Merge upstream

Signed-off-by: Jonas De Gendt <[email protected]>

Author: jdegendt

.github/workflows/update-helm-repo.yaml

@@ -30,6 +30,9 @@ on:
       github_app_pem:
         description: GitHub APP pem to authenticate with
         required: false
+      vault_repo_secret_name:
+        description: Vault secret name that holds repository's GitHub App credentials to authenticate with
+        required: false
       helm_repo_token:
         description: GitHub api token to use against the helm-charts repository
         required: false
@@ -96,37 +99,51 @@ jobs:
     needs: [setup]
     runs-on: ubuntu-latest
     permissions:
+      id-token: write # allows GitHub App to generate id-token from Github's OIDC
       contents: write # allows GITHUB_TOKEN to push chart release, create release, and push tags to github
       packages: write # allows GITHUB_TOKEN to push package to ghcr
     env:
-      github_app_id: ${{ secrets.github_app_id }}
+      # APP_ID and PRIVATE_KEY are overwritten by credentials from vault, if configured
+      GITHUB_APP_ID: ${{ secrets.github_app_id }}
+      PRIVATE_KEY: ${{ secrets.github_app_pem }}
+      VAULT_REPO_SECRET_NAME: ${{ secrets.vault_repo_secret_name }}
     if: needs.setup.outputs.changed == 'true'
     steps:
-      - name: Create a GitHub App installation access token
-        if: env.github_app_id != ''
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      - name: Retrieve GitHub App credentials from Vault
+        if: env.VAULT_REPO_SECRET_NAME != ''
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=${{ env.VAULT_REPO_SECRET_NAME }}:app-id
+            PRIVATE_KEY=${{ env.VAULT_REPO_SECRET_NAME }}:private-key
+
+      - name: Generate GitHub App Token
+        if: env.GITHUB_APP_ID != ''
         id: app-token
+        uses: actions/create-github-app-token@v1
         with:
-          app_id: ${github_app_id}
-          private_key: ${{ secrets.github_app_pem }}
+          # Variables generated by the previous step get-secrets
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
 
       - name: Set the correct token (Github App or PAT)
         env:
           HELM_REPO_TOKEN: ${{ secrets.helm_repo_token }}
           APP_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
-          if [[ "${github_app_id}" == '' ]]; then
+          if [[ "${GITHUB_APP_ID}" == '' ]]; then
             echo "AUTHTOKEN=${HELM_REPO_TOKEN}" >> $GITHUB_ENV
           else
             echo "AUTHTOKEN=${APP_TOKEN}" >> $GITHUB_ENV
           fi
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # zizmor: ignore[artipacked] without this ignore comment, zizmor would complain that persist-credentials is not explicitly set to false. We need it set to true (default) to be able to push the release tags later on in this workflow
         with:
           fetch-depth: 0
           path: source
-          persist-credentials: false
 
       - name: Configure Git
         run: |
@@ -136,13 +153,12 @@ jobs:
 
       - name: Checkout helm-charts
         # The cr tool only works if the target repository is already checked out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # zizmor: ignore[artipacked] without this ignore comment, zizmor would complain that persist-credentials is not explicitly set to false. We need it set to true (default) to be able to push the release tags later on in this workflow
         with:
           fetch-depth: 0
           repository: grafana/helm-charts
           path: helm-charts
-          token: ${{ env.AUTHTOKEN  }}
-          persist-credentials: false
+          token: ${{ env.AUTHTOKEN }}
 
       - name: Configure Git for helm-charts
         run: |
@@ -218,7 +234,7 @@ jobs:
           git tag "${TAGNAME}"
 
       - name: Make github release
-        uses: softprops/action-gh-release@b21b43df682dab285bf5146c1955e7f3560805f8 # tags/v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tags/v1
         with:
           body: |
             ${{ steps.parse-chart.outputs.desc }}

charts/cloudcost-exporter/Chart.yaml

@@ -5,10 +5,10 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 1.0.3
+version: 1.0.4
 
 # This is the version of cloudcost-exporter to be deployed, which should be incremented
 # with each release.
-appVersion: "0.8.0"
+appVersion: "0.8.1"
 
 home: https://github.com/grafana/cloudcost-exporter

charts/cloudcost-exporter/README.md

@@ -2,7 +2,7 @@
 
 Cloud Cost Exporter exports cloud provider agnostic cost metrics to Prometheus.
 
