diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7060b52..aad12d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- *!Breaking change*: Simplify configuration for the bundled apps
+ - Move all user configs from under `apps.appName.userConfig` from string to regular helm values to `appName.userConfig`
+ - Rename `prometheus-operator-app` to `kube-prometheus-stack`
+ - Rename `promtail-app` to `promtail`
+- Enforce `Cilium Network Policy` by default.
+- Enforce `Pod Security Standard` by default.
+
 ## [0.8.8] - 2023-10-11
 
 ### Changed
diff --git a/helm/observability-bundle/Chart.yaml b/helm/observability-bundle/Chart.yaml
index 4a001e5..ae163ac 100644
--- a/helm/observability-bundle/Chart.yaml
+++ b/helm/observability-bundle/Chart.yaml
@@ -5,7 +5,7 @@ home: https://github.com/giantswarm/observability-bundle
 kubeVersion: ">=1.19.0-0"
 sources:
 - https://github.com/giantswarm/observability-bundle
-version: 0.8.8
+version: 1.0.0
 annotations:
 application.giantswarm.io/app-type: bundle
 application.giantswarm.io/in-cluster-app: "true"
diff --git a/helm/observability-bundle/templates/apps.yaml b/helm/observability-bundle/templates/apps.yaml
index 65af828..ef2801d 100644
--- a/helm/observability-bundle/templates/apps.yaml
+++ b/helm/observability-bundle/templates/apps.yaml
@@ -16,7 +16,6 @@ metadata:
 {{- end }}
 {{- end }}
 labels:
- app.kubernetes.io/name: {{ .appName }}
 {{- include "labels.common" $ | nindent 4 }}
 name: {{ $appName }}
 namespace: {{ $.Release.Namespace }}
@@ -30,7 +29,7 @@ spec:
 namespace: {{ $.Release.Namespace }}
 {{- end }}
 install:
- skipCRDs: {{.skipCRDs | default false }}
+ skipCRDs: {{ .skipCRDs | default false }}
 timeout: 10m
 upgrade:
 timeout: 10m
@@ -51,57 +50,62 @@ spec:
 version: {{ .version }}
 {{- if .extraConfigs }}
 extraConfigs:
- {{- range $extraConfig := .extraConfigs }}
- - kind: {{ $extraConfig.kind }}
- name: {{ tpl $extraConfig.name $ }}
- namespace: {{ tpl $extraConfig.namespace $ }}
- {{- if $extraConfig.priority }}
- priority: {{ $extraConfig.priority }}
+ {{- range $extraConfig := .extraConfigs }}
+ - kind: {{ $extraConfig.kind }}
+ name: {{ tpl $extraConfig.name $ }}
+ namespace: {{ tpl $extraConfig.namespace $ }}
+ {{- if $extraConfig.priority }}
+ priority: {{ $extraConfig.priority }}
+ {{- end }}
 {{- end }}
 {{- end }}
- {{- end }}
- {{- if .userConfig }}
- {{- if or .userConfig.configMap .userConfig.secret }}
+ {{- if $.Values.userConfig }}
+ {{- with (get $.Values.userConfig $key) }}
+ {{- if or .configMap .secret }}
 userConfig:
- {{- if .userConfig.configMap }}
+ {{- if .configMap }}
 configMap:
 name: {{ $appName }}-user-values
 namespace: {{ $.Release.Namespace }}
 {{- end }}
- {{- if .userConfig.secret }}
+ {{- if .secret }}
 secret:
 name: {{ $appName }}-user-secrets
 namespace: {{ $.Release.Namespace }}
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- end }}
 {{- end }}
-{{- if .userConfig }}
-{{- if .userConfig.configMap }}
+
+{{- if $.Values.userConfig }}
+{{- with (get $.Values.userConfig $key) }}
+{{- if ((.configMap).values) }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
 labels:
- app.kubernetes.io/name: {{ .appName }}
 {{- include "labels.common" $ | nindent 4 }}
 name: {{ $appName }}-user-values
 namespace: {{ $.Release.Namespace }}
 data:
- {{- (tpl (.userConfig.configMap | toYaml | toString) $) | nindent 2 }}
+ values: |
+ {{- (tpl (.configMap.values | toYaml | toString) $) | nindent 4 }}
 {{- end }}
-{{- if .userConfig.secret }}
+{{- if ((.secret).values) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 labels:
- app.kubernetes.io/name: {{ .appName }}
 {{- include "labels.common" $ | nindent 4 }}
 name: {{ $appName }}-user-secrets
 namespace: {{ $.Release.Namespace }}
 stringData:
- {{- (tpl (.userConfig.secret | toYaml | toString) $) | nindent 2 }}
+ values: |
+ {{- (tpl (.secret.values | toYaml | toString) $) | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end -}}
diff --git a/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml b/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml
deleted file mode 100644
index 4358354..0000000
--- a/helm/observability-bundle/templates/prometheus-agent-extraconfig.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- values: |
- prometheus-agent:
- psp:
- enabled: {{ not .Values.global.podSecurityStandards.enforced }}
-kind: ConfigMap
-metadata:
- name: "{{ $.Values.clusterID }}-prometheus-agent-extraconfig"
- namespace: "{{ $.Release.Namespace }}"
diff --git a/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml b/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml
deleted file mode 100644
index 1ebc750..0000000
--- a/helm/observability-bundle/templates/prometheus-operator-extraconfig.yaml
+++ /dev/null
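Review bot: The App CR's `userConfig` reference and the rendered ConfigMap/Secret are gated by different conditions: the reference is emitted when `.configMap` or `.secret` is truthy (`{{- if or .configMap .secret }}`), while the objects themselves are only rendered when `((.configMap).values)` / `((.secret).values)` is non-empty, so a `userConfig.<app>.configMap: {values: {}}` (constructed example) yields an App CR pointing at a `<app>-user-values` ConfigMap that is never created. Using the same guards in the spec block closes the gap: `{{- if or ((.configMap).values) ((.secret).values) }}`, `{{- if ((.configMap).values) }}`, `{{- if ((.secret).values) }}`. The Secret block also writes `.secret.values` into `stringData` straight from chart values; a comment above it such as `# values under userConfig.<app>.secret end up in a Secret but still live in plain chart values — do not commit real credentials here` would make that handling obvious to operators. The enclosing `range` that defines `$key` and `$appName` starts outside the hunk.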
@@ -1,42 +0,0 @@
-apiVersion: v1
-data:
- values: |
- {{- if .Values.global.podSecurityStandards.enforced }}
- global:
- rbac:
- pspEnabled: false
- {{- end }}
- prometheus-operator-app:
- defaultRules:
- create: false
- alertmanager:
- enabled: false
- grafana:
- enabled: false
- {{- if .Values.global.podSecurityStandards.enforced }}
- rbac:
- pspEnabled: false
- {{- end }}
- {{- if .Values.global.podSecurityStandards.enforced }}
- prometheus-node-exporter:
- rbac:
- pspEnabled: false
- {{- end }}
- prometheus:
- enabled: false
- {{- if .Values.ciliumNetworkPolicy.enabled }}
- prometheusOperator:
- networkPolicy:
- flavor: cilium
- matchLabels:
- app.kubernetes.io/instance: prometheus-operator-app
- app.kubernetes.io/part-of: prometheus-operator-app
- application.giantswarm.io/team: atlas
- kube-state-metrics:
- networkPolicy:
- flavor: cilium
- {{- end }}
-kind: ConfigMap
-metadata:
- name: "{{ $.Values.clusterID }}-prometheus-operator"
- namespace: "{{ $.Release.Namespace }}"
diff --git a/helm/observability-bundle/templates/promtail-extraconfig.yaml b/helm/observability-bundle/templates/promtail-extraconfig.yaml
deleted file mode 100644
index df60393..0000000
--- a/helm/observability-bundle/templates/promtail-extraconfig.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-data:
- values: |
- ciliumNetworkPolicy:
- enabled: {{ .Values.ciliumNetworkPolicy.enabled }}
- promtail:
- {{- if .Values.global.podSecurityStandards.enforced }}
- rbac:
- pspEnabled: false
- {{- end }}
- {{- if not .Values.ciliumNetworkPolicy.enabled }}
- networkPolicy:
- enabled: true
- {{- end }}
-kind: ConfigMap
-metadata:
- name: "{{ $.Values.clusterID }}-promtail-app-extraconfig"
- namespace: "{{ $.Release.Namespace }}"
diff --git a/helm/observability-bundle/values.schema.json b/helm/observability-bundle/values.schema.json
index 30dbdaf..5c23e0e 100644
--- a/helm/observability-bundle/values.schema.json
+++ b/helm/observability-bundle/values.schema.json
@@ -5,7 +5,7 @@ "apps": { "type": "object", "properties": { - "prometheus-agent": { + "kubePrometheusStack": { "type": "object", "properties": { "appName": { @@ -23,35 +23,18 @@ "enabled": { "type": "boolean" }, - "extraConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - } - } - } - }, "namespace": { "type": "string" }, - "userConfig": { - "type": "object" + "skipCRDs": { + "type": "boolean" }, "version": { "type": "string" } } }, - "prometheus-operator-app": { + "prometheusAgent": { "type": "object", "properties": { "appName": { @@ -89,18 +72,12 @@ "namespace": { "type": "string" }, - "skipCRDs": { - "type": "boolean" - }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } } }, - "prometheus-operator-crd": { + "prometheusOperatorCrd": { "type": "object", "properties": { "appName": { @@ -115,21 +92,15 @@ "enabled": { "type": "boolean" }, - "extraConfigs": { - "type": "array" - }, "namespace": { "type": "string" }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } } }, - "promtail-app": { + "promtail": { "type": "object", "properties": { "appName": { @@ -164,9 +135,6 @@ "namespace": { "type": "string" }, - "userConfig": { - "type": "object" - }, "version": { "type": "string" } 
@@ -174,32 +142,214 @@ } } }, - "ciliumNetworkPolicy": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, "clusterID": { "type": "string" }, - "global": { + "organization": { + "type": "string" + }, + "userConfig": { "type": "object", "properties": { - "podSecurityStandards": { + "kubePrometheusStack": { "type": "object", "properties": { - "enforced": { - "type": "boolean" + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object", + "properties": { + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "kube-prometheus-stack": { + "type": "object", + "properties": { + "alertmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "defaultRules": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "grafana": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "kube-state-metrics": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "flavor": { + "type": "string" + } + } + } + } + }, + "prometheus": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "prometheus-node-exporter": { + "type": "object", + "properties": { + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "prometheusOperator": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "flavor": { + "type": "string" + }, + "matchLabels": { + "type": "object", + "properties": { + "app.kubernetes.io/instance": { + "type": "string" + }, + "app.kubernetes.io/part-of": { + "type": "string" + }, + "application.giantswarm.io/team": { + 
"type": "string" + } + } + } + } + } + } + } + } + } + } + } + } + } + } + }, + "prometheusAgent": { + "type": "object", + "properties": { + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "prometheus-agent": { + "type": "object", + "properties": { + "psp": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + } + } + } + } + } + } + }, + "promtail": { + "type": "object", + "properties": { + "configMap": { + "type": "object", + "properties": { + "values": { + "type": "object", + "properties": { + "ciliumNetworkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "promtail": { + "type": "object", + "properties": { + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + } + } + } + } } } } } - }, - "organization": { - "type": "string" } } } diff --git a/helm/observability-bundle/values.yaml b/helm/observability-bundle/values.yaml index 7119045..9f95b07 100644 --- a/helm/observability-bundle/values.yaml +++ b/helm/observability-bundle/values.yaml 
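Review bot: The new `userConfig.<app>` schema describes only `configMap`, but `templates/apps.yaml` in this same change also reads `userConfig.<app>.secret.values`, so a `secret` block is either accepted without any validation or, if the schema sets `additionalProperties: false` somewhere not visible here, rejected outright. Adding a `secret` property beside each `configMap`, e.g. `"secret": { "type": "object", "properties": { "values": { "type": "object" } } }`, keeps the schema in step with what the template consumes. As a point of style, the `values` sub-schemas enumerate every default key for each app; that documents the defaults, but it also means the schema has to be edited whenever a default in `values.yaml` changes.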
@@ -1,15 +1,56 @@ clusterID: "" organization: "" -global: - podSecurityStandards: - enforced: false - -ciliumNetworkPolicy: - enabled: false +userConfig: + kubePrometheusStack: + configMap: + values: + global: + rbac: + pspEnabled: false + kube-prometheus-stack: + defaultRules: + create: false + alertmanager: + enabled: false + grafana: + enabled: false + rbac: + pspEnabled: false + prometheus-node-exporter: + rbac: + pspEnabled: false + prometheus: + enabled: false + prometheusOperator: + networkPolicy: + flavor: cilium + matchLabels: + app.kubernetes.io/instance: kube-prometheus-stack + app.kubernetes.io/part-of: kube-prometheus-stack + application.giantswarm.io/team: atlas + kube-state-metrics: + networkPolicy: + flavor: cilium + prometheusAgent: + configMap: + values: + prometheus-agent: + psp: + enabled: false + promtail: + configMap: + values: + ciliumNetworkPolicy: + enabled: true + promtail: + rbac: + pspEnabled: false + networkPolicy: + enabled: false apps: - prometheus-operator-crd: + prometheusOperatorCrd: appName: prometheus-operator-crd chartName: prometheus-operator-crd catalog: default 
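Review bot: The promtail defaults decouple the two network-policy switches that the deleted `promtail-extraconfig.yaml` kept in sync: `ciliumNetworkPolicy.enabled: true` is paired with `promtail.networkPolicy.enabled: false`, whereas the old template set `networkPolicy.enabled: true` whenever the Cilium policy was off. A user who overrides `ciliumNetworkPolicy.enabled` to `false` now runs promtail with no network policy at all unless they also flip `networkPolicy.enabled`, and nothing in the file says so. A comment above `ciliumNetworkPolicy:` such as `# On clusters without Cilium set this to false AND promtail.networkPolicy.enabled to true, otherwise promtail has no network policy` would preserve that knowledge. The same applies to the `pspEnabled: false` / `psp.enabled: false` defaults, which were previously driven by one `podSecurityStandards.enforced` flag and now have to be changed in several places on clusters that still rely on PSP.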
@@ -18,34 +59,20 @@ apps: # used by renovate # repo: giantswarm/prometheus-operator-crd version: 6.1.0 - # User values can be provided via a ConfigMap or Secret for each individual app - userConfig: {} - # a list of extraConfigs for the App, - # It can be secret or configmap - # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example - extraConfigs: [] - prometheus-operator-app: - appName: prometheus-operator-app - chartName: prometheus-operator-app - catalog: default + kubePrometheusStack: + appName: kube-prometheus-stack + chartName: kube-prometheus-stack + catalog: default-test dependsOn: prometheus-operator-crd enabled: true namespace: kube-system skipCRDs: true # used by renovate - # repo: giantswarm/prometheus-operator-app - version: 6.2.1 - userConfig: {} - # a list of extraConfigs for the App, - # It can be secret or configmap - # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example - extraConfigs: - - kind: configMap - name: "{{ $.Values.clusterID }}-prometheus-operator" - namespace: "{{ $.Release.Namespace }}" + # repo: giantswarm/kube-prometheus-stack + version: 6.2.1-4513cea606f680171c64fb74d4302321544559cf - prometheus-agent: + prometheusAgent: appName: prometheus-agent chartName: prometheus-agent catalog: default @@ -55,16 +82,10 @@ apps: # used by renovate # repo: giantswarm/prometheus-agent-app version: 0.6.5 - # User values can be provided via a ConfigMap or Secret for each individual app - # using the structure shown below. - userConfig: {} # a list of extraConfigs for the App, # It can be secret or configmap # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example extraConfigs: - - kind: configMap - name: "{{ $.Values.clusterID }}-prometheus-agent-extraconfig" - namespace: "{{ $.Release.Namespace }}" - kind: secret name: "{{ $.Values.clusterID }}-remote-write-secret" namespace: "{{ $.Release.Namespace }}" 
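Review bot: `kubePrometheusStack` is pinned to `catalog: default-test` with `version: 6.2.1-4513cea606f680171c64fb74d4302321544559cf`, i.e. a pre-release build from a test catalog, while `Chart.yaml` in this change bumps the bundle to `1.0.0`. Resolving a chart from a non-production catalog changes which publisher is trusted for that app; every other entry in this file uses `catalog: default` or `catalog: giantswarm`. Before this is tagged it should read `catalog: default` with a released `version:`, or the reason for the test catalog should be stated in a comment next to it so it is not shipped by accident.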
@@ -72,8 +93,8 @@ apps: name: "{{ $.Values.clusterID }}-remote-write-config" namespace: "{{ $.Release.Namespace }}" - promtail-app: - appName: promtail-app + promtail: + appName: promtail chartName: promtail catalog: giantswarm enabled: false @@ -81,8 +102,6 @@ apps: # used by renovate # repo: giantswarm/promtail-app version: 1.4.0 - # User values can be provided via a ConfigMap or Secret for each individual app - userConfig: {} # a list of extraConfigs for the App, # It can be secret or configmap # https://github.com/giantswarm/rfc/tree/main/multi-layer-app-config#example @@ -93,6 +112,3 @@ apps: - kind: configMap name: "{{ $.Values.clusterID }}-logging-config" namespace: "{{ $.Release.Namespace }}" - - kind: configMap - name: "{{ $.Values.clusterID }}-promtail-app-extraconfig" - namespace: "{{ $.Release.Namespace }}"