Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[prometheus]: Add possibility to disable securityContext for Prometheus and Alertmanager workloads #2595

Merged
merged 8 commits into from Oct 26, 2022
Merged

[prometheus]: Add possibility to disable securityContext for Prometheus and Alertmanager workloads #2595

merged 8 commits into from Oct 26, 2022

Conversation

CarpathianUA
Copy link
Contributor

@CarpathianUA CarpathianUA commented Oct 20, 2022
edited

Add possibility to disable securityContext for Prometheus and Alertmanager workloads

Signed-off-by: Roman Slipchenko romanslipchenko@gmail.com

What this PR does / why we need it:

Which issue this PR fixes

None

Special notes for your reviewer

Checklist

  • DCO signed
  • Chart Version bumped
  • Title of the PR starts with chart name (e.g. [prometheus-couchdb-exporter])

@CarpathianUA
Add possbility to disable securityContext for Prometheus and Alertman…
f2c2fa5 
…ager workloads

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
monotek
monotek requested changes Oct 21, 2022
View reviewed changes
Copy link
Member

@monotek monotek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please remove all unrealted format changes in the values file.
also new values needs to be in values file.

charts/prometheus/Chart.yaml Outdated Show resolved Hide resolved
@CarpathianUA
Add possbility to disable securityContext for Prometheus and Alertman…
d31daa9 
…ager workloads - fix formatting, add default values

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA
Add possbility to disable securityContext for Prometheus and Alertman…
047beae 
…ager workloads - fix Chart version

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
zanhsieh
zanhsieh requested changes Oct 21, 2022
View reviewed changes
charts/prometheus/templates/alertmanager/deploy.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/alertmanager/sts.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/server/deploy.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/server/sts.yaml Outdated Show resolved Hide resolved
@CarpathianUA CarpathianUA requested review from zanhsieh and monotek and removed request for monotek and zanhsieh October 22, 2022 11:46
zanhsieh
zanhsieh previously approved these changes Oct 22, 2022
View reviewed changes
@CarpathianUA
Copy link
Contributor Author

CarpathianUA commented Oct 24, 2022
edited

@monotek requested changes have been applied, would appreciate a review from your side, thanks in advance!

@CarpathianUA
Add condition to disable containerSecurityContext
cd4b82e 
Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA CarpathianUA requested review from ericpdurand and monotek and removed request for monotek and ericpdurand October 25, 2022 12:11
@ericpdurand
Copy link

That's fine with me.
I'm wondering if the tests with "{{- if .Values.alertmanager.containerSecurityContext }}" could be simply dropped as if the content is empty there is nothing inserted.
That would be less code, more readable.
I let you decide

ericpdurand
ericpdurand previously approved these changes Oct 25, 2022
View reviewed changes
@CarpathianUA
Copy link
Contributor Author

CarpathianUA commented Oct 25, 2022
edited

That's fine with me. I'm wondering if the tests with "{{- if .Values.alertmanager.containerSecurityContext }}" could be simply dropped as if the content is empty there is nothing inserted. That would be less code, more readable. I let you decide

@ericpdurand Yeah, I left it explicitly because of the known bug in Helm.
Due to that bug, and the inability to drop the map from the template via setting it's value to null, and without check for non-empty map ({{- if .Values.alertmanager.containerSecurityContext }}) Helm will render template exactly as containerSecurityContext: {}, and OpenShift will fail security constraint context (SCC) validation on that field. With these two conditions, we can avoid rendering of securityContext map at all, so OpenShift's SCC admission will pass successfully.

@CarpathianUA
Copy link
Contributor Author

@zanhsieh @monotek
Please kindly review the final version of the changes, thanks in advance! I really hope that the PR will be merged soon :)

zanhsieh
zanhsieh previously approved these changes Oct 26, 2022
View reviewed changes
monotek
monotek requested changes Oct 26, 2022
View reviewed changes
charts/prometheus/templates/alertmanager/deploy.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/alertmanager/deploy.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/alertmanager/sts.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/alertmanager/sts.yaml Outdated
@@ -111,8 +115,12 @@ spec:
- name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }}
image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}"
imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}"
{{- if .Values.configmapReload.alertmanager.containerSecurityContextEnabled }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

superfluous too. see above.

charts/prometheus/templates/server/deploy.yaml Outdated Show resolved Hide resolved
charts/prometheus/templates/server/sts.yaml Outdated Show resolved Hide resolved
@monotek
Copy link
Member

monotek commented Oct 26, 2022

@zanhsieh
please check more carefully before approving stuff like this.
change seems not usefull to me.

@CarpathianUA
Copy link
Contributor Author

@zanhsieh please check more carefully before approving stuff like this. change seems not usefull to me.

@monotek What's your concern here?

@CarpathianUA
Remove redundant containerSecurityContextEnabled variable and condtition
34efe4e 
Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA
Copy link
Contributor Author

CarpathianUA commented Oct 26, 2022
edited

@monotek @zanhsieh @ericpdurand Your requested changes have been applied. Please kindly review.

@CarpathianUA CarpathianUA requested review from zanhsieh and ericpdurand and removed request for zanhsieh and ericpdurand October 26, 2022 10:58
@zanhsieh
Copy link
Contributor

@zanhsieh please check more carefully before approving stuff like this. change seems not usefull to me.

@monotek
My apologies. I already addressed my concerns previously, but the original author didn't think those are issues as fitting previous contributors format (mainly battle between with and if). So I thought just let him functionally pass maybe I make another PR myself to tidy up.

@CarpathianUA
Copy link
Contributor Author

@zanhsieh please check more carefully before approving stuff like this. change seems not usefull to me.

@monotek My apologies. I already addressed my concerns previously, but the original author didn't think those are issues as fitting previous contributors format (mainly battle between with and if). So I thought just let him functionally pass maybe I make another PR myself to tidy up.

@zanhsieh
@monotek 's suggested changes were applied - with won here :) I think there is no need for another PR

@zanhsieh
Copy link
Contributor

@zanhsieh please check more carefully before approving stuff like this. change seems not usefull to me.

@monotek My apologies. I already addressed my concerns previously, but the original author didn't think those are issues as fitting previous contributors format (mainly battle between with and if). So I thought just let him functionally pass maybe I make another PR myself to tidy up.

@zanhsieh @monotek 's suggested changes were applied - with won here :) I think there is no need for another PR

With with, if is not needed.

@CarpathianUA
Remove redundant if condition for check if containerSecurtyContext ma…
5320328 
…p is non-empty

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA
Copy link
Contributor Author

@zanhsieh please check more carefully before approving stuff like this. change seems not usefull to me.

@monotek My apologies. I already addressed my concerns previously, but the original author didn't think those are issues as fitting previous contributors format (mainly battle between with and if). So I thought just let him functionally pass maybe I make another PR myself to tidy up.

@zanhsieh @monotek 's suggested changes were applied - with won here :) I think there is no need for another PR

With with, if is not needed.

Just pushed changes for that

@CarpathianUA
Remove redundant if condition with omit func in vafour of with iterator
c367000 
Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA
Remove redundant if condition
24406d3 
Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
@CarpathianUA CarpathianUA requested review from naseemkullah and removed request for zanhsieh October 26, 2022 15:34
naseemkullah
naseemkullah approved these changes Oct 26, 2022
View reviewed changes
Copy link
Member

@naseemkullah naseemkullah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks @CarpathianUA

@CarpathianUA
Copy link
Contributor Author

@monotek Please kindly review, thanks in advance!

@monotek monotek merged commit 8d06d6d into prometheus-community:main Oct 26, 2022
@cm0s cm0s mentioned this pull request Dec 14, 2022
Open
3 tasks
Matiasmct pushed a commit to giffgaff/prometheus-charts that referenced this pull request May 16, 2023
@CarpathianUA @Matiasmct
[prometheus]: Add possibility to disable securityContext for Promethe…
35ff4eb 
…us and Alertmanager workloads (prometheus-community#2595)

* Add possbility to disable securityContext for Prometheus and Alertmanager workloads

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Add possbility to disable securityContext for Prometheus and Alertmanager workloads - fix formatting, add default values

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Add possbility to disable securityContext for Prometheus and Alertmanager workloads - fix Chart version

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Add condition to disable containerSecurityContext

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Remove redundant containerSecurityContextEnabled variable and condtition

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Remove redundant if condition for check if containerSecurtyContext map is non-empty

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Remove redundant if condition with omit func in vafour of with iterator

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

* Remove redundant if condition

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>

Signed-off-by: Roman Slipchenko <romanslipchenko@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@monotek monotek monotek approved these changes

@ericpdurand ericpdurand ericpdurand approved these changes

@naseemkullah naseemkullah naseemkullah approved these changes

@zanhsieh zanhsieh zanhsieh left review comments

@gianrubio gianrubio Awaiting requested review from gianrubio gianrubio is a code owner

@Xtigyro Xtigyro Awaiting requested review from Xtigyro Xtigyro is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@CarpathianUA @ericpdurand @monotek @zanhsieh @naseemkullah