-![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
+![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.1](https://img.shields.io/badge/AppVersion-0.8.1-informational?style=flat-square)
 
 ## Installing the Chart
 

charts/grafana/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: grafana
-version: 8.14.0
-appVersion: 11.6.1
+version: 9.0.0
+appVersion: 12.0.0
 kubeVersion: "^1.8.0-0"
 description: The leading tool for querying and visualizing time series and metrics.
 home: https://grafana.com

charts/grafana/README.md

@@ -130,6 +130,7 @@ need to instead set `global.imageRegistry`.
 | `initChownData.image.sha`                 | init-chown-data container image sha (optional)| `""`                                                    |
 | `initChownData.image.pullPolicy`          | init-chown-data container image pull policy   | `IfNotPresent`                                          |
 | `initChownData.resources`                 | init-chown-data pod resource requests & limits | `{}`                                                   |
+| `initChownData.securityContext`           | init-chown-data pod securityContext           | `{"readOnlyRootFilesystem": false, "runAsNonRoot": false}`, "runAsUser": 0, "seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"add": ["CHOWN"], "drop": ["ALL"]}}` |
 | `schedulerName`                           | Alternate scheduler name                      | `nil`                                                   |
 | `env`                                     | Extra environment variables passed to pods    | `{}`                                                    |
 | `envValueFrom`                            | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
@@ -150,6 +151,7 @@ need to instead set `global.imageRegistry`.
 | `alerting`                                | Configure grafana alerting (passed through tpl) | `{}`                                                  |
 | `notifiers`                               | Configure grafana notifiers                   | `{}`                                                    |
 | `dashboardProviders`                      | Configure grafana dashboard providers         | `{}`                                                    |
+| `defaultCurlOptions`                      | Configure default curl short options for all dashboards, the beginning dash is required  | `-skf`       |
 | `dashboards`                              | Dashboards to import                          | `{}`                                                    |
 | `dashboardsConfigMaps`                    | ConfigMaps reference that contains dashboards | `{}`                                                    |
 | `grafana.ini`                             | Grafana's primary configuration               | `{}`                                                    |
@@ -395,7 +397,16 @@ dashboards:
       - name: DS_LOKI
         value: Loki
     local-dashboard:
-      url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json
+      url: https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json
+      # redirects to:
+      # https://raw.githubusercontent.com/cloudnative-pg/grafana-dashboards/refs/heads/main/charts/cluster/grafana-dashboard.json
+
+      # default: -skf
+      # -s  - silent mode
+      # -k  - allow insecure (eg: non-TLS) connections
+      # -f  - fail fast
+      # -L  - follow HTTP redirects
+      curlOptions: -Lf
 ```
 
 ## BASE64 dashboards

charts/grafana/templates/_config.tpl

@@ -85,7 +85,7 @@ download_dashboards.sh: |
 {{- range $provider, $dashboards := .Values.dashboards }}
   {{- range $key, $value := $dashboards }}
     {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }}
-  curl -skf \
+  curl {{ get $value "curlOptions" | default $.Values.defaultCurlOptions }} \
   --connect-timeout 60 \
   --max-time 60 \
     {{- if not $value.b64content }}

charts/grafana/values.yaml

@@ -475,13 +475,16 @@ initChownData:
   #    cpu: 100m
   #    memory: 128Mi
   securityContext:
+    readOnlyRootFilesystem: false
     runAsNonRoot: false
     runAsUser: 0
     seccompProfile:
       type: RuntimeDefault
     capabilities:
       add:
         - CHOWN
+      drop:
+        - ALL
 
 # Administrator credentials when not using an existing secret (see below)
 adminUser: admin
@@ -806,6 +809,18 @@ dashboardProviders: {}
