Merge branch 'main' into 970-all-nodes

.codespellrc

@@ -1,6 +1,6 @@
 # Lint Codespell configurations
 [codespell]
-skip = .codespellrc,.git,node_modules,build,dist,*.zst,CHANGELOG.md,.playwright,.terraform,*.svg
+skip = .codespellrc,.git,node_modules,build,dist,*.zst,CHANGELOG.md,.playwright,.terraform,*.svg,**/pepr/operator/crd/generated/*.ts
 ignore-words-list = NotIn,AKS,LICENS,aks,afterAll
 enable-colors =
 check-hidden =

docs/reference/configuration/custom resources/packages-v1alpha1-cr.md

@@ -52,7 +52,7 @@ tableOfContents:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">authorization</td><td style="white-space: nowrap;"><a href="#Authorization">Authorization</a></td><td>Authorization settings.</td></tr><tr><td style="white-space: nowrap;">description</td><td style="white-space: nowrap;">string</td><td>A description of this monitor entry, this will become part of the ServiceMonitor name</td></tr><tr><td style="white-space: nowrap;">kind</td><td style="white-space: nowrap;">string (enum):<ul><li><code>PodMonitor</code></li><li><code>ServiceMonitor</code></li></ul></td><td>The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default.</td></tr><tr><td style="white-space: nowrap;">path</td><td style="white-space: nowrap;">string</td><td>HTTP path from which to scrape for metrics, defaults to `/metrics`</td></tr><tr><td style="white-space: nowrap;">podSelector</td><td style="white-space: nowrap;"></td><td>Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace</td></tr><tr><td style="white-space: nowrap;">portName</td><td style="white-space: nowrap;">string</td><td>The port name for the serviceMonitor</td></tr><tr><td style="white-space: nowrap;">selector</td><td style="white-space: nowrap;"></td><td>Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace</td></tr><tr><td style="white-space: nowrap;">targetPort</td><td style="white-space: nowrap;">number</td><td>The service targetPort. This is required so the NetworkPolicy can be generated correctly.</td></tr>
+    <tr><td style="white-space: nowrap;">authorization</td><td style="white-space: nowrap;"><a href="#Authorization">Authorization</a></td><td>Authorization settings.</td></tr><tr><td style="white-space: nowrap;">description</td><td style="white-space: nowrap;">string</td><td>A description of this monitor entry, this will become part of the ServiceMonitor name</td></tr><tr><td style="white-space: nowrap;">fallbackScrapeProtocol</td><td style="white-space: nowrap;">string (enum):<ul><li><code>OpenMetricsText0.0.1</code></li><li><code>OpenMetricsText1.0.0</code></li><li><code>PrometheusProto</code></li><li><code>PrometheusText0.0.4</code></li><li><code>PrometheusText1.0.0</code></li></ul></td><td>The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise invalid Content-Type</td></tr><tr><td style="white-space: nowrap;">kind</td><td style="white-space: nowrap;">string (enum):<ul><li><code>PodMonitor</code></li><li><code>ServiceMonitor</code></li></ul></td><td>The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default.</td></tr><tr><td style="white-space: nowrap;">path</td><td style="white-space: nowrap;">string</td><td>HTTP path from which to scrape for metrics, defaults to `/metrics`</td></tr><tr><td style="white-space: nowrap;">podSelector</td><td style="white-space: nowrap;"></td><td>Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace</td></tr><tr><td style="white-space: nowrap;">portName</td><td style="white-space: nowrap;">string</td><td>The port name for the serviceMonitor</td></tr><tr><td style="white-space: nowrap;">selector</td><td style="white-space: nowrap;"></td><td>Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace</td></tr><tr><td style="white-space: nowrap;">targetPort</td><td style="white-space: nowrap;">number</td><td>The service targetPort. This is required so the NetworkPolicy can be generated correctly.</td></tr>
   </tbody>
 </table>
 </div>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "uds-core",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "A collection of capabilities for UDS Core",
   "keywords": [
     "pepr",

pepr.ts

@@ -7,12 +7,10 @@ import { PeprModule } from "pepr";
 
 import cfg from "./package.json";
 
