ckotzbauer / helm-charts Goto Github PK

Hi,

I would like to publish the metrics on the node port.
But there doesn't seem to be a setting for that in the values.yaml.

With kind regards,

Gerben Immeker.

I did the following:

kind create cluster
helm install monitoring prometheus-community/kube-prometheus-stack
helm install cadvisor ckotzbauer/cadvisor --set metrics.enabled=true
# 4. Wait for all pods to be running and healthy
# 5. Port forward prometheus-pod to localhost
# 6. Go to http://localhost:9090/targets?search=

but I didn't see any targets for cadvisor. Did I do something in the wrong order?

Hi there! I noticed that metrics like container_spec_cpu_quota and container_spec_cpu_period are not provided when installing this helm-chart.

When searching for the issue online I found this: google/cadvisor#3154 maybe it is related? OP said, that cadvisor doesn't construct the listed metrics, if

cpu soft quota is enabled

but I don't know cadvisor well enough to see, whether this is the cause for the issue when using this helm-chart or how I could alter the current behavior. Any idea on your part?

v0.44.1 is renamed to v0.44.1-test link . Current chart will be stuck forever with ErrImagePull. Use latest tag perhaps?

When I first tried helm deploy vulnerability operator, it failed at the stage where it tried to create the /reports directory and save the report.json. There is no volume for the /reports directory created in the helm deployment yaml. The out-of-the-box deployment gives an error that says that the root directory is read-only, which is expected since the default config is set as:

securityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault

Setting readOnlyRootFilesystem to false was not enough, because then a permissions error occurred during the creation of the /reports directory. The configuration required to make it work was:

  readOnlyRootFilesystem: false
  runAsNonRoot: false
  runAsUser: 0

Obviously this is not ideal. The solution I came up with utilized the same solution as #174. This is also not ideal because the user should be able to set the reports-dir argument and just expect it to work. I am currently working on an alternative solution which will add the /reports volume and volumeMount in the deployment yaml code, and it will attempt to read from the user's custom-values.yaml file (or whatever it's called) for the name of the volume mount, and otherwise use the default value of /reports

When providing additional environment variables via the envVars section, the indentation of the template is broken.

Given

values.yaml

envVars:
- name: TEST_VAR
  value: TEST

Command:

helm template ./charts/sbom-operator --dry-run --debug --generate-name -f values.yaml

Result

Error: YAML parse error on sbom-operator/templates/deployment.yaml: error converting YAML to JSON: yaml: line 33: did not find expected key

template.yaml

# Source: sbom-operator/templates/deployment.yaml
# Document has been shortened for clarity!

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sbom-operator

# Document shrinked for better understandability
spec:
    spec:
      containers:
        - name: sbom-operator
          image: "ghcr.io/ckotzbauer/sbom-operator:0.13.0"
          imagePullPolicy: IfNotPresent
          args:
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
# ---> Indentation of 10 expected but 12 is rendered          
            - name: TEST_VAR
              value: TEST

Hi!

Thanks for the project.

I've tried installing cadvisor and found an issue with oom metrics being not available due to permission issue:

❯ kl cadvisor-ktblb
W0910 14:59:26.756250       1 machine_libipmctl.go:62] There are no NVM devices!
W0910 14:59:26.805682       1 manager.go:289] Could not configure a source for OOM detection, disabling OOM events: open /dev/kmsg: operation not permitted

It can be fixed by adding the following settings to the daemonset:

        securityContext:
          privileged: true

Do you have plans to add this to the chart? Or there is another option to enable oom detection?

Given a chart deployment
When I set custom labels for the pods using `Values.podLabels`
Then the pods should contain the labels in `metadata.labels`

Example: bitnami/nginx
https://github.com/bitnami/charts/blob/main/bitnami/nginx/templates/deployment.yaml#LL25C28-L25C30
https://github.com/bitnami/charts/blob/main/bitnami/nginx/values.yaml#L128

Most of the templates in the chart are missing following key:
namespace: {{ .Release.Namespace}}.

Steps to reproduce:

helm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts && \
  helm repo update && \
  helm upgrade --install cadvisor ckotzbauer/cadvisor \
    --namespace monitoring \
    --create-namespace \
    --set metrics.enabled=true \
    --version v2.2.4

I get the same error with 2.2.3/2.2.2

Daemonset is deployed with the error on all worker nodes:

Error: container create failed: time="2023-04-15T14:58:20+10:00" level=error msg="runc create failed: unable to start container process: error during container init: error mounting \"/run/containers/storage/overlay-containers/5e99476e2d47dc1d78f6c6de64793a6b7d0651780a21ce8802b20827da85b40c/userdata/run/secrets\" to rootfs at \"/run/secrets\": mkdir /var/lib/containers/storage/overlay/15210da1c05500b6f951ba387c617dcf88d74133bf9bb1d6abe93ffe2f2d54f3/merged/run/secrets: read-only file system"

I think I'm missing something in the set up. CRIO is read_only = false in the config.

Please add the possibility to add securityContext from values both on pod and container level, and remove the hardcoded
seccomp annotation. This way we can set more than just privilged true/false which are required by podSecurityAdmission (PSA)

the original helm chart will be going soon, so im hoping to use this as a base for the nfs-client helm chart

could you maybe ask them to take over that chart for the nfs-client anyways?

can you update your chart to include the accessmode that they have included in there chart?

https://github.com/helm/charts/tree/master/stable/nfs-client-provisioner
helm/charts@a4a35c3#diff-ec531825a9cf4a43add171082b59e73dff020a2e22bc911fb2b8f66005370226

I recently modified the housekeeping interval of the values.yaml to increase the scraping rate with the following additional args. But it seems the housekeeping interval is still using the default, 10s and 15s. Does it means these two args is not working (given that this issue or I just didn't configure it correcly?

additionalArgs:
    - --allow_dynamic_housekeeping=false
    - --housekeeping_interval=2s                       
    - --max_housekeeping_interval=2s
    - --event_storage_event_limit=default=0
    - --event_storage_age_limit=default=0
    - --disable_metrics=percpu,process,sched,tcp,udp    # enable only diskIO, cpu, memory, network, disk
    - --docker_only

I ran into an issue with vulnerability-operator and sbom-operator deployments where I needed to add a CA for our privately hosted git repository. The helm deployment source code allowed extraVolumes, but not extraVolumeMounts. I modified the deployment yaml to take extraVolumeMounts from a my-values.yaml values file, and I added my CA through this method. It works and I have the solution in my local repository. I will fork this repo on GitHub and post a solution shortly.

Deprecate the chart here at the end of Q2 in favor of the official chart if prometheus-msteams/helm-chart#1 is merged