Merge pull request #18 from brancz/openshift-master-v0.27.0

Openshift master v0.27.0

CHANGELOG.md

@@ -1,9 +1,14 @@
+## 0.27.0 / 2019-01-08
+
+* [FEATURE] Add `image` field to specify full Prometheus, Alertmanager and Thanos images.
+* [FEATURE] Add prometheus query options (lookback-delta, max-concurrency, timeout).
+
 ## 0.26.0 / 2018-11-30
 
 * [CHANGE] Remove attempting to set "secure" security context (#2109).
 * [CHANGE] Remove deprecated StorageSpec fields (#2132).
 * [ENHANCEMENT] Better handling for pod/node labels from ServiceMonitors (#2089).
-* [ENHANCEMENT] Update to Proemtheus v2.5.0 as default (#2101).
+* [ENHANCEMENT] Update to Prometheus v2.5.0 as default (#2101).
 * [ENHANCEMENT] Update to Alertmanager v0.15.3 as default (#2128).
 * [ENHANCEMENT] Increase CPU limits for small containers to not being throttled as much (#2144).
 * [BUGFIX] Sanitize thanos secret volume mount name (#2159).

Documentation/api.md

@@ -27,6 +27,7 @@ This Document documents the types introduced by the Prometheus Operator to be co
 * [PrometheusRuleSpec](#prometheusrulespec)
 * [PrometheusSpec](#prometheusspec)
 * [PrometheusStatus](#prometheusstatus)
+* [QuerySpec](#queryspec)
 * [QueueConfig](#queueconfig)
 * [RelabelConfig](#relabelconfig)
 * [RemoteReadSpec](#remotereadspec)
@@ -112,6 +113,7 @@ AlertmanagerSpec is a specification of the desired behavior of the Alertmanager
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | podMetadata | Standard object’s metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#metadata Metadata Labels and Annotations gets propagated to the prometheus pods. | *[metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#objectmeta-v1-meta) | false |
+| image | Image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary to ensure the Prometheus Operator knows what version of Alertmanager is being configured. | *string | false |
 | version | Version the cluster should be on. | string | false |
 | tag | Tag of Alertmanager container image to be deployed. Defaults to the value of `version`. Version is ignored if Tag is set. | string | false |
 | sha | SHA of Alertmanager container image to be deployed. Defaults to the value of `version`. Similar to a tag, but the SHA explicitly deploys an immutable container image. Version and Tag are ignored if SHA is set. | string | false |
@@ -266,6 +268,7 @@ PrometheusSpec is a specification of the desired behavior of the Prometheus clus
 | tag | Tag of Prometheus container image to be deployed. Defaults to the value of `version`. Version is ignored if Tag is set. | string | false |
 | sha | SHA of Prometheus container image to be deployed. Defaults to the value of `version`. Similar to a tag, but the SHA explicitly deploys an immutable container image. Version and Tag are ignored if SHA is set. | string | false |
 | paused | When a Prometheus deployment is paused, no actions except for deletion will be performed on the underlying objects. | bool | false |
+| image | Image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary to ensure the Prometheus Operator knows what version of Prometheus is being configured. | *string | false |
 | baseImage | Base image to use for a Prometheus deployment. | string | false |
 | imagePullSecrets | An optional list of references to secrets in the same namespace to use for pulling prometheus and alertmanager images from registries see http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod | [][v1.LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#localobjectreference-v1-core) | false |
 | replicas | Number of instances to deploy for a Prometheus deployment. | *int32 | false |
@@ -276,6 +279,7 @@ PrometheusSpec is a specification of the desired behavior of the Prometheus clus
 | externalLabels | The labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager). | map[string]string | false |
 | externalUrl | The external URL the Prometheus instances will be available under. This is necessary to generate correct URLs. This is necessary if Prometheus is not served from root of a DNS name. | string | false |
 | routePrefix | The route prefix Prometheus registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with `kubectl proxy`. | string | false |
+| query | QuerySpec defines the query command line flags when starting Prometheus. | *[QuerySpec](#queryspec) | false |
 | storage | Storage spec to specify how storage shall be used. | *[StorageSpec](#storagespec) | false |
 | ruleSelector | A selector to select which PrometheusRules to mount for loading alerting rules from. Until (excluding) Prometheus Operator v0.24.0 Prometheus Operator will migrate any legacy rule ConfigMaps to PrometheusRule custom resources selected by RuleSelector. Make sure it does not match any config maps that you do not want to be migrated. | *[metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#labelselector-v1-meta) | false |
 | ruleNamespaceSelector | Namespaces to be selected for PrometheusRules discovery. If unspecified, only the same namespace as the Prometheus object is in is used. | *[metav1.LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#labelselector-v1-meta) | false |
@@ -315,6 +319,18 @@ PrometheusStatus is the most recent observed status of the Prometheus cluster. R
 
