Robot Upgrade: prometheus-node-exporter chart upgrade from 4.6.0 to 4.51.1#3898

Open
weizhoublue wants to merge 1 commit into main from upgrade/prometheus-node-exporter/4.51.1

Conversation

@weizhoublue
Member

I am robot, upgrade: project prometheus-node-exporter chart upgrade from 4.6.0 to 4.51.1

@gemini-code-assist

Summary of Changes

Hello @weizhoublue, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request orchestrates a substantial upgrade of the prometheus-node-exporter Helm chart, bringing it to a much newer version. The primary goal is to integrate a suite of modern features and best practices, notably enhancing security through kube-rbac-proxy and adapting to contemporary Kubernetes resource management paradigms. This update also streamlines Helm chart distribution methods and removes deprecated security configurations, ensuring the chart remains robust and up-to-date with the evolving Kubernetes ecosystem.

Highlights

  • Chart Version Upgrade: The prometheus-node-exporter Helm chart has been upgraded from version 4.6.0 to 4.51.1, along with an appVersion update from 1.3.1 to 1.10.2.
  • Enhanced Security with kube-rbac-proxy: New configurations and templates have been introduced to support kube-rbac-proxy, allowing for secure, authenticated access to the node-exporter metrics endpoint via HTTPS and Kubernetes RBAC.
  • Helm Chart Distribution Updates: The README.md files have been updated to reflect the chart's distribution as an OCI Artifact, alongside the traditional Helm Repository, and installation instructions now prioritize OCI usage.
  • Deprecation of Pod Security Policies (PSP): Several files related to Pod Security Policies (psp-clusterrole.yaml, psp-clusterrolebinding.yaml, psp.yaml) have been removed, aligning with Kubernetes' deprecation of PSPs.
  • Expanded Configuration Options: The values.yaml file has been significantly expanded with new configurable parameters for service dual-stack networking, network policies, termination behavior, host-related mounts, and detailed Prometheus Operator PodMonitor settings.
  • Refined Affinity and Resource Management: Default node affinity rules have been added to exclude Fargate and virtual kubelets, and Vertical Pod Autoscaler (VPA) configurations now include recommenders and more granular control over resource policies.


Changelog
  • charts/prometheus-node-exporter/config
    • Updated the VERSION from 4.6.0 to 4.51.1.
  • charts/prometheus-node-exporter/prometheus-node-exporter/Chart.yaml
    • Updated appVersion from 1.3.1 to 1.10.2.
    • Updated version from 4.6.0 to 4.51.1.
    • Added annotations for artifacthub.io/license and artifacthub.io/links.
    • Added icon URL.
    • Added url fields for existing maintainers and a new maintainer (zeritti).
    • Updated dependency version for prometheus-node-exporter to 4.51.1.
  • charts/prometheus-node-exporter/prometheus-node-exporter/README.md
    • Updated title formatting from # Prometheus Node Exporter`` to # Prometheus Node Exporter.
    • Changed 'Get Repository Info' section to 'Usage' and updated instructions to include OCI Artifact distribution.
    • Updated helm install command to use OCI artifact.
    • Changed section headings for 'Install Chart', 'Uninstall Chart', and 'Upgrading Chart' to sub-headings.
    • Updated helm upgrade command to use OCI artifact.
    • Updated ServiceMonitor and PodMonitor documentation links.
    • Added a new section for kube-rbac-proxy explaining its usage and required ClusterRole for authorization.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/.helmignore
    • Added ci/ to the ignore list.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/Chart.yaml
    • Updated appVersion from 1.3.1 to 1.10.2.
    • Updated version from 4.6.0 to 4.51.1.
    • Added annotations for artifacthub.io/license and artifacthub.io/links.
    • Added icon URL.
    • Added url fields for existing maintainers and a new maintainer (zeritti).
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/README.md
    • Updated title formatting.
    • Updated Helm installation instructions to use OCI artifacts.
    • Added kube-rbac-proxy usage documentation.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/ci/port-values.yaml
    • Removed this file.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/NOTES.txt
    • Added conditional block for kubeRBACProxy.enabled to provide instructions for metrics endpoint protection and required RBAC permissions.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/_helpers.tpl
    • Modified prometheus-node-exporter.labels to use commonLabels with tpl function instead of podLabels.
    • Updated prometheus-node-exporter.image definition to handle image.digest and global.imageRegistry, and explicitly fail on image.sha.
    • Added new helper templates: prometheus-node-exporter.imagePullSecrets, prometheus-node-exporter.podmonitor-namespace, podmonitor.scrapeLimits, prometheus-node-exporter.sidecarVolumeMounts, prometheus-node-exporter.defaultAffinity, and prometheus-node-exporter.mergedAffinities.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrole.yaml
    • Added new file to define a ClusterRole for kubeRBACProxy with permissions for tokenreviews and subjectaccessreviews.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml
    • Added new file to define a ClusterRoleBinding for kubeRBACProxy to bind the service account to the new ClusterRole.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/daemonset.yaml
    • Added revisionHistoryLimit to the DaemonSet spec.
    • Added podLabels to the pod template labels.
    • Modified automountServiceAccountToken to be true if kubeRBACProxy.enabled is true.
    • Added terminationGracePeriodSeconds configuration.
    • Introduced variables $servicePort and $servicePortReference to dynamically set ports based on kubeRBACProxy.enabled.
    • Added --path.udev.data argument to node-exporter if version is >=1.4.0-0.
    • Updated HOST_IP environment variable logic for kubeRBACProxy.
    • Conditional ports block for node-exporter container if kubeRBACProxy.enabled is false.
    • Updated liveness and readiness probes to use 127.0.0.1 host and $servicePortReference if kubeRBACProxy.enabled.
    • Added terminationMessageParams configuration.
    • Added mountPropagation for proc and sys volume mounts.
    • Added extraVolumeMounts to node-exporter container.
    • Refactored sidecar container definition to use prometheus-node-exporter.sidecarVolumeMounts helper.
    • Added kube-rbac-proxy sidecar container definition, including arguments, volume mounts, image configuration, ports, readiness probe, resources, termination message params, env, and security context.
    • Updated imagePullSecrets to use the new prometheus-node-exporter.imagePullSecrets helper.
    • Added hostUsers and hostIPC configurations.
    • Updated affinity to use prometheus-node-exporter.mergedAffinities helper.
    • Added dnsPolicy and restartPolicy configurations.
    • Added type field for hostPath volumes.
    • Added kube-rbac-proxy-config and tlsSecret volumes.
    • Added extraVolumes configuration.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/extra-manifests.yaml
    • Added new file to allow deployment of extra Kubernetes manifests.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/networkpolicy.yaml
    • Added new file to define a NetworkPolicy for the node-exporter service.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/podmonitor.yaml
    • Added new file to define a PodMonitor resource for Prometheus Operator, with extensive configuration options.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml
    • Removed this file, indicating deprecation of Pod Security Policies.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml
    • Removed this file, indicating deprecation of Pod Security Policies.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/psp.yaml
    • Removed this file, indicating deprecation of Pod Security Policies.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/rbac-configmap.yaml
    • Added new file to create a ConfigMap for kube-rbac-proxy authorization configuration.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/service.yaml
    • Wrapped the entire service definition in an if .Values.service.enabled block.
    • Added service.labels to service metadata.
    • Added ipDualStack, externalTrafficPolicy, and internalTrafficPolicy configurations.
    • Added clusterIP configuration for ClusterIP type services.
    • Changed ports.port to use service.servicePort if defined, otherwise service.port.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/serviceaccount.yaml
    • Added automountServiceAccountToken configuration.
    • Updated imagePullSecrets to use the new prometheus-node-exporter.imagePullSecrets helper.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/servicemonitor.yaml
    • Added podTargetLabels, targetLabels, and attachMetadata configurations to the ServiceMonitor spec.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml
    • Added recommenders configuration.
    • Changed containerName from {{ include "prometheus-node-exporter.name" . }} to node-exporter.
    • Modified controlledResources to be a block.
    • Added controlledValues configuration.
    • Modified updatePolicy to be a block.
  • charts/prometheus-node-exporter/prometheus-node-exporter/charts/prometheus-node-exporter/values.yaml
    • Updated image to use registry and repository fields, and added digest instead of sha.
    • Added nameOverride, fullnameOverride, revisionHistoryLimit.
    • Added global section for imagePullSecrets and imageRegistry.
    • Introduced extensive kubeRBACProxy configuration options (enabled, env, image, extraArgs, containerSecurityContext, ports, proxyEndpointsPort, resources, extraVolumeMounts, tls).
    • Added tlsSecret configuration (enabled, caItem, certItem, keyItem, secretName, volumeName).
    • Expanded service configuration with enabled, servicePort, clusterIP, labels, ipDualStack, externalTrafficPolicy, internalTrafficPolicy.
    • Added networkPolicy configuration (enabled, ingress).
    • Added restartPolicy.
    • Updated containerSecurityContext to include readOnlyRootFilesystem: true.
    • Removed pspEnabled and pspAnnotations from rbac section.
    • Added hostUsers and hostIPC.
    • Added hostProcFsMount and hostSysFsMount with mountPropagation.
    • Updated affinity comments to mention default node affinity exclusions.
    • Updated nodeSelector default to kubernetes.io/os: linux.
    • Added terminationGracePeriodSeconds.
    • Added terminationMessageParams (enabled, path, policy).
    • Added dnsPolicy.
    • Added commonLabels.
    • Updated extraHostVolumeMounts comments to include type.
    • Updated sidecars comments to mention default image/securityContext inheritance.
    • Added extraManifests, extraVolumes, extraVolumeMounts.
    • Added version override.
    • Expanded prometheus.monitor with podTargetLabels, targetLabels, attachMetadata.
    • Introduced extensive prometheus.podMonitor configuration options.
    • Expanded verticalPodAutoscaler with recommenders, controlledValues, and updatePolicy details.
Activity
  • The pull request was automatically generated by the user 'weizhoublue', indicating an automated chart upgrade process.
  • The changes are comprehensive, reflecting a major version update of the prometheus-node-exporter Helm chart, incorporating numerous new features and configuration parameters.
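The summary above lists a new ClusterRole granting `create` on tokenreviews and subjectaccessreviews for kube-rbac-proxy. The following is an added example, not code from the chart, node-exporter or kube-rbac-proxy: a small in-memory model of the two API calls the proxy makes for each scrape, showing what those two verbs are used for and what a holder of them can learn. The tokens, the RBAC rules and the `resourceAttributes` the proxy asserts (`services/metrics` in the `monitoring` namespace) are assumptions constructed for the example; the real attributes come from the chart's rbac-configmap.

```python
"""Added example (not code from the chart, node-exporter or kube-rbac-proxy):
a model of the two API calls kube-rbac-proxy makes before forwarding a scrape
to node-exporter, showing what the ClusterRole introduced in this PR
(create on tokenreviews and subjectaccessreviews) is used for and what a
holder of that ClusterRole can and cannot do with it.

The API server, tokens and RBAC rules below are constructed in memory; the
resourceAttributes the proxy asserts are an assumption and must match what the
chart's rbac-configmap actually sets.
"""

# Constructed fake cluster state: bearer token -> (username, groups).
TOKENS = {
    "tok-prom": ("system:serviceaccount:monitoring:prometheus",
                 ["system:serviceaccounts", "system:authenticated"]),
    "tok-node-exporter": ("system:serviceaccount:monitoring:node-exporter",
                          ["system:serviceaccounts", "system:authenticated"]),
}

# Constructed RBAC: (username, verb, resource[/subresource]) triples that the
# cluster's RoleBindings would allow.
ALLOWED = {
    ("system:serviceaccount:monitoring:prometheus", "get", "services/metrics"),
}

# Assumed resourceAttributes from the chart's rbac-configmap (not read from it).
SCRAPE_ATTRIBUTES = {"apiVersion": "v1", "verb": "get",
                     "resource": "services", "subresource": "metrics",
                     "namespace": "monitoring"}


def api_token_review(req):
    """POST /apis/authentication.k8s.io/v1/tokenreviews (fake API server)."""
    assert req["kind"] == "TokenReview"
    ident = TOKENS.get(req["spec"]["token"])
    if ident is None:
        return {"kind": "TokenReview", "status": {"authenticated": False}}
    username, groups = ident
    return {"kind": "TokenReview",
            "status": {"authenticated": True,
                       "user": {"username": username, "groups": groups}}}


def api_subject_access_review(req):
    """POST /apis/authorization.k8s.io/v1/subjectaccessreviews (fake API server)."""
    assert req["kind"] == "SubjectAccessReview"
    spec = req["spec"]
    ra = spec["resourceAttributes"]
    resource = ra["resource"] + ("/" + ra["subresource"] if ra.get("subresource") else "")
    allowed = (spec["user"], ra["verb"], resource) in ALLOWED
    return {"kind": "SubjectAccessReview", "status": {"allowed": allowed}}


def proxy_decide(bearer_token, attributes=SCRAPE_ATTRIBUTES):
    """What kube-rbac-proxy does per request: authenticate, then authorize.

    Returns (http_status, username). Only a 200 is forwarded to node-exporter
    on 127.0.0.1. The proxy's own ServiceAccount token authenticates these two
    API calls, which is why its ClusterRole needs `create` on both resources.
    """
    tr = api_token_review({"apiVersion": "authentication.k8s.io/v1",
                           "kind": "TokenReview",
                           "spec": {"token": bearer_token}})
    if not tr["status"]["authenticated"]:
        return 401, None
    user = tr["status"]["user"]
    sar = api_subject_access_review({"apiVersion": "authorization.k8s.io/v1",
                                     "kind": "SubjectAccessReview",
                                     "spec": {"user": user["username"],
                                              "groups": user["groups"],
                                              "resourceAttributes": attributes}})
    if not sar["status"]["allowed"]:
        return 403, user["username"]
    return 200, user["username"]


def identity_of(token):
    """The most a compromised node-exporter pod gains from `create tokenreviews`:
    it can learn whose token it already holds; it cannot mint or impersonate one."""
    tr = api_token_review({"apiVersion": "authentication.k8s.io/v1",
                           "kind": "TokenReview", "spec": {"token": token}})
    return tr["status"].get("user", {}).get("username")
```

The two request bodies are the shapes kube-rbac-proxy sends to the real API server. Against a live cluster the equivalent check for a scraper identity is `kubectl auth can-i get services/metrics -n monitoring --as=system:serviceaccount:monitoring:prometheus`, with the resource and namespace replaced by what the chart's ConfigMap actually asserts.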

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request upgrades the prometheus-node-exporter Helm chart from version 4.6.0 to 4.51.1, bringing numerous features, enhanced security by removing deprecated PodSecurityPolicy resources, and improved configuration flexibility. A security audit, however, identified potential template injection vulnerabilities due to the use of the tpl function on user-provided values in labels and extra manifests. The RBAC permissions for kube-rbac-proxy are also significant, increasing the potential impact of a pod compromise. It is recommended to review the use of tpl and ensure RBAC permissions adhere to the principle of least privilege. Minor issues also include a markdown formatting error in README files and an inconsistency in the kube-rbac-proxy sidecar image configuration, where sha is used instead of digest.

labels:
{{- include "prometheus-node-exporter.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- tpl (toYaml .) $ | nindent 8 }}
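Review bot: the `tpl` on `podLabels` here turns a plain label map into a render-time template, and the concrete exposure is narrower than generic injection but real: whoever sets `podLabels` already controls the rendered pod spec, so what `tpl` adds is the `lookup` function, which runs with the credentials of whatever performs the install (a GitOps controller's service account under Argo CD or Flux) and can read objects, Secrets included, in namespaces the values author cannot otherwise reach. `lookup` returns an empty result under `helm template` and client-side dry runs, so offline CI rendering will not surface this. Unless templated label values are a documented requirement, render with `{{- toYaml . | nindent 8 }}` as the suggestion does.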


security-medium medium

The use of the tpl function on user-provided values like podLabels can lead to template injection. In environments where the Helm chart is deployed by a service with high privileges (e.g., ArgoCD or Flux), a user who can modify values.yaml could use the lookup function within these templates to access sensitive information, such as Secrets, from any namespace in the cluster. It is recommended to avoid using tpl on values that are intended to be plain strings or maps provided by the user.

        {{- toYaml . | nindent 8 }}

{{- with .Values.podLabels }}
{{ toYaml . }}
{{- with .Values.commonLabels }}
{{ tpl (toYaml .) $ }}
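Review bot: `podLabels` is emitted with plain `toYaml` here but with `tpl (toYaml .)` in the DaemonSet template, so the same value is templated in one place and literal in another, and a value containing `{{` renders differently depending on which template includes it; `commonLabels` then gets `tpl` unconditionally. Use one treatment for both maps, and if `tpl` is kept, state in the values.yaml comment for `commonLabels` that label values are evaluated as templates.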


security-medium medium

The use of the tpl function on commonLabels allows for potential template injection. Similar to podLabels, this can be exploited to leak sensitive information from the cluster using the lookup function if the deployment process has sufficient permissions. Consider using toYaml without tpl for user-provided labels.

{{ toYaml . }}

@@ -0,0 +1,4 @@
{{ range .Values.extraManifests }}
---
{{ tpl . $ }}
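Review bot: `{{ tpl . $ }}` assumes every `extraManifests` entry is a string; a user who supplies the manifest as a YAML map, the more natural form, gets a type error from `tpl` with no hint about the cause. If templating of extra manifests is retained, fail early with a clear message, for example `{{- if not (kindIs "string" .) }}{{- fail "extraManifests entries must be strings" }}{{- end }}` before the `tpl` call, and document in values.yaml that entries are rendered as templates with access to `lookup` under the installer's credentials.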


security-medium medium

Processing extraManifests through the tpl function allows users to inject arbitrary Helm template logic into the deployed manifests. This significantly increases the risk of template injection and unauthorized access to cluster resources via functions like lookup. If this feature is necessary, the security implications should be clearly documented.

{{ . }}

Comment on lines +10 to +17
- apiGroups: [ "authentication.k8s.io" ]
resources:
- tokenreviews
verbs: [ "create" ]
- apiGroups: [ "authorization.k8s.io" ]
resources:
- subjectaccessreviews
verbs: [ "create" ]
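Review bot: `create` on `tokenreviews` and `subjectaccessreviews` is the documented minimum kube-rbac-proxy needs (TokenReview to validate the scraper's bearer token, SubjectAccessReview to ask the API server whether that identity may read the configured resource), so the rule set is already least-privilege for the feature; the question is when it exists. Make sure this ClusterRole and its binding are rendered only when `kubeRBACProxy.enabled` is true, matching the DaemonSet, which mounts the service account token only under that flag, so a deployment without the proxy has neither the binding nor a token in the pod. On the blast radius claimed in the comment: these two verbs let a holder of the pod's token validate tokens it already possesses (learning username and groups) and ask yes/no authorization questions about named subjects; they do not mint tokens or grant impersonation.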


security-medium medium

The ClusterRole created for kube-rbac-proxy grants create permissions on tokenreviews and subjectaccessreviews. These are sensitive cluster-wide permissions. Since this role is bound to the service account used by the node-exporter DaemonSet (which runs on every node and has extensive host access), a compromise of any node-exporter pod could allow an attacker to perform authentication and authorization checks across the entire cluster, facilitating reconnaissance and lateral movement.

- Helm Repository: `https://prometheus-community.github.io/helm-charts` with chart `prometheus-node-exporter`

_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._
The installation instructions use the OCI registry. Refer to the [`helm repo`]([`helm repo`](https://helm.sh/docs/helm/helm_repo/)) command documentation for information on installing charts via the traditional repository.


medium

The markdown for the link to the helm repo documentation is nested, which makes it invalid. This should be corrected to a single, valid link.

Suggested change
The installation instructions use the OCI registry. Refer to the [`helm repo`]([`helm repo`](https://helm.sh/docs/helm/helm_repo/)) command documentation for information on installing charts via the traditional repository.
The installation instructions use the OCI registry. Refer to the [`helm repo`](https://helm.sh/docs/helm/helm_repo/) command documentation for information on installing charts via the traditional repository.

- Helm Repository: `https://prometheus-community.github.io/helm-charts` with chart `prometheus-node-exporter`

_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._
The installation instructions use the OCI registry. Refer to the [`helm repo`]([`helm repo`](https://helm.sh/docs/helm/helm_repo/)) command documentation for information on installing charts via the traditional repository.


medium

The markdown for the link to the helm repo documentation is nested, which makes it invalid. This should be corrected to a single, valid link.

Suggested change
The installation instructions use the OCI registry. Refer to the [`helm repo`]([`helm repo`](https://helm.sh/docs/helm/helm_repo/)) command documentation for information on installing charts via the traditional repository.
The installation instructions use the OCI registry. Refer to the [`helm repo`](https://helm.sh/docs/helm/helm_repo/) command documentation for information on installing charts via the traditional repository.

Comment on lines +219 to +223
{{- if .Values.kubeRBACProxy.image.sha }}
image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}@sha256:{{ .Values.kubeRBACProxy.image.sha }}"
{{- else }}
image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}"
{{- end }}
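Review bot: beyond renaming `sha` to `digest`, the hardcoded `@sha256:` prefix is a usability trap: a value copied from `crane digest` or `docker inspect` output already carries `sha256:`, so it renders as `@sha256:sha256:<hex>` and the pull fails. Appending `@{{ .Values.kubeRBACProxy.image.digest }}` and letting the value carry its algorithm, as the main image helper now does, avoids that and works for other digest algorithms. Note also that when both a tag and a digest are set the runtime resolves by digest and the tag is informational only, so the shipped default of `tag: v0.20.2` with an empty digest leaves the sidecar tag-pinned rather than content-pinned; a values.yaml comment pointing users at the digest field is worth adding.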


medium

For consistency with the main application image, which now uses image.digest, the kube-rbac-proxy image configuration should also be updated to use digest instead of sha. Additionally, hardcoding the sha256: prefix is less flexible; the digest value should ideally include the algorithm.

          {{- if .Values.kubeRBACProxy.image.digest }}
          image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}@{{ .Values.kubeRBACProxy.image.digest }}"
          {{- else }}
          image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}"
          {{- end }}

registry: quay.io
repository: brancz/kube-rbac-proxy
tag: v0.20.2
sha: ""


medium

For consistency with the main application image configuration (image.digest), this field should be renamed from sha to digest. The main image configuration now fails if sha is used, and the same standard should be applied here for the kube-rbac-proxy image.

    digest: ""
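Two of the review findings above, the `tpl` exposure and the `sha`/`digest` image field, can be caught before the chart is rendered. The following is an added example, not part of the chart or this PR: a small Python lint that reproduces the image-reference construction from the DaemonSet hunk beside the suggested form, checks the result against the OCI digest grammar, and flags Go template actions in the values the chart passes through `tpl`. The values it runs on are constructed; the secret names inside them are made up.

```python
"""Added example, not part of the chart or this PR: a pre-render lint for two
of the review findings, runnable without helm or a cluster.

It mirrors how the DaemonSet template assembles the kube-rbac-proxy image
reference (tag, then a hardcoded "@sha256:" prefix) next to the suggested
digest form, validates the result against the OCI digest grammar, and flags Go
template actions in values the chart feeds through `tpl` (podLabels,
commonLabels, extraManifests). The sample values are constructed.
"""
import re

# OCI digest: <algorithm>:<encoded>; for sha256 the encoded part is 64 hex chars.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Any Go template action. `lookup` is the one that reads cluster state at render time.
TEMPLATE_ACTION_RE = re.compile(r"\{\{.*?\}\}", re.S)


def image_ref_current(img, global_registry=""):
    """Reference as the hunk builds it: ':tag' then '@sha256:' + .sha."""
    registry = global_registry or img["registry"]
    base = f'{registry}/{img["repository"]}:{img["tag"]}'
    return f'{base}@sha256:{img["sha"]}' if img.get("sha") else base


def image_ref_suggested(img, global_registry=""):
    """Reference as suggested: ':tag' then '@' + .digest, the digest carrying its algorithm."""
    registry = global_registry or img["registry"]
    base = f'{registry}/{img["repository"]}:{img["tag"]}'
    return f'{base}@{img["digest"]}' if img.get("digest") else base


def check_pinned(ref):
    """None when the reference is pinned by a well-formed digest, else a finding."""
    if "@" not in ref:
        return "tag only: not content-pinned, the registry can repoint the tag"
    digest = ref.split("@", 1)[1]
    if not DIGEST_RE.match(digest):
        return f"malformed digest {digest!r} (would fail to pull)"
    return None


def find_template_actions(values):
    """Findings for user-supplied values the templates pass through tpl."""
    findings = []
    for section in ("podLabels", "commonLabels"):
        for key, val in (values.get(section) or {}).items():
            if TEMPLATE_ACTION_RE.search(str(val)):
                findings.append(f"{section}.{key}: template action in label value {val!r}")
    for i, manifest in enumerate(values.get("extraManifests") or []):
        for action in TEMPLATE_ACTION_RE.findall(manifest):
            if "lookup" in action:
                findings.append(f"extraManifests[{i}]: render-time lookup {action.strip()!r}")
    return findings


# Constructed values: the kube-rbac-proxy image block from the hunk, with the
# digest pasted the way `crane digest` / `docker inspect` print it (prefix included).
PASTED_WITH_PREFIX = {
    "registry": "quay.io", "repository": "brancz/kube-rbac-proxy", "tag": "v0.20.2",
    "sha": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
SUGGESTED_FORM = {
    "registry": "quay.io", "repository": "brancz/kube-rbac-proxy", "tag": "v0.20.2",
    "digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
# Constructed values a careless or hostile values author could supply; secret names are made up.
SAMPLE_VALUES = {
    "podLabels": {"team": "platform"},
    "commonLabels": {"leak": '{{ (lookup "v1" "Secret" "kube-system" "bootstrap").data }}'},
    "extraManifests": [
        "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: harmless\n",
        'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: exfil\n'
        'data:\n  s: {{ (lookup "v1" "Secret" "default" "db") | toJson | quote }}\n',
    ],
}

if __name__ == "__main__":
    for ref in (image_ref_current(PASTED_WITH_PREFIX), image_ref_suggested(SUGGESTED_FORM)):
        print(ref, "->", check_pinned(ref) or "ok")
    for finding in find_template_actions(SAMPLE_VALUES):
        print("finding:", finding)
```

Running the module prints the malformed `@sha256:sha256:...` reference from the current template, a clean one from the suggested form, and two findings: the `lookup` in `commonLabels` and the one in the second extra manifest. `lookup` returns nothing under `helm template`, so a lint like this, or an admission-side check, is the only place the pattern is visible before a GitOps controller renders the chart with real credentials.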

@github-actions github-actions bot force-pushed the upgrade/prometheus-node-exporter/4.51.1 branch 6 times, most recently from ab942ed to edae3f7 on February 10, 2026 20:23
@github-actions github-actions bot force-pushed the upgrade/prometheus-node-exporter/4.51.1 branch 7 times, most recently from a5a0080 to 6cc58d8 on February 17, 2026 20:19
@github-actions github-actions bot force-pushed the upgrade/prometheus-node-exporter/4.51.1 branch 2 times, most recently from fe28347 to 87d7d61 on February 19, 2026 20:16
…4.51.1

Signed-off-by: robot <robot@example.com>
@github-actions github-actions bot force-pushed the upgrade/prometheus-node-exporter/4.51.1 branch from 87d7d61 to 2e44871 on February 20, 2026 20:14
2 participants