-import { DataStore } from "pepr/dist/lib/storage";
 import { istio } from "./src/pepr/istio";
 import { Component, setupLogger } from "./src/pepr/logger";
 import { operator } from "./src/pepr/operator";
 import { setupAuthserviceSecret } from "./src/pepr/operator/controllers/keycloak/authservice/config";
-import { Policy } from "./src/pepr/operator/crd";
 import { registerCRDs } from "./src/pepr/operator/crd/register";
 import { patches } from "./src/pepr/patches";
 import { policies, startExemptionWatch } from "./src/pepr/policies";
@@ -42,23 +40,6 @@ const log = setupLogger(Component.STARTUP);
     // Patches for specific components
     patches,
   ]);
-  // Remove legacy policy entries from the pepr store for the 0.5.0 upgrade
-  if (
-    process.env.PEPR_MODE === "dev" ||
-    (process.env.PEPR_WATCH_MODE === "true" && cfg.version === "0.5.0")
-  ) {
-    log.debug("Clearing legacy pepr store exemption entries...");
-    policies.Store.onReady((data: DataStore) => {
-      const policiesList = Object.values(Policy);
-      for (const p of Object.keys(data)) {
-        // if p matches a Policy key, remove it
-        if (policiesList.includes(p as Policy)) {
-          log.debug(`Removing legacy storage of ${p} policy exemptions...`);
-          policies.Store.removeItem(p);
-        }
-      }
-    });
-  }
 })().catch(err => {
   log.error(err, "Critical error during startup. Exiting...");
   process.exit(1);

src/grafana/values/registry1-values.yaml

@@ -21,4 +21,4 @@ sidecar:
   image:
     registry: registry1.dso.mil
     repository: ironbank/kiwigrid/k8s-sidecar
-    tag: 1.28.1
+    tag: 1.28.4

src/grafana/values/unicorn-values.yaml

@@ -21,4 +21,4 @@ sidecar:
   image:
     registry: cgr.dev
     repository: du-uds-defenseunicorns/k8s-sidecar-fips
-    tag: 1.28.3
+    tag: 1.28.4

src/grafana/values/upstream-values.yaml

@@ -6,7 +6,7 @@ sidecar:
     # -- The Docker registry
     registry: ghcr.io
     repository: kiwigrid/k8s-sidecar
-    tag: 1.28.3
+    tag: 1.28.4
 
 image:
   registry: docker.io

src/grafana/zarf.yaml

@@ -30,7 +30,7 @@ components:
       - docker.io/grafana/grafana:11.4.0
       - docker.io/curlimages/curl:8.11.1
       - docker.io/library/busybox:1.37.0
-      - ghcr.io/kiwigrid/k8s-sidecar:1.28.3
+      - ghcr.io/kiwigrid/k8s-sidecar:1.28.4
 
   - name: grafana
     required: true
@@ -45,7 +45,7 @@ components:
     images:
       - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.4.0
       - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5
-      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.1
+      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.4
 
   - name: grafana
     required: true
@@ -61,4 +61,4 @@ components:
       - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.4.0
       - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0
       - cgr.dev/du-uds-defenseunicorns/curl-fips:8.11.1
-      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.3
+      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.4

src/loki/common/zarf.yaml

@@ -16,7 +16,7 @@ components:
         localPath: ../chart
       - name: loki
         url: https://grafana.github.io/helm-charts/
-        version: 6.23.0
+        version: 6.24.0
         namespace: loki
         valuesFiles:
           - ../values/values.yaml

src/loki/values/registry1-values.yaml

@@ -5,7 +5,7 @@ loki:
   image:
     registry: registry1.dso.mil
     repository: ironbank/opensource/grafana/loki
-    tag: 3.3.1
+    tag: 3.3.2
   podSecurityContext:
     fsGroup: 10001
     runAsGroup: 10001

src/loki/values/unicorn-values.yaml

@@ -5,7 +5,7 @@ loki:
   image:
     registry: cgr.dev
     repository: du-uds-defenseunicorns/loki
-    tag: 3.3.1
+    tag: 3.3.2
 gateway:
   image:
     registry: cgr.dev

src/loki/values/upstream-values.yaml

@@ -5,7 +5,7 @@ loki:
   image:
     registry: docker.io
     repository: grafana/loki
-    tag: 3.3.1
+    tag: 3.3.2
 
 gateway:
   image:

src/loki/zarf.yaml

@@ -19,7 +19,7 @@ components:
         valuesFiles:
           - ./values/upstream-values.yaml
     images:
-      - docker.io/grafana/loki:3.3.1
+      - docker.io/grafana/loki:3.3.2
       - docker.io/nginxinc/nginx-unprivileged:1.27-alpine
       - docker.io/memcached:1.6.33-alpine
 
