logs-provisioner
< subjects:
< - kind: ServiceAccount
< name: enterprise-logs-provisioner
< namespace: default
Single Binary Scenario-diff-output
default, loki-release-chunks-cache, StatefulSet (apps) has changed:
# Source: loki/templates/chunks-cache/statefulset-chunks-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-chunks-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-chunks-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-chunks-cache"
name: "memcached-chunks-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 9830Mi
requests:
cpu: 500m
memory: 9830Mi
ports:
- containerPort: 11211
name: client
args:
- -m 8192
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
default, loki-release-results-cache, StatefulSet (apps) has changed:
# Source: loki/templates/results-cache/statefulset-results-cache.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-release-results-cache
labels:
helm.sh/chart: loki-6.25.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/version: "3.3.2"
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
{}
namespace: "default"
spec:
podManagementPolicy: Parallel
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
updateStrategy:
type: RollingUpdate
serviceName: loki-release-results-cache
template:
metadata:
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: loki-release
app.kubernetes.io/component: "memcached-results-cache"
name: "memcached-results-cache"
annotations:
spec:
serviceAccountName: loki
securityContext:
fsGroup: 11211
runAsGroup: 11211
runAsNonRoot: true
runAsUser: 11211
initContainers:
[]
nodeSelector:
{}
affinity:
{}
topologySpreadConstraints:
[]
tolerations:
[]
terminationGracePeriodSeconds: 60
containers:
- name: memcached
- image: memcached:1.6.34-alpine
+ image: memcached:1.6.35-alpine
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 1229Mi
requests:
cpu: 500m
memory: 1229Mi
ports:
- containerPort: 11211
name: client
args:
- -m 1024
- --extended=modern,track_sizes
- -I 5m
- -c 16384
- -v
- -u 11211
env:
envFrom:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- name: exporter
image: prom/memcached-exporter:v0.15.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9150
name: http-metrics
args:
- "--memcached.address=localhost:11211"
- "--web.listen-address=0.0.0.0:9150"
resources:
limits: {}
requests: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true |
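Review bot: the new `image: memcached:1.6.35-alpine` line in the results-cache StatefulSet still references the image by tag only, and with `imagePullPolicy: IfNotPresent` a node that already has an image under that tag will not pull again, so what runs depends on what each node cached. Consider letting the chart pin the memcached image by digest (tag plus `@sha256:<digest>`) so the rollout is reproducible and the exact image can be verified. The same applies to the `prom/memcached-exporter:v0.15.0` sidecar further down in the same manifest.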
salvacorts pushed a commit that referenced this pull request Feb 12, 2025
Signed-off-by: Ryan Brady <[email protected]>
What this PR does / why we need it:
In the Grafana Federal Cloud we have clusters where we cannot create ClusterRole/ClusterRoleBinding due to an increased security posture. To ensure we can deploy the provisioner in these clusters, this PR conditionally generates Role instead of ClusterRole if enterprise and enterprise.provisioner are enabled and rbac.namespaced is true.
This PR also updates the provisioner job helm hooks to allow it to be customized to run on other hookTypes. This still defaults to post-install and should have no impact to current usage. This will allow the Grafana Federal Cloud to use the provisioner after helm post-upgrades to attempt to create tenants as required.
Which issue(s) this PR fixes:
Fixes grafana/deployment_tools#185454.
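A check that a reviewer or CI job could run on `helm template` output to confirm the behaviour described above, namely that a render with `rbac.namespaced` set to true contains no ClusterRole or ClusterRoleBinding. This is an added example, not code from the Loki chart or from this PR; the function names and the `example-provisioner` resource name are hypothetical, and the sample manifests are constructed.

```python
import re

CLUSTER_KINDS = {"ClusterRole", "ClusterRoleBinding"}

def parse_docs(rendered):
    """Yield kind, metadata.name and roleRef.kind for each YAML document.
    Line-based (stdlib only); assumes two-space indentation in the render."""
    for raw in re.split(r"(?m)^---\s*$", rendered):
        doc, section = {"kind": None, "name": None, "roleRef": None}, None
        for line in raw.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # skip blanks and "# Source: ..." comments
            indent = len(line) - len(line.lstrip())
            key, _, value = line.strip().partition(":")
            value = value.strip().strip("\"'")
            if indent == 0:
                section = key  # remember which top-level block we are in
                if key == "kind":
                    doc["kind"] = value
            elif indent == 2 and key == "name" and section == "metadata":
                doc["name"] = value
            elif indent == 2 and key == "kind" and section == "roleRef":
                doc["roleRef"] = value
        if doc["kind"]:
            yield doc

def cluster_scoped_rbac(rendered):
    """Return (kind, name, reason) for RBAC a namespace-only install cannot create."""
    findings = []
    for doc in parse_docs(rendered):
        if doc["kind"] in CLUSTER_KINDS:
            findings.append((doc["kind"], doc["name"], "cluster-scoped"))
        elif doc["kind"] == "RoleBinding" and doc["roleRef"] == "ClusterRole":
            # A RoleBinding may reference a ClusterRole, which must then exist.
            findings.append((doc["kind"], doc["name"], "binds a ClusterRole"))
    return findings

# Constructed sample render (apiVersion and rules omitted); names are hypothetical.
NAMESPACED = """\
kind: Role
metadata:
  name: example-provisioner
---
kind: RoleBinding
metadata:
  name: example-provisioner
roleRef:
  kind: Role
subjects:
  - kind: ServiceAccount
"""
CLUSTER_WIDE = NAMESPACED.replace("kind: Role", "kind: ClusterRole")
```

An empty result from `cluster_scoped_rbac` on the namespaced render is the pass condition; any tuple returned names an object that needs cluster-level permissions to install.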