 [Back to TOC](#table-of-contents)
 
+## QuerySpec
+
+QuerySpec defines the query command line flags when starting Prometheus.
+
+| Field | Description | Scheme | Required |
+| ----- | ----------- | ------ | -------- |
+| lookbackDelta | The delta difference allowed for retrieving metrics during expression evaluations. | *string | false |
+| maxConcurrency | Number of concurrent queries that can be run at once. | *int32 | false |
+| timeout | Maximum time a query may take before being aborted. | *string | false |
+
+[Back to TOC](#table-of-contents)
+
 ## QueueConfig
 
 QueueConfig allows the tuning of remote_write queue_config parameters. This object is referenced in the RemoteWriteSpec object.
@@ -507,6 +523,7 @@ ThanosSpec defines parameters for a Prometheus server within a Thanos deployment
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | peers | Peers is a DNS name for Thanos to discover peers through. | *string | false |
+| image | Image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary to ensure the Prometheus Operator knows what version of Thanos is being configured. | *string | false |
 | version | Version describes the version of Thanos to use. | *string | false |
 | tag | Tag of Thanos sidecar container image to be deployed. Defaults to the value of `version`. Version is ignored if Tag is set. | *string | false |
 | sha | SHA of Thanos container image to be deployed. Defaults to the value of `version`. Similar to a tag, but the SHA explicitly deploys an immutable container image. Version and Tag are ignored if SHA is set. | *string | false |