 #      options:
 #        path: /var/lib/grafana/dashboards/default
 
+## Configure how curl fetches remote dashboards. The beginning dash is required.
+## NOTE: This sets the default short flags for all dashboards, but these
+##       defaults can be overridden individually for each dashboard by setting
+##       curlOptions. See the example dashboards section below.
+##
+## -s  - silent mode
+## -k  - allow insecure (eg: non-TLS) connections
+## -f  - fail fast
+## See the curl documentation for additional options
+##
+defaultCurlOptions: "-skf"
+
 ## Configure grafana dashboard to import
 ## NOTE: To use dashboards you must also enable/configure dashboardProviders
 ## ref: https://grafana.com/dashboards
@@ -825,6 +840,7 @@ dashboards: {}
   #     datasource: Prometheus
   #   local-dashboard:
   #     url: https://example.com/repository/test.json
+  #     curlOptions: "-sLf"
   #     token: ''
   #   local-dashboard-base64:
   #     url: https://example.com/repository/test-b64.json

charts/loki-distributed/Chart.yaml

@@ -3,7 +3,7 @@ name: loki-distributed
 description: Helm chart for Grafana Loki in microservices mode
 type: application
 appVersion: 2.9.13
-version: 0.80.3
+version: 0.80.5
 home: https://grafana.github.io/helm-charts
 sources:
   - https://github.com/grafana/loki

charts/loki-distributed/README.md

@@ -1,6 +1,6 @@
 # loki-distributed
 
-![Version: 0.80.3](https://img.shields.io/badge/Version-0.80.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.13](https://img.shields.io/badge/AppVersion-2.9.13-informational?style=flat-square)
+![Version: 0.80.5](https://img.shields.io/badge/Version-0.80.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.13](https://img.shields.io/badge/AppVersion-2.9.13-informational?style=flat-square)
 
 Helm chart for Grafana Loki in microservices mode
 
@@ -205,6 +205,7 @@ kubectl delete statefulset RELEASE_NAME-loki-distributed-querier -n LOKI_NAMESPA
 | gateway.ingress.enabled | bool | `false` | Specifies whether an ingress for the gateway should be created |
 | gateway.ingress.hosts | list | `[{"host":"gateway.loki.example.com","paths":[{"path":"/"}]}]` | Hosts configuration for the gateway ingress |
 | gateway.ingress.ingressClassName | string | `""` | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 For example: `ingressClassName: nginx` |
+| gateway.ingress.labels | object | `{}` | Custom labels for the gateway ingress |
 | gateway.ingress.tls | list | `[]` | TLS configuration for the gateway ingress |
 | gateway.livenessProbe.httpGet.path | string | `"/"` |  |
 | gateway.livenessProbe.httpGet.port | string | `"http"` |  |
@@ -324,12 +325,14 @@ kubectl delete statefulset RELEASE_NAME-loki-distributed-querier -n LOKI_NAMESPA
 | ingester.replicas | int | `1` | Number of replicas for the ingester |
 | ingester.resources | object | `{}` | Resource requests and limits for the ingester |
 | ingester.serviceLabels | object | `{}` | Labels for ingester service |
+| ingester.statefulStrategy | object | `{"rollingUpdate":{"partition":0}}` | updateStrategy of the ingester statefulset. |
 | ingester.terminationGracePeriodSeconds | int | `300` | Grace period to allow the ingester to shutdown before it is killed. Especially for the ingester, this must be increased. It must be long enough so ingesters can be gracefully shutdown flushing/transferring all data and to successfully leave the member ring on shutdown. |
 | ingester.tolerations | list | `[]` | Tolerations for ingester pods |
 | ingester.topologySpreadConstraints | string | Defaults to allow skew no more then 1 node per AZ | topologySpread for ingester pods. Passed through `tpl` and, thus, to be configured as string |
 | ingress.annotations | object | `{}` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.hosts[0] | string | `"loki.example.com"` |  |
+| ingress.labels | object | `{}` | Custom labels for the ingress |
 | ingress.paths.distributor[0] | string | `"/api/prom/push"` |  |
 | ingress.paths.distributor[1] | string | `"/loki/api/v1/push"` |  |
 | ingress.paths.querier[0] | string | `"/api/prom/tail"` |  |

charts/loki-distributed/templates/gateway/ingress-gateway.yaml

@@ -9,6 +9,9 @@ metadata:
   name: {{ include "loki.gatewayFullname" . }}
   labels:
     {{- include "loki.gatewayLabels" . | nindent 4 }}
+    {{- with .Values.gateway.ingress.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.gateway.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}