@@ -35,7 +35,7 @@ components:
         valuesFiles:
           - ./values/registry1-values.yaml
     images:
-      - registry1.dso.mil/ironbank/opensource/grafana/loki:3.3.1
+      - registry1.dso.mil/ironbank/opensource/grafana/loki:3.3.2
       - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2
       - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.33
 
@@ -51,6 +51,6 @@ components:
         valuesFiles:
           - ./values/unicorn-values.yaml
     images:
-      - cgr.dev/du-uds-defenseunicorns/loki:3.3.1
+      - cgr.dev/du-uds-defenseunicorns/loki:3.3.2
       - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.3
       - cgr.dev/du-uds-defenseunicorns/memcached:1.6.33

src/pepr/operator/controllers/monitoring/pod-monitor.ts

@@ -8,6 +8,7 @@ import { K8s } from "pepr";
 import { Component, setupLogger } from "../../../logger";
 import { Monitor, PrometheusPodMonitor, UDSPackage } from "../../crd";
 import { Kind } from "../../crd/generated/package-v1alpha1";
+import { FallbackScrapeProtocol } from "../../crd/generated/prometheus/podmonitor-v1";
 import { getOwnerRef, purgeOrphans } from "../utils";
 import { generateMonitorName } from "./common";
 
@@ -86,6 +87,9 @@ export function generatePodMonitor(
       selector: {
         matchLabels: podSelector ?? selector,
       },
+      // Fallback to the Prometheus 2.x default if not defined
+      fallbackScrapeProtocol:
+        monitor.fallbackScrapeProtocol || FallbackScrapeProtocol.PrometheusText004,
     },
   };
 

src/pepr/operator/controllers/monitoring/service-monitor.ts

@@ -9,6 +9,7 @@ import { V1OwnerReference } from "@kubernetes/client-node";
 import { Component, setupLogger } from "../../../logger";
 import { Monitor, PrometheusServiceMonitor, UDSPackage } from "../../crd";
 import { Kind } from "../../crd/generated/package-v1alpha1";
+import { FallbackScrapeProtocol } from "../../crd/generated/prometheus/servicemonitor-v1";
 import { getOwnerRef, purgeOrphans } from "../utils";
 import { generateMonitorName } from "./common";
 
@@ -89,6 +90,9 @@ export function generateServiceMonitor(
       selector: {
         matchLabels: selector,
       },
+      // Fallback to the Prometheus 2.x default if not defined
+      fallbackScrapeProtocol:
+        monitor.fallbackScrapeProtocol || FallbackScrapeProtocol.PrometheusText004,
     },
   };
 

src/pepr/operator/crd/generated/package-v1alpha1.ts

@@ -34,6 +34,11 @@ export interface Monitor {
    * A description of this monitor entry, this will become part of the ServiceMonitor name
    */
   description?: string;
+  /**
+   * The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise
+   * invalid Content-Type
+   */
+  fallbackScrapeProtocol?: FallbackScrapeProtocol;
   /**
    * The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the
    * default.
@@ -99,6 +104,18 @@ export interface Credentials {
   optional?: boolean;
 }
 
+/**
+ * The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise
+ * invalid Content-Type
+ */
+export enum FallbackScrapeProtocol {
+  OpenMetricsText001 = "OpenMetricsText0.0.1",
+  OpenMetricsText100 = "OpenMetricsText1.0.0",
+  PrometheusProto = "PrometheusProto",
+  PrometheusText004 = "PrometheusText0.0.4",
+  PrometheusText100 = "PrometheusText1.0.0",
+}
+
 /**
  * The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the
  * default.