Closed bot-akira[bot] closed 3 weeks ago
--- HelmRelease: monitoring/goldilocks ClusterRole: monitoring/vpa-actor
+++ HelmRelease: monitoring/goldilocks ClusterRole: monitoring/vpa-actor
@@ -28,13 +28,12 @@
resources:
- verticalpodautoscalers
verbs:
- get
- list
- watch
- - patch
- apiGroups:
- autoscaling.k8s.io
resources:
- verticalpodautoscalers
verbs:
- get
--- HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-vpa-admission-controller
+++ HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-vpa-admission-controller
@@ -24,16 +24,23 @@
app.kubernetes.io/instance: goldilocks
spec:
serviceAccountName: goldilocks-vpa-admission-controller
securityContext:
runAsNonRoot: true
runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: vpa
- securityContext: {}
- image: registry.k8s.io/autoscaling/vpa-admission-controller:0.14.0
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ image: registry.k8s.io/autoscaling/vpa-admission-controller:1.0.0
imagePullPolicy: Always
args:
- --register-webhook=false
- --webhook-service=goldilocks-vpa-webhook
- --client-ca-file=/etc/tls-certs/ca
- --tls-cert-file=/etc/tls-certs/cert
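Review bot: The new `image: registry.k8s.io/autoscaling/vpa-admission-controller:1.0.0` line references a tag rather than a digest, and the unchanged `imagePullPolicy: Always` below it means every pod restart resolves that tag against the registry again. Pinning by digest, `image: registry.k8s.io/autoscaling/vpa-admission-controller:1.0.0@sha256:<digest-placeholder>`, makes the rollout reproducible and lets an unexpected image change show up as a diff. The same applies to the `vpa-recommender:1.0.0` line in the recommender Deployment and to the two `goldilocks:v4.13.0` lines in the controller and dashboard Deployments. This is rendered chart output, so the change belongs in the HelmRelease values; whether the chart accepts a digest there is not visible on this page. The container spec continues outside the hunk.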
@@ -70,17 +77,16 @@
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
- limits:
- cpu: 200m
- memory: 500Mi
+ limits: {}
requests:
cpu: 50m
memory: 200Mi
+ hostNetwork: false
volumes:
- name: tls-certs
secret:
secretName: goldilocks-vpa-tls-secret
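Review bot: `limits: {}` leaves the admission controller container with no CPU or memory ceiling, where the previous render capped it at `cpu: 200m` and `memory: 500Mi`. This pod serves a mutating webhook, so a leak or a burst of admission requests can now grow until the node comes under memory pressure and other workloads are evicted. If dropping the limits is only a side effect of new chart defaults, restore a ceiling in the HelmRelease values, for example `limits: {memory: 500Mi}`. The recommender Deployment has the same `limits: {}` change (previously `cpu: 200m`, `memory: 1000Mi`).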
--- HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-vpa-recommender
+++ HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-vpa-recommender
@@ -24,16 +24,23 @@
app.kubernetes.io/instance: goldilocks
spec:
serviceAccountName: goldilocks-vpa-recommender
securityContext:
runAsNonRoot: true
runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: vpa
- securityContext: {}
- image: registry.k8s.io/autoscaling/vpa-recommender:0.14.0
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ image: registry.k8s.io/autoscaling/vpa-recommender:1.0.0
imagePullPolicy: Always
args:
- --pod-recommendation-min-cpu-millicores=15
- --pod-recommendation-min-memory-mb=100
- --v=4
livenessProbe:
@@ -56,13 +63,11 @@
timeoutSeconds: 3
ports:
- name: metrics
containerPort: 8942
protocol: TCP
resources:
- limits:
- cpu: 200m
- memory: 1000Mi
+ limits: {}
requests:
cpu: 50m
memory: 500Mi
--- HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-controller
+++ HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-controller
@@ -27,13 +27,13 @@
serviceAccountName: goldilocks-controller
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: goldilocks
- image: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.10.0
+ image: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.13.0
imagePullPolicy: Always
command:
- /goldilocks
- controller
- -v2
securityContext:
--- HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-dashboard
+++ HelmRelease: monitoring/goldilocks Deployment: monitoring/goldilocks-dashboard
@@ -27,13 +27,13 @@
serviceAccountName: goldilocks-dashboard
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: goldilocks
- image: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.10.0
+ image: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.13.0
imagePullPolicy: Always
command:
- /goldilocks
- dashboard
- --exclude-containers=linkerd-proxy,istio-proxy
- -v2
--- HelmRelease: monitoring/goldilocks MutatingWebhookConfiguration: monitoring/goldilocks-vpa-webhook-config
+++ HelmRelease: monitoring/goldilocks MutatingWebhookConfiguration: monitoring/goldilocks-vpa-webhook-config
@@ -40,8 +40,8 @@
- CREATE
- UPDATE
resources:
- verticalpodautoscalers
scope: '*'
sideEffects: None
- timeoutSeconds: 30
+ timeoutSeconds: 5
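Review bot: With `timeoutSeconds: 5` the webhook's `failurePolicy` decides the outcome more often than it did at 30 seconds, and that field lies outside this hunk. If it is `Ignore`, a slow admission controller means requests are admitted without mutation and nothing reports it; if it is `Fail`, they are rejected. Confirm which value the rendered MutatingWebhookConfiguration carries, and alert on the API server's admission webhook timeout and rejection metrics so a fail-open period is noticed.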
--- HelmRelease: monitoring/goldilocks Job: monitoring/goldilocks-vpa-admission-certgen-create
+++ HelmRelease: monitoring/goldilocks Job: monitoring/goldilocks-vpa-admission-certgen-create
@@ -1,37 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: goldilocks-vpa-admission-certgen-create
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- helm.sh/hook-weight: '-110'
- labels:
- app.kubernetes.io/component: certgen
- app.kubernetes.io/name: vpa
- app.kubernetes.io/instance: goldilocks
- app.kubernetes.io/managed-by: Helm
-spec:
- ttlSecondsAfterFinished: 300
- template:
- metadata:
- name: goldilocks-vpa-admission-certgen
- labels:
- app.kubernetes.io/component: cadmission-ertgen
- app.kubernetes.io/name: vpa
- app.kubernetes.io/instance: goldilocks
- app.kubernetes.io/managed-by: Helm
- spec:
- restartPolicy: OnFailure
- serviceAccountName: goldilocks-vpa-admission-certgen
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794
- args:
- - create
- - --host=goldilocks-vpa-webhook,goldilocks-vpa-webhook.monitoring.svc
- - --namespace=monitoring
- - --secret-name=goldilocks-vpa-tls-secret
- resources: {}
-
--- HelmRelease: monitoring/goldilocks ClusterRole: monitoring/vpa-status-actor
+++ HelmRelease: monitoring/goldilocks ClusterRole: monitoring/vpa-status-actor
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-status-actor
+rules:
+- apiGroups:
+ - autoscaling.k8s.io
+ resources:
+ - verticalpodautoscalers/status
+ verbs:
+ - get
+ - patch
+
--- HelmRelease: monitoring/goldilocks ClusterRoleBinding: monitoring/vpa-status-actor
+++ HelmRelease: monitoring/goldilocks ClusterRoleBinding: monitoring/vpa-status-actor
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-status-actor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-status-actor
+subjects:
+- kind: ServiceAccount
+ name: goldilocks-vpa-recommender
+ namespace: monitoring
+
--- HelmRelease: monitoring/goldilocks Job: monitoring/goldilocks-vpa-admission-certgen
+++ HelmRelease: monitoring/goldilocks Job: monitoring/goldilocks-vpa-admission-certgen
@@ -0,0 +1,37 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: goldilocks-vpa-admission-certgen
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: '-110'
+ labels:
+ app.kubernetes.io/component: certgen
+ app.kubernetes.io/name: vpa
+ app.kubernetes.io/instance: goldilocks
+ app.kubernetes.io/managed-by: Helm
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ metadata:
+ name: goldilocks-vpa-admission-certgen
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ app.kubernetes.io/name: vpa
+ app.kubernetes.io/instance: goldilocks
+ app.kubernetes.io/managed-by: Helm
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: goldilocks-vpa-admission-certgen
+ containers:
+ - name: create
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794
+ args:
+ - create
+ - --host=goldilocks-vpa-webhook,goldilocks-vpa-webhook.monitoring.svc
+ - --namespace=monitoring
+ - --secret-name=goldilocks-vpa-tls-secret
+ resources: {}
+
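Review bot: The Job's pod template sets no `securityContext` at pod or container level, while the two VPA Deployments in this same change gained `seccompProfile`, `allowPrivilegeEscalation: false`, dropped capabilities and a read-only root filesystem. Judging by `--secret-name=goldilocks-vpa-tls-secret`, this pod creates the webhook's TLS secret, so it deserves at least the same baseline. The fence shows the fields I would add; `runAsNonRoot` and `readOnlyRootFilesystem` need checking against the kube-webhook-certgen image before merging, and since this is rendered output they would have to come from chart values or a post-renderer. The `create` container also keeps `resources: {}` and a tag-only image reference.

```yaml
# … unchanged: Job metadata, hook annotations, template labels, restartPolicy, serviceAccountName …
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: create
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          # … unchanged: image, args, resources …
```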
--- kubernetes/apps/monitoring/goldilocks/app Kustomization: flux-system/cluster-apps-goldilocks HelmRelease: monitoring/goldilocks
+++ kubernetes/apps/monitoring/goldilocks/app Kustomization: flux-system/cluster-apps-goldilocks HelmRelease: monitoring/goldilocks
@@ -13,13 +13,13 @@
chart: goldilocks
interval: 5m
sourceRef:
kind: HelmRepository
name: fairwinds
namespace: flux-system
- version: 8.0.2
+ version: 9.0.0
interval: 5m
values:
dashboard:
enabled: true
ingress:
annotations:
Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
---|
See detailed report in MegaLinter reports
_Set VALIDATE_ALL_CODEBASE: true
in mega-linter.yml to validate all sources, not only the diff_
This PR contains the following updates:
8.0.2
->9.0.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.