Documentation/user-guides/cluster-monitoring.md

@@ -424,6 +424,10 @@ spec:
     matchLabels:
       prometheus: k8s
       role: alert-rules
+  securityContext:
+    fsGroup: 2000
+    runAsNonRoot: true
+    runAsUser: 1000
   serviceAccountName: prometheus-k8s
   serviceMonitorNamespaceSelector: {}
   serviceMonitorSelector: {}
@@ -621,6 +625,10 @@ spec:
   nodeSelector:
     beta.kubernetes.io/os: linux
   replicas: 3
+  securityContext:
+    fsGroup: 2000
+    runAsNonRoot: true
+    runAsUser: 1000
   serviceAccountName: alertmanager-main
   version: v0.15.3
 ```

Documentation/user-guides/getting-started.md

@@ -118,8 +118,8 @@ spec:
         - --kubelet-service=kube-system/kubelet
         - --logtostderr=true
         - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
-        - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.26.0
-        image: quay.io/coreos/prometheus-operator:v0.26.0
+        - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.27.0
+        image: quay.io/coreos/prometheus-operator:v0.27.0
         name: prometheus-operator
         ports:
         - containerPort: 8080

VERSION

@@ -1 +1 @@
-0.26.0
+0.27.0

bundle.yaml

@@ -100,8 +100,8 @@ spec:
         - --kubelet-service=kube-system/kubelet
         - --logtostderr=true
         - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
-        - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.26.0
-        image: quay.io/coreos/prometheus-operator:v0.26.0
+        - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.27.0
+        image: quay.io/coreos/prometheus-operator:v0.27.0
         name: prometheus-operator
         ports:
         - containerPort: 8080

contrib/kube-prometheus/examples/ingress.jsonnet

@@ -15,7 +15,7 @@ local kp =
     alertmanager+:: {
       alertmanager+: {
         spec+: {
-          externalURL: 'http://alertmanager.example.com',
+          externalUrl: 'http://alertmanager.example.com',
         },
       },
     },
@@ -31,7 +31,7 @@ local kp =
     prometheus+:: {
       prometheus+: {
         spec+: {
-          externalURL: 'http://prometheus.example.com',
+          externalUrl: 'http://prometheus.example.com',
         },
       },
     },

contrib/kube-prometheus/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet

@@ -113,6 +113,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
           baseImage: $._config.imageRepos.alertmanager,
           nodeSelector: { 'beta.kubernetes.io/os': 'linux' },
           serviceAccountName: 'alertmanager-' + $._config.alertmanager.name,
+          securityContext: {
+            runAsUser: 1000,
+            runAsNonRoot: true,
+            fsGroup: 2000,
+          },
         },
       },
   },

contrib/kube-prometheus/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet

@@ -41,11 +41,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 
     clusterRole:
       local clusterRole = k.rbac.v1.clusterRole;
-      local policyRule = clusterRole.rulesType;
+      local rulesType = clusterRole.rulesType;
 
-      local coreRule = policyRule.new() +
-                       policyRule.withApiGroups(['']) +
-                       policyRule.withResources([
+      local coreRule = rulesType.new() +
+                       rulesType.withApiGroups(['']) +
+                       rulesType.withResources([
                          'configmaps',
                          'secrets',
                          'nodes',
@@ -59,57 +59,64 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
                          'namespaces',
                          'endpoints',
                        ]) +
-                       policyRule.withVerbs(['list', 'watch']);
+                       rulesType.withVerbs(['list', 'watch']);
 
-      local extensionsRule = policyRule.new() +
-                             policyRule.withApiGroups(['extensions']) +
-                             policyRule.withResources([
+      local extensionsRule = rulesType.new() +
+                             rulesType.withApiGroups(['extensions']) +
+                             rulesType.withResources([
                                'daemonsets',
                                'deployments',
                                'replicasets',
                              ]) +
-                             policyRule.withVerbs(['list', 'watch']);
+                             rulesType.withVerbs(['list', 'watch']);
 
-      local appsRule = policyRule.new() +
-                       policyRule.withApiGroups(['apps']) +
-                       policyRule.withResources([
+      local appsRule = rulesType.new() +
+                       rulesType.withApiGroups(['apps']) +
+                       rulesType.withResources([
                          'statefulsets',
                          'daemonsets',
                          'deployments',
                          'replicasets',
                        ]) +
-                       policyRule.withVerbs(['list', 'watch']);
+                       rulesType.withVerbs(['list', 'watch']);
 
-      local batchRule = policyRule.new() +
-                        policyRule.withApiGroups(['batch']) +
-                        policyRule.withResources([
+      local batchRule = rulesType.new() +
+                        rulesType.withApiGroups(['batch']) +
+                        rulesType.withResources([
                           'cronjobs',
                           'jobs',
                         ]) +
-                        policyRule.withVerbs(['list', 'watch']);
+                        rulesType.withVerbs(['list', 'watch']);
 
-      local autoscalingRule = policyRule.new() +
-                              policyRule.withApiGroups(['autoscaling']) +
-                              policyRule.withResources([
+      local autoscalingRule = rulesType.new() +
+                              rulesType.withApiGroups(['autoscaling']) +
+                              rulesType.withResources([
                                 'horizontalpodautoscalers',
                               ]) +
-                              policyRule.withVerbs(['list', 'watch']);
+                              rulesType.withVerbs(['list', 'watch']);
 
-      local authenticationRole = policyRule.new() +
-                                 policyRule.withApiGroups(['authentication.k8s.io']) +
-                                 policyRule.withResources([
+      local authenticationRole = rulesType.new() +
+                                 rulesType.withApiGroups(['authentication.k8s.io']) +
