diff --git a/helm/templates/prometheus/operator-role-binding.yaml b/helm/templates/prometheus/operator-role-binding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0fadc048940ca5254e7ce2867a657361f32ef3b7
--- /dev/null
+++ b/helm/templates/prometheus/operator-role-binding.yaml
@@ -0,0 +1,16 @@
+{{- if not (index .Values "kube-prometheus-stack" "global" "rbac" "create") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+ labels:
+ app: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/templates/prometheus/operator-role.yaml b/helm/templates/prometheus/operator-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..16481a2ec6a4387e589079433490ac5d437dc04b
--- /dev/null
+++ b/helm/templates/prometheus/operator-role.yaml
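Review bot: The subject of this RoleBinding is a ServiceAccount named from `theodolite.fullname`, but the account itself is created by the kube-prometheus-stack subchart (values.yaml turns on `serviceAccount.create: true` for the operator) under that subchart's own naming template; if the two templates ever produce different strings, for example with a release name other than `theodolite` or after Helm's name truncation, the binding silently targets a nonexistent account and the operator runs with no RBAC at all. Derive the subject name from one shared source instead of re-spelling it here, or at least pin the assumption with a comment above `subjects:`, e.g. `# Must equal the ServiceAccount the kube-prometheus-stack subchart creates for the operator (presumably prometheusOperator.serviceAccount.name); verify with helm template`. The `app` label here uses `theodolite.fullname` while the companion Role uses `theodolite.name`, so selectors on that label will match only one of the two objects; pick one helper for both.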
@@ -0,0 +1,79 @@
+{{- if not (index .Values "kube-prometheus-stack" "global" "rbac" "create") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+ labels:
+ app: {{ template "theodolite.name" . }}-kube-prometheus-operator
+rules:
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - alertmanagers
+ - alertmanagers/finalizers
+ - alertmanagerconfigs
+ - prometheuses
+ - prometheuses/finalizers
+ - thanosrulers
+ - thanosrulers/finalizers
+ - servicemonitors
+ - podmonitors
+ - probes
+ - prometheusrules
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - services/finalizers
+ - endpoints
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/helm/templates/prometheus/cluster-role-binding.yaml b/helm/templates/prometheus/role-binding.yaml
similarity index 75%
rename from helm/templates/prometheus/cluster-role-binding.yaml
rename to helm/templates/prometheus/role-binding.yaml
index f2f167b94b79ad4db130565777cb8af486762c8c..722f806e0621a5775083f74f064e0c9eae18f1d8 100644
--- a/helm/templates/prometheus/cluster-role-binding.yaml
+++ b/helm/templates/prometheus/role-binding.yaml
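Review bot: The `nodes` (list, watch) and `namespaces` (get, list, watch) rules near the end of this Role grant nothing: both resources are cluster-scoped, and the RBAC authorizer only consults RoleBindings for namespaced requests, so a namespaced Role cannot authorize them. In practice the operator's kubelet-endpoint sync, which lists nodes, will presumably be denied with 403 unless it is switched off in the subchart values (`prometheusOperator.kubeletService.enabled: false`, if that is the key this chart's pinned version uses). Either delete the two dead rules so the manifest does not advertise access that does not exist, or keep a deliberately minimal ClusterRole/ClusterRoleBinding holding only these two rules and say so in a comment, e.g. `# nodes/namespaces are cluster-scoped and cannot be granted by a Role; see cluster-role.yaml`. Separately, `verbs: ['*']` on `secrets` and `configmaps` is broader than the operator needs in the release namespace; enumerating `get, list, watch, create, update, patch, delete` documents intent and avoids picking up future verbs.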
@@ -1,14 +1,14 @@
-{{- if .Values.prometheus.clusterRoleBinding.enabled -}}
+{{- if .Values.prometheus.roleBinding.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 name: {{ template "theodolite.fullname" . }}-prometheus
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: {{ template "theodolite.fullname" . }}-prometheus
 subjects:
 - kind: ServiceAccount
 name: {{ template "theodolite.fullname" . }}-prometheus
 namespace: {{ .Release.Namespace }}
-{{- end}}
\ No newline at end of file
+{{- end}}
diff --git a/helm/templates/prometheus/cluster-role.yaml b/helm/templates/prometheus/role.yaml
similarity index 67%
rename from helm/templates/prometheus/cluster-role.yaml
rename to helm/templates/prometheus/role.yaml
index c2fea2205451e01474d1ab7ef1ca342a9d975dc9..321d2825b5b98d31fc34619e88994058bac74cab 100644
--- a/helm/templates/prometheus/cluster-role.yaml
+++ b/helm/templates/prometheus/role.yaml
@@ -1,12 +1,11 @@
-{{- if .Values.prometheus.clusterRole.enabled -}}
+{{- if .Values.prometheus.role.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: {{ template "theodolite.fullname" . }}-prometheus
 rules:
 - apiGroups: [""]
 resources:
- - nodes
 - services
 - endpoints
 - pods
@@ -15,6 +14,4 @@ rules:
 resources:
 - configmaps
 verbs: ["get"]
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
-{{- end }}
\ No newline at end of file
+{{- end}}
diff --git a/helm/values.yaml b/helm/values.yaml
index e3e2143a2694a58be7fb4f48efe0723fc05fb0f7..34a32ce60927a751f645b7f8ff4af46793865797 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -5,7 +5,7 @@ kafkaClient:
 enabled: false
 nodeSelector: {}
-
+
 ####
 ## configuration of sub charts
@@ -52,6 +52,9 @@ grafana:
 service:
 nodePort: 31199
 type: NodePort
+ rbac:
+ pspEnabled: false
+ namespaced: true
 ###
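Review bot: Once this Role is namespaced and the `nodes` and `/metrics` rules are gone, any Prometheus scrape job that uses `kubernetes_sd_configs` without a `namespaces.names` restriction will issue a cluster-wide list/watch on pods, services or endpoints and be denied with 403, because the Role only covers `.Release.Namespace`; `role: node` discovery and kubelet/cAdvisor targets are not reachable at all. The scrape configuration is outside this diff, so I cannot tell whether it is already namespace-restricted, but the constraint deserves to be written down at the top of role.yaml, e.g. `# Namespaced Role: kubernetes_sd_configs must be limited to the release namespace; node and /metrics targets require a ClusterRole`. The `verbs` line of the first rule sits between the two hunks and is not visible here, so I have not checked it.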
@@ -155,6 +158,9 @@ cp-helm-charts:
 ## The interval between refreshing metrics
 pollIntervalSeconds: 15
+strimzi-kafka-operator:
+ createGlobalResources: true
+
 strimzi:
 enabled: true
 kafka:
@@ -193,6 +199,10 @@ strimzi:
 # Prometheus Monitoring Stack (Prometheus Operator)
 ###
 kube-prometheus-stack:
+ global:
+ rbac:
+ create: false
+
 commonLabels:
 appScope: titan-ccp
@@ -238,7 +248,14 @@ kube-prometheus-stack:
 releaseNamespace: true
 additional: []
 nodeSelector: {}
+ admissionWebhooks:
+ enabled: false
+ tls:
+ enabled: false
+ serviceAccount:
+ create: true
+ # We use our own Prometheus
 prometheus:
 enabled: false
@@ -250,12 +267,11 @@ prometheus:
 enabled: true
 nodeSelector: {}
- # depends on your cluster security and permission settings, you may need to create the following resources
 serviceAccount:
 enabled: true
- clusterRole:
+ role:
 enabled: true
- clusterRoleBinding:
+ roleBinding:
 enabled: true
 ###
@@ -349,7 +365,7 @@ rbac:
 additionalRules: []
 randomScheduler:
- enabled: true
+ enabled: false
 image: ghcr.io/cau-se/theodolite-random-scheduler
 imageTag: latest
 imagePullPolicy: Always
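Review bot: `randomScheduler.enabled` is flipped from `true` to `false` in the last hunk with no comment and nothing else in the diff touches the scheduler, so the default behaviour change is invisible to anyone reading values.yaml. If the reason is that the scheduler needs cluster-scoped permissions (binding pods across namespaces) that a namespaced install cannot grant, say so next to the key, e.g. `# Disabled by default: needs cluster-scoped RBAC, which a namespaced install does not provide`. Likewise `admissionWebhooks.enabled: false` drops the operator's validating webhook, so malformed PrometheusRule or AlertmanagerConfig objects are admitted and only fail later at reconcile or rule reload; a one-line note on why the webhook is off (presumably because its TLS/cert machinery needs cluster-wide resources) would keep someone from re-enabling or removing it blindly. The deleted `# depends on your cluster security and permission settings ...` line was the only hint that `serviceAccount`/`role`/`roleBinding` are optional; keep a one-line replacement above `serviceAccount:`.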