From 9a21d1b80f301bb9cd86f8ca9c79c71c4979326f Mon Sep 17 00:00:00 2001 From: treksler Date: Tue, 16 Apr 2024 17:42:46 -0600 Subject: [PATCH 01/10] only enable psp in kubernetes version less than 1.25 --- charts/metrics-server/templates/psp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/metrics-server/templates/psp.yaml b/charts/metrics-server/templates/psp.yaml index bf8ace1ae..d5710de0b 100644 --- a/charts/metrics-server/templates/psp.yaml +++ b/charts/metrics-server/templates/psp.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.pspEnabled }} +{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: From 48e7fd27aef688d8204a6de6973043c3ce4f1658 Mon Sep 17 00:00:00 2001 From: treksler Date: Tue, 16 Apr 2024 17:47:35 -0600 Subject: [PATCH 02/10] Update README.md --- charts/metrics-server/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/metrics-server/README.md b/charts/metrics-server/README.md index 0cbffc49e..9783c9669 100644 --- a/charts/metrics-server/README.md +++ b/charts/metrics-server/README.md 
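Review bot: With the added `semverCompare "<1.25-0"` guard in psp.yaml, a release that sets `rbac.pspEnabled: true` on Kubernetes 1.25 or later renders no PodSecurityPolicy and gives no signal at install time, so an operator can assume a pod-level restriction exists when none does. A line in the chart's install notes (or a `fail`/warning path) saying the policy was skipped and that Pod Security Admission is the replacement would close that gap. Any other template gated on `.Values.rbac.pspEnabled` alone, such as an RBAC rule granting `use` on the policy, is not visible here and should get the same version condition. `.Capabilities.KubeVersion.GitVersion` is deprecated in Helm 3, so I would write `(semverCompare "<1.25-0" .Capabilities.KubeVersion.Version)`; note that offline rendering with `helm template` evaluates this against Helm's default version unless `--kube-version` is passed. The matching `{{- end }}` is outside the hunk.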
@@ -33,7 +33,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` | | `serviceAccount.secrets` | The list of secrets mountable by this service account. See | `[]` | | `rbac.create` | If `true`, create the RBAC resources. | `true` | -| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `false` | +| `rbac.pspEnabled` | If `true`, create a pod security policy resource, unless Kubernetes version is 1.25 or later. | `false` | | `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` | | `apiService.annotations` | Annotations to add to the API service | `{}` | | `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification (NOTE: this setting is not a proxy for the `--kubelet-insecure-tls` metrics-server flag) | `true` | From dc602ab3cbe3d2a2189c3db9f6ce8e3b759aa384 Mon Sep 17 00:00:00 2001 From: treksler Date: Tue, 16 Apr 2024 17:48:28 -0600 Subject: [PATCH 03/10] Update values.yaml --- charts/metrics-server/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml index 4f6b9219b..e35385211 100644 --- a/charts/metrics-server/values.yaml +++ b/charts/metrics-server/values.yaml @@ -29,6 +29,7 @@ serviceAccount: rbac: # Specifies whether RBAC resources should be created create: true + # Note: PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later. pspEnabled: false apiService: From 52677a2e9d0d1ad9caf0f3eef7d15512dfcef5be Mon Sep 17 00:00:00 2001 
From: Charles SENGES Date: Fri, 26 Apr 2024 09:49:13 +0200 Subject: [PATCH 04/10] chore(chart): add conditional include on optional Deployment schedulerName --- charts/metrics-server/CHANGELOG.md | 1 + charts/metrics-server/templates/deployment.yaml | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md index 735a0e369..3a47d15fb 100644 --- a/charts/metrics-server/CHANGELOG.md +++ b/charts/metrics-server/CHANGELOG.md @@ -19,6 +19,7 @@ ### Changed - Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1). ([#1461](https://github.com/kubernetes-sigs/metrics-server/pull/1461)) _@stevehipwell_ +- Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ ## [3.12.0] - 2024-02-07 diff --git a/charts/metrics-server/templates/deployment.yaml b/charts/metrics-server/templates/deployment.yaml index 48cda7feb..dd628f9bd 100644 --- a/charts/metrics-server/templates/deployment.yaml +++ b/charts/metrics-server/templates/deployment.yaml @@ -33,7 +33,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - schedulerName: {{ .Values.schedulerName }} + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} From 6a2beb03bded1f849588b4df41de94f041865f3b Mon Sep 17 00:00:00 2001 From: Nathanael Liechti Date: Wed, 1 May 2024 11:57:15 +0000 Subject: [PATCH 05/10] fix(helm): nanny rolebinding needs to be in release ns Signed-off-by: Nathanael Liechti --- charts/metrics-server/CHANGELOG.md | 5 +++++ charts/metrics-server/templates/rolebinding-nanny.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md index 3a47d15fb..5a1fc6056 100644 
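Review bot: The value on the new `schedulerName: {{ . }}` line in deployment.yaml is emitted unquoted, so a name that YAML reads as a non-string (for example all digits) or that contains `: ` or ` #` changes the shape of the pod spec instead of passing through as a string. `schedulerName: {{ . | quote }}` keeps it a string in every case. The pod `spec:` block continues outside the hunk.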
--- a/charts/metrics-server/CHANGELOG.md +++ b/charts/metrics-server/CHANGELOG.md @@ -14,6 +14,11 @@ ## [UNRELEASED] +### Fixed + +- Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@ +the-technat_ + ## [3.12.1] - TBC ### Changed diff --git a/charts/metrics-server/templates/rolebinding-nanny.yaml b/charts/metrics-server/templates/rolebinding-nanny.yaml index 73bfaaffe..228c0cfec 100644 --- a/charts/metrics-server/templates/rolebinding-nanny.yaml +++ b/charts/metrics-server/templates/rolebinding-nanny.yaml @@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ printf "%s-nanny" (include "metrics-server.fullname" .) }} - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{- include "metrics-server.labels" . | nindent 4 }} roleRef: From 27afcec46b9c2e31bf98260e9a78a197111f1ebb Mon Sep 17 00:00:00 2001 From: Jimmy Ungerman Date: Mon, 17 Jun 2024 09:21:23 -0600 Subject: [PATCH 06/10] addOnResizer update --- charts/metrics-server/CHANGELOG.md | 3 +++ charts/metrics-server/README.md | 2 +- charts/metrics-server/values.yaml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md index 5a1fc6056..5a7b3c5ca 100644 --- a/charts/metrics-server/CHANGELOG.md +++ b/charts/metrics-server/CHANGELOG.md @@ -19,6 +19,9 @@ - Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@ the-technat_ +- ### Changed +- Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). _@jimmy-ungerman_ + ## [3.12.1] - TBC ### Changed diff --git a/charts/metrics-server/README.md b/charts/metrics-server/README.md index 9783c9669..4b6ce652b 100644 
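Review bot: The nanny RoleBinding now lands in `{{ .Release.Namespace }}`, but the visible lines do not show that the Role named under `roleRef:` and the ServiceAccount subject moved with it. A RoleBinding can only reference a Role in its own namespace, so if the Role template still carries `namespace: kube-system` the binding dangles for any release installed elsewhere and the nanny container loses its permissions. It is worth confirming that both the Role and the subject's `namespace:` use `{{ .Release.Namespace }}`, which also keeps the grant scoped to the release namespace rather than kube-system. The `roleRef:` block continues outside the hunk.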
--- a/charts/metrics-server/README.md +++ b/charts/metrics-server/README.md @@ -63,7 +63,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch | `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` | | `addonResizer.securityContext` | Security context for the _metrics_server_container. | _See values.yaml | | `addonResizer.image.repository` | addon-resizer image repository | `registry.k8s.io/autoscaling/addon-resizer` | -| `addonResizer.image.tag` | addon-resizer image tag | `1.8.19` | +| `addonResizer.image.tag` | addon-resizer image tag | `1.8.21` | | `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` | | `addonResizer.nanny.cpu` | The base CPU requirement. | `0m` | | `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | `1m` | diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml index e35385211..be843db41 100644 --- a/charts/metrics-server/values.yaml +++ b/charts/metrics-server/values.yaml @@ -130,7 +130,7 @@ addonResizer: enabled: false image: repository: registry.k8s.io/autoscaling/addon-resizer - tag: 1.8.20 + tag: 1.8.21 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true From 21019d3854ddd8718c673693708e0ea5931e6345 Mon Sep 17 00:00:00 2001 From: Sean Liao Date: Thu, 15 Aug 2024 15:38:57 +0800 Subject: [PATCH 07/10] explicit protocol selection with appProtocol Signed-off-by: Sean Liao --- charts/metrics-server/templates/service.yaml | 1 + manifests/base/service.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/metrics-server/templates/service.yaml b/charts/metrics-server/templates/service.yaml index d45bcf36a..35318a48b 100644 --- a/charts/metrics-server/templates/service.yaml +++ b/charts/metrics-server/templates/service.yaml 
@@ -19,5 +19,6 @@ spec: port: {{ .Values.service.port }} protocol: TCP targetPort: https + appProtocol: https selector: {{- include "metrics-server.selectorLabels" . | nindent 4 }} diff --git a/manifests/base/service.yaml b/manifests/base/service.yaml index d1785c989..79eaaef0a 100644 --- a/manifests/base/service.yaml +++ b/manifests/base/service.yaml @@ -10,3 +10,4 @@ spec: port: 443 protocol: TCP targetPort: https + appProtocol: https From c947981e07ff660eb4ed83ef36a8cd45c9b579d6 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Tue, 10 Sep 2024 17:12:56 +0100 Subject: [PATCH 08/10] feat(chart): Updated image to v0.7.2 Signed-off-by: Steve Hipwell --- charts/metrics-server/CHANGELOG.md | 22 ++++++++++++++----- charts/metrics-server/Chart.yaml | 12 +++++++--- .../metrics-server/templates/deployment.yaml | 4 ++-- .../templates/servicemonitor.yaml | 2 +- 4 files changed, 28 insertions(+), 12 deletions(-) diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md index 5a7b3c5ca..481fb57eb 100644 --- a/charts/metrics-server/CHANGELOG.md +++ b/charts/metrics-server/CHANGELOG.md 
@@ -14,15 +14,24 @@ ## [UNRELEASED] -### Fixed +## [3.12.2] - TBC + +### Added + +- Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@ +seankhliao_ -- Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@ -the-technat_ +### Changed + +- Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2). ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ +- Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). ([#1504](https://github.com/kubernetes-sigs/metrics-server/pull/1504)) _@jimmy-ungerman_ + +### Fixed -- ### Changed -- Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). _@jimmy-ungerman_ +- Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@the-technat_ +- Fixed the `ServiceMonitor` job label. ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ -## [3.12.1] - TBC +## [3.12.1] - 2024-04-05 ### Changed @@ -143,6 +152,7 @@ the-technat_ RELEASE LINKS --> [UNRELEASED]: https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server +[3.12.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.2 [3.12.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.1 [3.12.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.0 [3.11.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.11.0 
diff --git a/charts/metrics-server/Chart.yaml b/charts/metrics-server/Chart.yaml index eb26cc7d4..65803bf3c 100644 --- a/charts/metrics-server/Chart.yaml +++ b/charts/metrics-server/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: metrics-server description: Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. type: application -version: 3.12.1 -appVersion: 0.7.1 +version: 3.12.2 +appVersion: 0.7.2 keywords: - kubernetes - metrics-server @@ -21,5 +21,11 @@ maintainers: url: https://github.com/endrec annotations: artifacthub.io/changes: | + - kind: added + description: "Explicitly added the app protocol to the service." - kind: changed - description: "Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1)." + description: "Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2)." + - kind: changed + description: "Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21)" + - kind: fixed + description: "Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace." diff --git a/charts/metrics-server/templates/deployment.yaml b/charts/metrics-server/templates/deployment.yaml index dd628f9bd..37e7f953b 100644 --- a/charts/metrics-server/templates/deployment.yaml +++ b/charts/metrics-server/templates/deployment.yaml @@ -11,8 +11,8 @@ metadata: {{- end }} spec: replicas: {{ .Values.replicas }} - {{- if or (kindIs "float64" .Values.revisionHistoryLimit) (kindIs "int64" .Values.revisionHistoryLimit) }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }} + {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- end }} {{- with .Values.updateStrategy }} strategy: 
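Review bot: The new guard `not (has (quote .Values.revisionHistoryLimit) (list "" (quote "")))` in deployment.yaml is hard to read and no longer checks the value's type. As far as I can tell it skips only an unset or empty-string value, and the emitted line has dropped the `| int64` cast, so a non-numeric string now reaches the manifest and fails at API validation instead of being ignored. I would add a template comment above it, such as `{{- /* emit when set: nil and "" are skipped, 0 is kept */}}`. If the chart ships a values schema (not visible here), `revisionHistoryLimit` should be declared there as an integer or null, so the type check the old `kindIs` condition provided is not lost. The `spec:` block continues outside the hunk.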
diff --git a/charts/metrics-server/templates/servicemonitor.yaml b/charts/metrics-server/templates/servicemonitor.yaml index 5c1c5b775..079318d20 100644 --- a/charts/metrics-server/templates/servicemonitor.yaml +++ b/charts/metrics-server/templates/servicemonitor.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - jobLabel: {{ .Release.Name }} + jobLabel: app.kubernetes.io/instance namespaceSelector: matchNames: - {{ .Release.Namespace }} From dea731bac85211c58d48ba6ec1f5d595ac3fce20 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Mon, 7 Oct 2024 16:35:14 +0100 Subject: [PATCH 09/10] fix: Fixed changelog Signed-off-by: Steve Hipwell --- charts/metrics-server/CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/metrics-server/CHANGELOG.md b/charts/metrics-server/CHANGELOG.md index 481fb57eb..bc073ebb7 100644 --- a/charts/metrics-server/CHANGELOG.md +++ b/charts/metrics-server/CHANGELOG.md 
@@ -18,16 +18,17 @@ ### Added -- Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@ -seankhliao_ +- Explicitly added the app protocol to the service. ([#1540](https://github.com/kubernetes-sigs/metrics-server/pull/1540)) _@seankhliao_ ### Changed - Updated the _Metrics Server_ OCI image to [v0.7.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.2). ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ - Updated the _addonResizer_ OCI image to [1.8.21](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.21). ([#1504](https://github.com/kubernetes-sigs/metrics-server/pull/1504)) _@jimmy-ungerman_ +- Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ ### Fixed +- Fixed PSPs to only be templated for supported K8s versions. ([#1471](https://github.com/kubernetes-sigs/metrics-server/pull/1471)) _@treksler_ - Fixed nanny's RoleBinding which contained a hard-coded namespace instead of the Helm's release namespace. ([#1479](https://github.com/kubernetes-sigs/metrics-server/pull/1479)) _@the-technat_ - Fixed the `ServiceMonitor` job label. ([#1568](https://github.com/kubernetes-sigs/metrics-server/pull/1568)) _@stevehipwell_ @@ -36,7 +37,6 @@ seankhliao_ ### Changed - Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1). ([#1461](https://github.com/kubernetes-sigs/metrics-server/pull/1461)) _@stevehipwell_ -- Changed `Deployment` templating to ignore `schedulerName` when value is empty. ([#1475](https://github.com/kubernetes-sigs/metrics-server/pull/1475)) _@senges_ ## [3.12.0] - 2024-02-07 From 5b259c54ee1ef1a15b43eb81f174d40393927128 Mon Sep 17 00:00:00 2001 
From: Damien Grisonnet Date: Thu, 29 Aug 2024 15:09:32 +0200 Subject: [PATCH 10/10] .github: add content write perm to release jobs Signed-off-by: Damien Grisonnet --- .github/workflows/gh-workflow-approve.yaml | 3 +++ .github/workflows/lint-test-chart.yaml | 3 +++ .github/workflows/release-chart.yaml | 5 +++++ .github/workflows/release.yaml | 5 +++++ 4 files changed, 16 insertions(+) diff --git a/.github/workflows/gh-workflow-approve.yaml b/.github/workflows/gh-workflow-approve.yaml index c63152d1d..e0c8ae839 100644 --- a/.github/workflows/gh-workflow-approve.yaml +++ b/.github/workflows/gh-workflow-approve.yaml @@ -8,6 +8,9 @@ on: branches: - master +permissions: + contents: read + jobs: approve: name: Approve ok-to-test diff --git a/.github/workflows/lint-test-chart.yaml b/.github/workflows/lint-test-chart.yaml index 27fd2880c..fa5d3d9d3 100644 --- a/.github/workflows/lint-test-chart.yaml +++ b/.github/workflows/lint-test-chart.yaml @@ -6,6 +6,9 @@ on: - .github/workflows/lint-test-chart.yaml - "charts/metrics-server/**" +permissions: + contents: read + jobs: lint-test: name: Lint & Test diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml index 34cefd777..8097bb1b3 100644 --- a/.github/workflows/release-chart.yaml +++ b/.github/workflows/release-chart.yaml @@ -7,6 +7,9 @@ on: paths: - charts/metrics-server/Chart.yaml +permissions: + contents: read + jobs: release: name: Release @@ -15,6 +18,8 @@ jobs: defaults: run: shell: bash + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 277284bfe..cf3ba14d1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -5,6 +5,9 @@ on: types: - published +permissions: + contents: read + jobs: build: name: build 
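Review bot: The new top-level `permissions: contents: read` in gh-workflow-approve.yaml also sets every unlisted scope to `none` for jobs that do not declare their own block, and the `approve` job's body is outside this hunk. Approving pending workflow runs typically needs `actions: write`, so unless the job already declares it the workflow will start failing on its API calls. Worth confirming the job carries its own `permissions:` with `actions: write`. The same check applies to the `lint-test` job in lint-test-chart.yaml if any step does more than read the repository.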
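Review bot: The job-level `contents: write` added to the `release` job in release-chart.yaml (and to `build` in release.yaml) applies to every step in the job, and the `actions/checkout` step that follows stores the token in the local git config by default. If only the publishing step needs write access, set `persist-credentials: false` on the checkout step and pass the token explicitly to that step. Alternatively, move publishing into its own job so the build and packaging steps run with read-only contents. The steps after checkout are outside the hunk, so whether a later step relies on the persisted credential needs checking before changing it.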
@@ -12,6 +15,8 @@ jobs: defaults: run: shell: bash + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1