+                                 rulesType.withResources([
                                    'tokenreviews',
                                  ]) +
-                                 policyRule.withVerbs(['create']);
+                                 rulesType.withVerbs(['create']);
 
-      local authorizationRole = policyRule.new() +
-                                policyRule.withApiGroups(['authorization.k8s.io']) +
-                                policyRule.withResources([
+      local authorizationRole = rulesType.new() +
+                                rulesType.withApiGroups(['authorization.k8s.io']) +
+                                rulesType.withResources([
                                   'subjectaccessreviews',
                                 ]) +
-                                policyRule.withVerbs(['create']);
+                                rulesType.withVerbs(['create']);
 
-      local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole];
+      local policyRule = rulesType.new() +
+                                rulesType.withApiGroups(['policy']) +
+                                rulesType.withResources([
+                                  'poddisruptionbudgets',
+                                ]) +
+                                rulesType.withVerbs(['list', 'watch']);
+
+      local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole, policyRule];
 
       clusterRole.new() +
       clusterRole.mixin.metadata.withName('kube-state-metrics') +
@@ -208,30 +215,30 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 
     role:
       local role = k.rbac.v1.role;
-      local policyRule = role.rulesType;
+      local rulesType = role.rulesType;
 
-      local coreRule = policyRule.new() +
-                       policyRule.withApiGroups(['']) +
-                       policyRule.withResources([
+      local coreRule = rulesType.new() +
+                       rulesType.withApiGroups(['']) +
+                       rulesType.withResources([
                          'pods',
                        ]) +
-                       policyRule.withVerbs(['get']);
+                       rulesType.withVerbs(['get']);
 
-      local extensionsRule = policyRule.new() +
-                             policyRule.withApiGroups(['extensions']) +
-                             policyRule.withResources([
+      local extensionsRule = rulesType.new() +
+                             rulesType.withApiGroups(['extensions']) +
+                             rulesType.withResources([
                                'deployments',
                              ]) +
-                             policyRule.withVerbs(['get', 'update']) +
-                             policyRule.withResourceNames(['kube-state-metrics']);
+                             rulesType.withVerbs(['get', 'update']) +
+                             rulesType.withResourceNames(['kube-state-metrics']);
 
-      local appsRule = policyRule.new() +
-                       policyRule.withApiGroups(['apps']) +
-                       policyRule.withResources([
+      local appsRule = rulesType.new() +
+                       rulesType.withApiGroups(['apps']) +
+                       rulesType.withResources([
                          'deployments',
                        ]) +
-                       policyRule.withVerbs(['get', 'update']) +
-                       policyRule.withResourceNames(['kube-state-metrics']);
+                       rulesType.withVerbs(['get', 'update']) +
+                       rulesType.withResourceNames(['kube-state-metrics']);
 
       local rules = [coreRule, extensionsRule, appsRule];
 

contrib/kube-prometheus/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet

@@ -5,7 +5,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
     namespace: 'default',
 
     versions+:: {
-      prometheusAdapter: 'v0.3.0',
+      prometheusAdapter: 'v0.4.1',
     },
 
     imageRepos+:: {
@@ -113,6 +113,8 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       deployment.mixin.metadata.withNamespace($._config.namespace) +
       deployment.mixin.spec.selector.withMatchLabels($._config.prometheusAdapter.labels) +
       deployment.mixin.spec.template.spec.withServiceAccountName($.prometheusAdapter.serviceAccount.metadata.name) +
+      deployment.mixin.spec.strategy.rollingUpdate.withMaxSurge(1) +
+      deployment.mixin.spec.strategy.rollingUpdate.withMaxUnavailable(0) +
       deployment.mixin.spec.template.spec.withVolumes([
         volume.fromEmptyDir(name='tmpfs'),
         volume.fromEmptyDir(name='volume-serving-cert'),

contrib/kube-prometheus/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet

@@ -40,7 +40,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       service.new('prometheus-' + $._config.prometheus.name, { app: 'prometheus', prometheus: $._config.prometheus.name }, prometheusPort) +
       service.mixin.metadata.withNamespace($._config.namespace) +
       service.mixin.metadata.withLabels({ prometheus: $._config.prometheus.name }),
-    [if $._config.prometheus.rules != null && $._config.prometheus.rules != {} then "rules"]:
+    [if $._config.prometheus.rules != null && $._config.prometheus.rules != {} then 'rules']:
       {
         apiVersion: 'monitoring.coreos.com/v1',
         kind: 'PrometheusRule',
@@ -185,6 +185,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
               },
             ],
           },
+          securityContext: {
+            runAsUser: 1000,
+            runAsNonRoot: true,
+            fsGroup: 2000,
+          },
         },
       },
     serviceMonitor:
@@ -386,6 +391,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
           },
         },
         spec: {
+          jobLabel: 'k8s-app',
           selector: {
             matchLabels: {
               'k8s-app': 'kube-dns',

contrib/kube-prometheus/jsonnetfile.lock.json

@@ -8,7 +8,7 @@
                     "subdir": "contrib/kube-prometheus/jsonnet/kube-prometheus"
                 }
             },
-            "version": "433616b23b9c4bce759bc99c35ca2a66348c36b8"
+            "version": "360f5ad835e12f3627a45f2df0487f73ec8969e3"
         },
         {
             "name": "ksonnet",
@@ -58,7 +58,7 @@
                     "subdir": "grafana"
                 }
             },
-            "version": "3df5e36ecbf348a13e155e12c495ac9fd05030b6"
+            "version": "3cab96409b2b4b8e8a87f768f1e2b063b1df7038"
         },
         {
             "name": "prometheus-operator",