From ed706960d3cb421d7e2ba651e60fc3313f8410f9 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Tue, 5 Aug 2025 15:55:04 +0200
Subject: [PATCH 1/9] Add gke-allowlist-synchronizer template
---
 .../templates/gke-allowlist-synchronizer.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
diff --git a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
new file mode 100644
index 0000000..8c4b1ea
--- /dev/null
+++ b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
@@ -0,0 +1,12 @@
+{{- /* Deploy only if .Values.gkeAutopilot.allowlistPaths is non-empty */ -}}
+{{- if .Values.gkeAutopilot.allowlistPaths }}
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+ name: {{ include "checkmk.fullname" . }}-allowlist-synchronizer
+spec:
+ allowlistPaths:
+{{- range .Values.gkeAutopilot.allowlistPaths }}
+ - "{{ . }}"
+{{- end }}
+{{- end }}
From a488058cdb674c772ba8aef245edaad4bf530e1f Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Tue, 5 Aug 2025 15:59:29 +0200
Subject: [PATCH 2/9] Include AllowlistSynchronizer in values.yaml
---
 deploy/charts/checkmk/values.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index 7400190..d5c3154 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
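Review bot: The list items at `+ - "{{ . }}"` interpolate user-supplied values inside hand-written double quotes, so an entry containing `"` or `\` produces invalid YAML at render time; Helm's `quote` function escapes the value for you: `- {{ . | quote }}`. Since these paths decide which privileged Checkmk workloads Autopilot will admit, a one-line comment above `allowlistPaths:` such as `# each entry must name an allowlist published for the exact agent version this chart deploys` would tell operators what to keep in step on upgrades. The remainder of the file is outside this hunk only by virtue of being a new file; the hunk is complete.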
@@ -10,6 +10,14 @@ kubeVersionOverride: ""
 ## If you are using one of them, or containerd is located in an alternate location, please uncomment / adapt the override.
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
+## GKE Autopilot only allows privilegded workloads, if they are allowlisted
+## Please uncomment the following section to deploy the required AllowlistSynchronizer
+## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
+#gkeAutopilot:
+# allowlistPaths:
+# - "Checkmk/checkmk_kube_agent/v1.0.0/*"
+# - "Checkmk/checkmk_kube_agent/v1.0.1/*"
+
 tlsCommunication:
 enabled: false
 verifySsl: false
From 5feca2ad09ad0133958d341a80051445ce7bbcc4 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Tue, 5 Aug 2025 16:10:43 +0200
Subject: [PATCH 3/9] Make gke-allowlist-synchronizer more robust
If entries were commented in values.yaml, then the helm rendering crashed
---
 deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
index 8c4b1ea..1380260 100644
--- a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
+++ b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
@@ -1,5 +1,5 @@
 {{- /* Deploy only if .Values.gkeAutopilot.allowlistPaths is non-empty */ -}}
-{{- if .Values.gkeAutopilot.allowlistPaths }}
+{{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") }}
 apiVersion: auto.gke.io/v1
 kind: AllowlistSynchronizer
 metadata:
From f2ec6a7957e17220b2df81da4fbd77cbbbd59d76 Mon Sep 17 00:00:00 2001
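Review bot: The added comment `+## GKE Autopilot only allows privilegded workloads, if they are allowlisted` misspells "privileged", and the same line is carried forward as added or context text in the values.yaml hunks of patches 5, 7 and 9, so fixing it once here keeps the rest of the series clean: `## GKE Autopilot only allows privileged workloads if they are allowlisted`. The example entries pin agent versions `v1.0.0` and `v1.0.1`; a sentence saying that the list must be kept in step with the agent version the chart deploys would spare operators a rejected rollout after an upgrade, e.g. `## Entries must match the deployed checkmk_kube_agent version`.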
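Review bot: `hasKey` only tests presence, so `gkeAutopilot: {allowlistPaths: []}` or a bare `allowlistPaths:` (null) now renders an AllowlistSynchronizer with an empty `spec.allowlistPaths`, which contradicts the comment on the line above (`Deploy only if ... is non-empty`). Keeping the emptiness test as a third operand preserves the nil-safety this commit adds: `{{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") .Values.gkeAutopilot.allowlistPaths }}`. This relies on `and` short-circuiting, which the committed form appears to rely on as well. The rest of the template body lies outside the hunk.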
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Tue, 5 Aug 2025 17:39:54 +0200
Subject: [PATCH 4/9] Added allowlist to container label
Was not documented, but is required...
---
 .../checkmk/templates/node-collector-container-metrics-ds.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
index 3d0dbb3..bee6747 100644
--- a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
+++ b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
@@ -31,6 +31,9 @@ spec:
 {{- include "checkmk.selectorLabels" . | nindent 8 }}
 component: {{ include "checkmk.fullname" . }}-node-collector
 app: {{ include "checkmk.fullname" . }}-node-collector-container-metrics
+ {{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") }}
+ cloud.google.com/matching-allowlist: checkmk-node-collector-container-metrics
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
From fdda1348cc88bde0690e992289a71490681e2b03 Mon Sep 17 00:00:00 2001
From: Martin Hirschvogel
Date: Tue, 5 Aug 2025 19:46:48 +0200
Subject: [PATCH 5/9] Moved CRD from Helm to own manifest
---
 .../templates/gke-allowlist-synchronizer.yaml | 12 ------------
 .../node-collector-container-metrics-ds.yaml | 2 +-
 deploy/charts/checkmk/values.yaml | 13 ++++++-------
 .../gke-allowlist/cmk-allowlist-synchronizer.yaml | 8 ++++++++
 4 files changed, 15 insertions(+), 20 deletions(-)
 delete mode 100644 deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
 create mode 100644 deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
diff --git a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml b/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
deleted file mode 100644
index 1380260..0000000
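Review bot: The value in `+ cloud.google.com/matching-allowlist: checkmk-node-collector-container-metrics` is a hard-coded literal while every sibling label in this hunk derives from `include "checkmk.fullname"`; if it must equal the workload name declared in the allowlist GKE publishes, that deserves a comment such as `# must match the workload name in the published Checkmk allowlist; deliberately not derived from the release name` so nobody later "fixes" it to use fullname. The guard `and .Values.gkeAutopilot (hasKey ...)` duplicates the one in the synchronizer template; a named template helper would keep the two conditions from drifting apart. Any other privileged workload this chart ships would need the same label, which is worth confirming. The DaemonSet definition continues on both sides of the hunk.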
--- a/deploy/charts/checkmk/templates/gke-allowlist-synchronizer.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- /* Deploy only if .Values.gkeAutopilot.allowlistPaths is non-empty */ -}}
-{{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") }}
-apiVersion: auto.gke.io/v1
-kind: AllowlistSynchronizer
-metadata:
- name: {{ include "checkmk.fullname" . }}-allowlist-synchronizer
-spec:
- allowlistPaths:
-{{- range .Values.gkeAutopilot.allowlistPaths }}
- - "{{ . }}"
-{{- end }}
-{{- end }}
diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
index bee6747..052b62f 100644
--- a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
+++ b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
@@ -31,7 +31,7 @@ spec:
 {{- include "checkmk.selectorLabels" . | nindent 8 }}
 component: {{ include "checkmk.fullname" . }}-node-collector
 app: {{ include "checkmk.fullname" . }}-node-collector-container-metrics
- {{- if and .Values.gkeAutopilot (hasKey .Values.gkeAutopilot "allowlistPaths") }}
+ {{- if .Values.gkeAutopilot.enabled }}
 cloud.google.com/matching-allowlist: checkmk-node-collector-container-metrics
 {{- end }}
 spec:
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index d5c3154..faecb16 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
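Review bot: `+ {{- if .Values.gkeAutopilot.enabled }}` dereferences `.enabled` unconditionally, so the nil-safety that patch 3 introduced is dropped here; with `gkeAutopilot` now defined in the chart's values.yaml this works by default, but a user override that removes the key (for example `--set gkeAutopilot=null`) would make rendering fail with a nil-pointer error. `{{- if and .Values.gkeAutopilot .Values.gkeAutopilot.enabled }}` keeps the new semantics and tolerates the missing map. The DaemonSet definition continues on both sides of the hunk.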
@@ -10,13 +10,12 @@ kubeVersionOverride: ""
 ## If you are using one of them, or containerd is located in an alternate location, please uncomment / adapt the override.
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
-## GKE Autopilot only allows privilegded workloads, if they are allowlisted
-## Please uncomment the following section to deploy the required AllowlistSynchronizer
-## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
-#gkeAutopilot:
-# allowlistPaths:
-# - "Checkmk/checkmk_kube_agent/v1.0.0/*"
-# - "Checkmk/checkmk_kube_agent/v1.0.1/*"
+## GKE Autopilot only allows privilegded workloads, if they are allowlisted.
+## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/gke-allowlist-synchronizer.yaml]
+## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
+## To deploy in GKE Autopilot, please set to true.
+gkeAutopilot:
+ enabled: true
 tlsCommunication:
 enabled: false
diff --git a/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
new file mode 100644
index 0000000..2f79b3d
--- /dev/null
+++ b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
@@ -0,0 +1,8 @@
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+ name: checkmk-allowlist-synchronizer
+spec:
+ allowlistPaths:
+ - "Checkmk/checkmk_kube_agent/v1.0.0/*"
+ - "Checkmk/checkmk_kube_agent/v1.0.1/*"
\ No newline at end of file
From c82ee7612289678059f3a46be25918983e903631 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Tue, 5 Aug 2025 19:57:51 +0200
Subject: [PATCH 6/9] Set default for gkeAutopilot to false
---
 deploy/charts/checkmk/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
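Review bot: The added line `+## Requirement: Please first deploy the allowlist-synchronizer CRD [...]` calls the manifest a CRD, but `cmk-allowlist-synchronizer.yaml` in the same commit is an `AllowlistSynchronizer` custom resource, not a CustomResourceDefinition, so the wording should be "the AllowlistSynchronizer manifest". The link targets the `main` branch, so a user of an older chart release will apply whatever `allowlistPaths` are current on `main`, which may not match the agent version their chart deploys; the comment should say that the manifest entries must match the deployed agent version, or point at a tagged revision, and the same `main` link is re-pointed in patches 7 and 9 without addressing this. Suggested wording: `## Requirement: first apply the AllowlistSynchronizer manifest whose allowlistPaths match the agent version this chart deploys: <link>`. The chart's privileged DaemonSet is presumably rejected by Autopilot when no matching path is synchronized, as the comment on the first added line states.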
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index faecb16..1ef7646 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
@@ -15,7 +15,7 @@ kubeVersionOverride: ""
 ## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
 ## To deploy in GKE Autopilot, please set to true.
 gkeAutopilot:
- enabled: true
+ enabled: false
 tlsCommunication:
 enabled: false
From 6dc293ba6da450e97adbe6f5ef8a04d9bf846ab6 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Wed, 6 Aug 2025 12:22:56 +0200
Subject: [PATCH 7/9] Fixed link to manifest
---
 deploy/charts/checkmk/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index 1ef7646..7493966 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
@@ -11,7 +11,7 @@ kubeVersionOverride: ""
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
 ## GKE Autopilot only allows privilegded workloads, if they are allowlisted.
-## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/gke-allowlist-synchronizer.yaml]
+## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/cmk-allowlist/gke-allowlist-synchronizer.yaml]
 ## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
 ## To deploy in GKE Autopilot, please set to true.
 gkeAutopilot:
From 58add71b7f5c1812a3c10c1ced8d9ea9a8540c48 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Thu, 7 Aug 2025 14:43:50 +0200
Subject: [PATCH 8/9] Updated allowlistPath for 1.1.0
---
 deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
index 2f79b3d..82d34b8 100644
--- a/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
+++ b/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml
@@ -5,4 +5,4 @@ metadata:
 spec:
 allowlistPaths:
 - "Checkmk/checkmk_kube_agent/v1.0.0/*"
- - "Checkmk/checkmk_kube_agent/v1.0.1/*"
\ No newline at end of file
+ - "Checkmk/checkmk_kube_agent/v1.1.0/*"
From 6ba68d9b99c3767f846de18879a18d69fa22a804 Mon Sep 17 00:00:00 2001
From: martinhv <37176063+martinhv@users.noreply.github.com>
Date: Thu, 7 Aug 2025 15:28:18 +0200
Subject: [PATCH 9/9] Fixed path to cmk-allowlist-synchronizer
---
 deploy/charts/checkmk/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
index 7493966..28711a1 100644
--- a/deploy/charts/checkmk/values.yaml
+++ b/deploy/charts/checkmk/values.yaml
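Review bot: Replacing the `v1.0.1` entry with `+ - "Checkmk/checkmk_kube_agent/v1.1.0/*"` rather than adding it means a cluster that re-applies this manifest while still running agent 1.0.1 loses its allowlist entry, while `v1.0.0` is kept with no stated reason. A comment above `allowlistPaths:` spelling out the maintenance rule would make the intent explicit, e.g. `# one entry per agent version that may run in the cluster; the entry for the deployed version must be present`. This assumes Autopilot admits the privileged DaemonSet only while a matching path is synchronized, as the values.yaml comment introduced in patch 2 states. The manifest header lies above this hunk.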
@@ -11,7 +11,7 @@ kubeVersionOverride: ""
 #containerdOverride: "/run/k3s/containerd/containerd.sock"
 ## GKE Autopilot only allows privilegded workloads, if they are allowlisted.
-## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/cmk-allowlist/gke-allowlist-synchronizer.yaml]
+## Requirement: Please first deploy the allowlist-synchronizer CRD [https://github.com/checkmk/checkmk_kube_agent/tree/main/deploy/manifests/gke-allowlist/cmk-allowlist-synchronizer.yaml]
 ## More info: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads
 ## To deploy in GKE Autopilot, please set to true.
 gkeAutopilot: