From ee40d1c6ead4586e3b82ccdcd5e21ecbdb7f62bd Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:48:49 -0500 Subject: [PATCH 01/14] USHIFT-6951: auto-rebase update Update component images, vendor dependencies, and build artifacts from the latest auto-rebase run. Inlines c2cc_common.sh into individual c2cc test scripts. Signed-off-by: Jonathan H. Cope
---
scripts/auto-rebase/commits.txt | 28 ++++++++++++++++++++++++++++ scripts/auto-rebase/last_rebase.sh | 4 ++++ 2 files changed, 32 insertions(+)
diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt
index 4eacf45d24..1bb48b3d86 100644
--- a/scripts/auto-rebase/commits.txt
+++ b/scripts/auto-rebase/commits.txt
@@ -1,8 +1,16 @@
+<<<<<<< HEAD
 https://github.com/openshift/api embedded-component 05673ba6e6503fa49f049fb7a85903cb1f7a34ed
 https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component d6dbe6dd6aaed30d36409d8e54adb0c5b60b6744
 https://github.com/openshift/cluster-dns-operator embedded-component 8395f9054f235aec2cd5185019d201146c9827ed
 https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b
 https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 86563261c7e7e4bbbbbf10791fc5065514e4d4de
+=======
+https://github.com/openshift/api embedded-component 992ec954f8b3debeb041fa3f17caf27b264d9fb8
+https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component ed3c0c6b8b1639d8688309c3e999a6f037436d62
+https://github.com/openshift/cluster-dns-operator embedded-component 4556c40798213ee824f76c26bef66865326fe08b
+https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b
+https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 8fe970955c77da87fbbcf2c8f9e0665548185fce
+>>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update)
 https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component c35307f04313369c9ba4dcab3308506a3987065e
 https://github.com/openshift/cluster-kube-scheduler-operator embedded-component d43423b583269eea8236040424609c3f108ac9c4
 https://github.com/openshift/cluster-network-operator embedded-component c376140ed1842c6a5f78cb74c55b4b49ba212041
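Review bot: The lines added in this hunk are unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 73eed7430`) together with the second side of the conflict, so commits.txt now records two different pinned commits for the same component (two SHAs for openshift/api, for example). The same markers are added in the two later commits.txt hunks and in scripts/auto-rebase/last_rebase.sh, where they sit between two `rebase.sh to` invocations naming different nightly payloads; bash does not treat `<<<<<<< HEAD` as a comment, so that script is unlikely to run as intended. These files record which upstream revisions and release images the build consumes, so the conflict should be resolved to one side and the marker lines dropped unless a later patch in the series already does so. A CI step running `git diff --check`, which reports leftover conflict markers, would catch this before merge.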
@@ -12,6 +20,7 @@ https://github.com/openshift/csi-external-snapshotter embedded-component e695e2b
 https://github.com/openshift/etcd embedded-component bf6c0094589afdf6c814a28c24f8f1bb5a577816
 https://github.com/openshift/kubernetes embedded-component d8d517e6bbe7cf7359026cac26bb96ea45e18806
 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6
+<<<<<<< HEAD
 https://github.com/openshift/machine-config-operator embedded-component 49eaf75d2e8cf026da563bd708f6f5512facf41a
 https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940
 https://github.com/openshift/operator-framework-olm embedded-component a78cfd39c259a22c104831c6ddf2572801b0f19d
@@ -29,6 +38,25 @@ https://github.com/openshift/oc image-arm64 c639a3143e8d86763c185a5afc6c9b38d24c
 https://github.com/openshift/coredns image-arm64 97f7cc327ab5df7d6da38137b7be338efa9a3551
 https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574
 https://github.com/openshift/router image-arm64 3553702970b094986d91f218e3191487de46e476
+=======
+https://github.com/openshift/machine-config-operator embedded-component 6a2c5c65419c3e9c3028f6bd9344690f48ae837c
+https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940
+https://github.com/openshift/operator-framework-olm embedded-component 3eb13541cac6e2c0110329b37cb5375ddb52ecc0
+https://github.com/openshift/route-controller-manager embedded-component e454c01fbe561cce9973f54b1ddbcdd35a9d18ff
+https://github.com/openshift/service-ca-operator embedded-component 35cf51895f4dc77dca8a709e7635980753f87e17
+https://github.com/openshift/oc image-amd64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2
+https://github.com/openshift/coredns image-amd64 3c21b066c9bd86caa06f790dcd1c046667875d46
+https://github.com/openshift/csi-external-snapshotter image-amd64 e695e2bd0b548afd0fce049d86d4af29dd34e574
+https://github.com/openshift/router image-amd64 ce3479af6677053650d617a8165ce80c1178597c
+https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3
+https://github.com/openshift/ovn-kubernetes image-amd64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c
+https://github.com/openshift/kubernetes image-amd64 d8d517e6bbe7cf7359026cac26bb96ea45e18806
+https://github.com/openshift/service-ca-operator image-amd64 35cf51895f4dc77dca8a709e7635980753f87e17
+https://github.com/openshift/oc image-arm64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2
+https://github.com/openshift/coredns image-arm64 3c21b066c9bd86caa06f790dcd1c046667875d46
+https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574
+https://github.com/openshift/router image-arm64 ce3479af6677053650d617a8165ce80c1178597c
+>>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update)
 https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3
 https://github.com/openshift/ovn-kubernetes image-arm64 62baca4832f3aeb3fc7032d38619835c04208c95
 https://github.com/openshift/kubernetes image-arm64 d8d517e6bbe7cf7359026cac26bb96ea45e18806
diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh
index 9c0418ee13..3a02040ba3 100755
--- a/scripts/auto-rebase/last_rebase.sh
+++ b/scripts/auto-rebase/last_rebase.sh
@@ -1,2 +1,6 @@
 #!/bin/bash -x
+<<<<<<< HEAD
 ./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-18-000016" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-19-034904"
+=======
+./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-14-221055" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-14-225436"
+>>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update)
From b63bf31325b93462eb8c3096994cce5202b7eefe Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:48:52 -0500 Subject: [PATCH 02/14] USHIFT-6951: add kube-state-metrics Kubernetes manifests Add the full set of Kubernetes resources for deploying kube-state-metrics as an optional MicroShift component: - Namespace, ServiceAccount, ClusterRole, ClusterRoleBinding - Custom-resource-state ConfigMap for MicroShift-specific metrics - Deployment: kube-state-metrics + 2x kube-rbac-proxy sidecars - kube-rbac-proxy static auth secret - Headless Service with service-ca TLS annotation - Kustomize overlays with arch-specific image digests
Signed-off-by: Jonathan H. Cope
---
.../kube-state-metrics/00-namespace.yaml | 9 + .../01-cluster-role-binding.yaml | 18 + .../kube-state-metrics/01-cluster-role.yaml | 153 +++++ .../01-service-account.yaml | 12 + .../02-custom-resource-state-configmap.yaml | 544 ++++++++++++++++++ .../02-kube-rbac-proxy-secret.yaml | 19 + .../kube-state-metrics/03-deployment.yaml | 144 +++++ .../kube-state-metrics/04-service.yaml | 30 + .../kustomization.aarch64.yaml | 7 + .../kustomization.x86_64.yaml | 7 + .../kube-state-metrics/kustomization.yaml | 11 + .../release-kube-state-metrics-aarch64.json | 8 + .../release-kube-state-metrics-x86_64.json | 8 + 13 files changed, 970 insertions(+) create mode 100644 assets/optional/kube-state-metrics/00-namespace.yaml create mode 100644 assets/optional/kube-state-metrics/01-cluster-role-binding.yaml create mode 100644 assets/optional/kube-state-metrics/01-cluster-role.yaml create mode 100644 assets/optional/kube-state-metrics/01-service-account.yaml create mode 100644 assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml create mode 100644 assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml create mode 100644 assets/optional/kube-state-metrics/03-deployment.yaml create mode 100644 assets/optional/kube-state-metrics/04-service.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.aarch64.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.x86_64.yaml create mode 100644 assets/optional/kube-state-metrics/kustomization.yaml create mode 100644 assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json create mode 100644 assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json
diff --git a/assets/optional/kube-state-metrics/00-namespace.yaml b/assets/optional/kube-state-metrics/00-namespace.yaml
new file mode 100644
index 0000000000..17f727565a
--- /dev/null
+++ b/assets/optional/kube-state-metrics/00-namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openshift-monitoring
+ labels:
+ name: openshift-monitoring
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
diff --git a/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
new file mode 100644
index 0000000000..c8e3419960
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/01-cluster-role.yaml b/assets/optional/kube-state-metrics/01-cluster-role.yaml
new file mode 100644
index 0000000000..ab123ee6cd
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-cluster-role.yaml
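Review bot: In 00-namespace.yaml all three Pod Security Admission labels are set to `privileged`, which switches off pod-security enforcement, auditing and warnings for everything created in `openshift-monitoring`. The only workload this patch adds to that namespace (03-deployment.yaml) requests the `restricted-v2` SCC and sets `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, so it does not appear to need a privileged namespace. If no other component sharing the namespace needs host-level access, consider a tighter `pod-security.kubernetes.io/enforce` level, or at least set `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` so a later privileged pod is flagged. If `privileged` is required, a comment naming the component that needs it would help reviewers.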
@@ -0,0 +1,153 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - nodes
+ - pods
+ - services
+ - serviceaccounts
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ - persistentvolumeclaims
+ - persistentvolumes
+ - namespaces
+ - endpoints
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ - volumeattachments
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ - ingressclasses
+ - ingresses
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - autoscaling.k8s.io
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ verbs:
+ - list
+ - watch
diff --git a/assets/optional/kube-state-metrics/01-service-account.yaml b/assets/optional/kube-state-metrics/01-service-account.yaml
new file mode 100644
index 0000000000..7f3fe4b1ce
--- /dev/null
+++ b/assets/optional/kube-state-metrics/01-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+ namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml
new file mode 100644
index 0000000000..63adb89f96
--- /dev/null
+++ b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml
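Review bot: The first rule of the kube-state-metrics ClusterRole in 01-cluster-role.yaml grants `list` and `watch` on `secrets` across all namespaces, and a `list` response carries full secret data, so the service account token mounted into this pod can read every Secret on the node. The `--metric-denylist` in 03-deployment.yaml only hides `kube_secret_labels`; it does not remove the API access. If secret metrics are not consumed on MicroShift, drop `- secrets` from that rule and limit the enabled collectors with kube-state-metrics' `--resources` flag so the exporter does not keep retrying a forbidden list. If the access is kept, a comment recording why would help, since the binding is cluster-wide.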
@@ -0,0 +1,544 @@ +apiVersion: v1 +data: + custom-resource-state-configmap.yaml: |- + "kind": "CustomResourceStateMetrics" + "spec": + "resources": + - "groupVersionKind": + "group": "autoscaling.k8s.io" + "kind": "VerticalPodAutoscaler" + "version": "v1" + "metrics": + - "commonLabels": null + "each": + "stateSet": + "labelName": "updatemode" + "list": + - "Off" + - "Initial" + - "Recreate" + - "Auto" + "path": + - "spec" + - "updatePolicy" + - "updateMode" + "type": "StateSet" + "help": "Update mode of the VerticalPodAutoscaler." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_updatepolicy_updatemode" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "lowerBound" + - "cpu" + "type": "Gauge" + "help": "Minimum cpu resources the container can use before the VerticalPodAutoscaler updater evicts it." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "lowerBound" + - "memory" + "type": "Gauge" + "help": "Minimum memory resources the container can use before the VerticalPodAutoscaler updater evicts it." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_lowerbound_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "upperBound" + - "cpu" + "type": "Gauge" + "help": "Maximum cpu resources the container can use before the VerticalPodAutoscaler updater evicts it." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "upperBound" + - "memory" + "type": "Gauge" + "help": "Maximum memory resources the container can use before the VerticalPodAutoscaler updater evicts it." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_upperbound_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "target" + - "cpu" + "type": "Gauge" + "help": "Target cpu resources the VerticalPodAutoscaler recommends for the container." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_target_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "target" + - "memory" + "type": "Gauge" + "help": "Target memory resources the VerticalPodAutoscaler recommends for the container." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_target_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "uncappedTarget" + - "cpu" + "type": "Gauge" + "help": "Target cpu resources the VerticalPodAutoscaler recommends for the container ignoring bounds." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "status" + - "recommendation" + - "containerRecommendations" + "valueFrom": + - "uncappedTarget" + - "memory" + "type": "Gauge" + "help": "Target memory resources the VerticalPodAutoscaler recommends for the container ignoring bounds." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "minAllowed" + - "cpu" + "type": "Gauge" + "help": "Minimum cpu resources the VerticalPodAutoscaler can set for containers matching the name." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_minallowed_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "minAllowed" + - "memory" + "type": "Gauge" + "help": "Minimum memory resources the VerticalPodAutoscaler can set for containers matching the name." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_minallowed_memory" + - "commonLabels": + "resource": "cpu" + "unit": "cores" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "maxAllowed" + - "cpu" + "type": "Gauge" + "help": "Maximum cpu resources the VerticalPodAutoscaler can set for containers matching the name." 
+ "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_maxallowed_cpu" + - "commonLabels": + "resource": "memory" + "unit": "bytes" + "each": + "gauge": + "labelsFromPath": + "container": + - "containerName" + "path": + - "spec" + - "resourcePolicy" + - "containerPolicies" + "valueFrom": + - "maxAllowed" + - "memory" + "type": "Gauge" + "help": "Maximum memory resources the VerticalPodAutoscaler can set for containers matching the name." + "labelsFromPath": + "namespace": + - "metadata" + - "namespace" + "target_api_version": + - "spec" + - "targetRef" + - "apiVersion" + "target_kind": + - "spec" + - "targetRef" + - "kind" + "target_name": + - "spec" + - "targetRef" + - "name" + "verticalpodautoscaler": + - "metadata" + - "name" + "name": "verticalpodautoscaler_spec_resourcepolicy_container_policies_maxallowed_memory" + - "groupVersionKind": + "group": "gateway.networking.k8s.io" + "kind": "GatewayClass" + "version": "v1" + "metrics": + - "each": + "info": + "labelsFromPath": + "accepted": + - "status" + - "conditions" + - "[type=Accepted]" + - "status" + "controller": + - "spec" + - "controllerName" + "gateway_class": + - "metadata" + - "name" + "type": "Info" + "help": "Information about GatewayClasses" + "name": "gateway_class_info" + - "groupVersionKind": + "group": "gateway.networking.k8s.io" + "kind": "Gateway" + "version": "v1" + "metrics": + - "each": + "info": + "labelsFromPath": + "gateway": + - "metadata" + - "name" + "gateway_class": + - "spec" + - "gatewayClassName" + "namespace": + - "metadata" + - "namespace" + "programmed": + - "status" + - "conditions" + - "[type=Programmed]" + - "status" + "type": "Info" + "help": "Information about 
Gateways" + "name": "gateway_info" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: kube-state-metrics-custom-resource-state-configmap + namespace: openshift-monitoring
diff --git a/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
new file mode 100644
index 0000000000..1cae041683
--- /dev/null
+++ b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: kube-state-metrics-kube-rbac-proxy-config
+ namespace: openshift-monitoring
+stringData:
+ config.yaml: |-
+ "authorization":
+ "static":
+ - "path": "/metrics"
+ "resourceRequest": false
+ "user":
+ "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
+ "verb": "get"
+type: Opaque
diff --git a/assets/optional/kube-state-metrics/03-deployment.yaml b/assets/optional/kube-state-metrics/03-deployment.yaml
new file mode 100644
index 0000000000..902b4677ea
--- /dev/null
+++ b/assets/optional/kube-state-metrics/03-deployment.yaml
@@ -0,0 +1,144 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ name: kube-state-metrics
+ namespace: openshift-monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: kube-state-metrics
+ openshift.io/required-scc: restricted-v2
+ target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: openshift-monitoring
+ app.kubernetes.io/version: 2.19.0
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --host=127.0.0.1
+ - --port=8081
+ - --telemetry-host=127.0.0.1
+ - --telemetry-port=8082
+ - --custom-resource-state-config-file=/etc/kube-state-metrics/custom-resource-state-configmap.yaml
+ - --metric-denylist=^kube_secret_labels$,^kube_.+_annotations$,^kube_customresource_.+_annotations_info$,^kube_customresource_.+_labels_info$,^kube_.+_created$,^kube_.+_metadata_resource_version$,^kube_replicaset_metadata_generation$,^kube_replicaset_status_observed_generation$,^kube_pod_restart_policy$,^kube_pod_init_container_status_terminated$,^kube_pod_init_container_status_running$,^kube_pod_container_status_terminated$,^kube_pod_container_status_running$,^kube_pod_completion_time$,^kube_pod_status_scheduled$
+ - --metric-labels-allowlist=pods=[*],nodes=[*],namespaces=[*],persistentvolumes=[*],persistentvolumeclaims=[*],poddisruptionbudgets=[*]
+ image: quay.io/openshift/kube-state-metrics
+ name: kube-state-metrics
+ resources:
+ limits:
+ cpu: 100m
+ memory: 200Mi
+ requests:
+ cpu: 2m
+ memory: 80Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp
+ name: volume-directive-shadow
+ readOnly: false
+ - mountPath: /etc/kube-state-metrics
+ name: kube-state-metrics-custom-resource-state-configmap
+ readOnly: true
+ - args:
+ - --secure-listen-address=:8443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8081/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --config-file=/etc/kube-rbac-policy/config.yaml
+ image: quay.io/openshift/kube-rbac-proxy
+ name: kube-rbac-proxy-main
+ ports:
+ - containerPort: 8443
+ name: https-main
+ resources:
+ limits:
+ cpu: 20m
+ memory: 40Mi
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: kube-state-metrics-tls
+ readOnly: true
+ - mountPath: /etc/kube-rbac-policy
+ name: kube-state-metrics-kube-rbac-proxy-config
+ readOnly: true
+ - args:
+ - --secure-listen-address=:9443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:8082/
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --config-file=/etc/kube-rbac-policy/config.yaml
+ image: quay.io/openshift/kube-rbac-proxy
+ name: kube-rbac-proxy-self
+ ports:
+ - containerPort: 9443
+ name: https-self
+ resources:
+ limits:
+ cpu: 20m
+ memory: 40Mi
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: kube-state-metrics-tls
+ readOnly: true
+ - mountPath: /etc/kube-rbac-policy
+ name: kube-state-metrics-kube-rbac-proxy-config
+ readOnly: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: kube-state-metrics
+ volumes:
+ - emptyDir: {}
+ name: volume-directive-shadow
+ - name: kube-state-metrics-tls
+ secret:
+ secretName: kube-state-metrics-tls
+ - name: kube-state-metrics-kube-rbac-proxy-config
+ secret:
+ secretName: kube-state-metrics-kube-rbac-proxy-config
+ - configMap:
+ name: kube-state-metrics-custom-resource-state-configmap
+ name: kube-state-metrics-custom-resource-state-configmap
diff --git a/assets/optional/kube-state-metrics/04-service.yaml b/assets/optional/kube-state-metrics/04-service.yaml
new file mode 100644
index 0000000000..94b982309d
--- /dev/null
+++ b/assets/optional/kube-state-metrics/04-service.yaml
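Review bot: None of the three containers in 03-deployment.yaml drops Linux capabilities or sets a seccomp profile; each `securityContext` carries only `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsNonRoot`. The manifest appears to rely on the `openshift.io/required-scc: restricted-v2` annotation to inject those defaults, and the namespace added in this patch is labelled `privileged` for Pod Security Admission, so nothing else would enforce them if SCC admission does not apply. Stating them in the manifest keeps the pod hardened either way: add `capabilities: {drop: [ALL]}` to each container's `securityContext` and `seccompProfile: {type: RuntimeDefault}` to the pod-level `securityContext`.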
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + openshift.io/description: |- + Expose kube-state-metrics `/metrics` endpoints within the cluster on the following ports: + * Port 8443 provides access to the Kubernetes resource metrics. This port is for internal use, and no other usage is guaranteed. + * Port 9443 provides access to the internal kube-state-metrics metrics. This port is for internal use, and no other usage is guaranteed. + service.beta.openshift.io/serving-cert-secret-name: kube-state-metrics-tls + labels: + app.kubernetes.io/component: exporter + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/part-of: openshift-monitoring + app.kubernetes.io/version: 2.19.0 + name: kube-state-metrics + namespace: openshift-monitoring +spec: + clusterIP: None + ports: + - name: https-main + port: 8443 + targetPort: https-main + - name: https-self + port: 9443 + targetPort: https-self + selector: + app.kubernetes.io/component: exporter + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/part-of: openshift-monitoring diff --git a/assets/optional/kube-state-metrics/kustomization.aarch64.yaml b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml new file mode 100644 index 0000000000..f5b48a4fbe --- /dev/null +++ b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml @@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/kube-state-metrics + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:ad7ae7a3c499ed390a36ae17acd5251aa2a5a3833cd4144d1976f4d2b968b654 + - name: quay.io/openshift/kube-rbac-proxy + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:0d6a1c6ebba722e09ff2850010cb8114a8d097ccee1198c1f59680c8c7581d48 diff --git a/assets/optional/kube-state-metrics/kustomization.x86_64.yaml b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml new file mode 100644 index 0000000000..77878bb0e8 
--- /dev/null +++ b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml @@ -0,0 +1,7 @@ +images: + - name: quay.io/openshift/kube-state-metrics + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:f2c7f8cb3995b165ed4acf4c2f546b9993986862b427c4b2ef224521e05d1594 + - name: quay.io/openshift/kube-rbac-proxy + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:3b2676dd92a952c620e067cc158c2a0942c602471645d8e367104293cb964147 diff --git a/assets/optional/kube-state-metrics/kustomization.yaml b/assets/optional/kube-state-metrics/kustomization.yaml new file mode 100644 index 0000000000..17942badc5 --- /dev/null +++ b/assets/optional/kube-state-metrics/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - 00-namespace.yaml + - 01-service-account.yaml + - 01-cluster-role.yaml + - 01-cluster-role-binding.yaml + - 02-kube-rbac-proxy-secret.yaml + - 02-custom-resource-state-configmap.yaml + - 03-deployment.yaml + - 04-service.yaml diff --git a/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json b/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json new file mode 100644 index 0000000000..ea791b9165 --- /dev/null +++ b/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json @@ -0,0 +1,8 @@ +{ + "release": { + "base": "placeholder" + }, + "images": { + "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad7ae7a3c499ed390a36ae17acd5251aa2a5a3833cd4144d1976f4d2b968b654" + } +} diff --git a/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json b/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json new file mode 100644 index 0000000000..842b4c01a3 --- /dev/null +++ b/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json 
@@ -0,0 +1,8 @@ +{ + "release": { + "base": "placeholder" + }, + "images": { + "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f2c7f8cb3995b165ed4acf4c2f546b9993986862b427c4b2ef224521e05d1594" + } +} From b98b79aeaded628c155c16d7d28f9dcb92717054 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:48:53 -0500 Subject: [PATCH 03/14] USHIFT-6951: register kube-state-metrics healthcheck Add kube-state-metrics Deployment to the optional workload healthcheck map under the openshift-monitoring namespace. Introduces mergeWorkloads() to support multiple optional components deploying to the same namespace. Signed-off-by: Jonathan H. Cope --- .../microshift_optional_workloads.go | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index 80e2d9a3b0..cdf928666c 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go 
@@ -38,6 +38,21 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ Namespace: "sriov-network-operator", Workloads: NamespaceWorkloads{Deployments: []string{"sriov-network-operator"}}, }, + + "/usr/lib/microshift/manifests.d/081-microshift-kube-state-metrics": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{Deployments: []string{"kube-state-metrics"}}, + }, +} + +// mergeWorkloads merges two NamespaceWorkloads, returning a new NamespaceWorkloads. This is helpful for cases +// where components from multiple sources are deployed to the same namespace. +func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { + return NamespaceWorkloads{ + Deployments: append(existing.Deployments, incoming.Deployments...), + DaemonSets: append(existing.DaemonSets, incoming.DaemonSets...), + StatefulSets: append(existing.StatefulSets, incoming.StatefulSets...), + } } // fillOptionalMicroShiftWorkloads assembles list of optional MicroShift workloads @@ -73,7 +88,7 @@ func fillOptionalMicroShiftWorkloads(workloadsToCheck map[string]NamespaceWorklo } klog.Infof("Optional component path exists and is configured: %s - expecting %v in namespace %q", path, ow.Workloads.String(), ow.Namespace) - workloadsToCheck[ow.Namespace] = ow.Workloads + workloadsToCheck[ow.Namespace] = mergeWorkloads(workloadsToCheck[ow.Namespace], ow.Workloads) } return nil } From 3c73323a3fd4d24b2a58d05d715e7ee6b0a2bec1 Mon Sep 17 00:00:00 2001 
From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:48:55 -0500 Subject: [PATCH 04/14] USHIFT-6951: package kube-state-metrics RPM and observability integration Add microshift-metrics-kube-state and microshift-metrics-kube-state- release-info RPM subpackages. The metrics-kube-state package owns the kube-state-metrics manifests and the otelcol.d scrape config fragment, creating the otelcol.d directory as needed. The observability package uses Recommends (not Requires) for metrics-kube-state so users can install the collector without forcing kube-state-metrics deployment. Also adds kube-state-metrics to auto-rebase asset config, test RPM lists, and the otelcol test stub config. Signed-off-by: Jonathan H. Cope --- .../microshift-metrics-kube-state.yaml | 26 +++++++++ packaging/rpm/microshift.spec | 53 +++++++++++++++++++ scripts/auto-rebase/assets.yaml | 21 ++++++++ scripts/auto-rebase/rebase.sh | 38 +++++++++++++ test/assets/observability/otel_config.yaml | 4 ++ test/bin/common.sh | 2 + 6 files changed, 144 insertions(+) create mode 100644 packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml diff --git a/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml b/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml new file mode 100644 index 0000000000..b8bb4c76dc --- /dev/null +++ b/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml 
@@ -0,0 +1,26 @@ +receivers: + prometheus/kube_state_metrics: + config: + scrape_configs: + - job_name: kube-state-metrics + scrape_interval: 30s + scheme: https + tls_config: + ca_file: /var/lib/microshift/certs/service-ca/ca.crt + server_name: kube-state-metrics.openshift-monitoring.svc + kubernetes_sd_configs: + - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig + role: endpoints + namespaces: + names: [openshift-monitoring] + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kube-state-metrics;https-main + +service: + pipelines: + metrics/kube_state_metrics: + receivers: [prometheus/kube_state_metrics] + processors: [batch] + exporters: [otlp] diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 6362e4f552..2c6ffe4555 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -236,6 +236,7 @@ and can be used to embed those images into osbuilder blueprints or bootc contain Summary: OpenTelemetry-Collector configured for MicroShift BuildArch: noarch Requires: microshift = %{version} +Recommends: microshift-metrics-kube-state = %{version} Requires: opentelemetry-collector %description observability 
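Review bot: The `kube-state-metrics` scrape job sets `scheme: https` and a `tls_config` but carries no client credential, while the Deployment in this series fronts the `https-main` port (8443) with kube-rbac-proxy and a `--config-file` policy. Unless that policy, which is not visible here, allows unauthenticated reads of `/metrics`, the scrape would be rejected; the job probably needs an `authorization` block whose `credentials_file` points at a token for the collector's identity (placeholder path `<TOKEN_FILE>`), with RBAC to match. The pipeline also names `processors: [batch]` and `exporters: [otlp]`, neither of which this fragment defines. A header comment such as `# Requires the main collector config to define the batch processor and the otlp exporter.` would make that dependency explicit.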
@@ -261,6 +262,25 @@ The microshift-cert-manager-release-info package provides release information fi release. These files contain the list of container image references used by Cert Manager and can be used to embed those images into osbuilder blueprints or bootc containerfiles. +%package metrics-kube-state +Summary: Kubernetes kube-state-metrics for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics-kube-state +The microshift-metrics-kube-state package provides kube-state-metrics for MicroShift. +Install this package to expose Kubernetes object state metrics via a secure endpoint. + +%package metrics-kube-state-release-info +Summary: Release information for kube-state-metrics for MicroShift +BuildArch: noarch +Requires: microshift-release-info = %{version} + +%description metrics-kube-state-release-info +The microshift-metrics-kube-state-release-info package provides release information files for this +release. These files contain the list of container image references used by kube-state-metrics +and can be used to embed those images into osbuilder blueprints or bootc containerfiles. + %package sriov Summary: SR-IOV Network Operator for MicroShift ExclusiveArch: x86_64 aarch64 
@@ -599,6 +619,30 @@ cat assets/optional/cert-manager/manager/images-x86_64.yaml >> %{buildroot}/%{_p mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ +# kube-state-metrics +install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d +install -p -m644 packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/01-cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/03-deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 assets/optional/kube-state-metrics/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +install -p -m644 
assets/optional/kube-state-metrics/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics + +%ifarch %{arm} aarch64 +cat assets/optional/kube-state-metrics/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/kube-state-metrics/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/kustomization.yaml +%endif + +# kube-state-metrics-release-info +install -p -m644 assets/optional/kube-state-metrics/release-kube-state-metrics-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ + # sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd @@ -802,6 +846,15 @@ fi %files cert-manager-release-info %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json +%files metrics-kube-state +%dir %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics +%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/* +%dir %{_sysconfdir}/microshift/observability/otelcol.d +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-kube-state.yaml + +%files metrics-kube-state-release-info +%{_datadir}/microshift/release/release-kube-state-metrics-{x86_64,aarch64}.json + %files sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml index b4f34d3f6c..e2d70cb981 100644 --- a/scripts/auto-rebase/assets.yaml +++ b/scripts/auto-rebase/assets.yaml 
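Review bot: The nine `install -p -m644 assets/optional/kube-state-metrics/<file>.yaml ...` lines in the kube-state-metrics section repeat the same destination and differ only in the file name, so a manifest added later is easy to miss. The release-info line just below already uses brace expansion, and the same form works here: `install -p -m644 assets/optional/kube-state-metrics/{00-namespace,01-service-account,01-cluster-role,01-cluster-role-binding,02-kube-rbac-proxy-secret,02-custom-resource-state-configmap,03-deployment,04-service,kustomization}.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/`. Separately, `%ifarch %{arm} aarch64` also matches 32-bit ARM, although the subpackage declares `ExclusiveArch: x86_64 aarch64`; if this is not just copied from the neighbouring sections, `%ifarch aarch64` states the intent more precisely.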
@@ -301,6 +301,27 @@ assets: - file: service.yaml - file: serviceaccount.yaml + - dir: optional/kube-state-metrics/ + ignore: "MicroShift-specific kube-state-metrics manifests sourced from CMO" + files: + - file: 00-namespace.yaml + - file: 01-cluster-role-binding.yaml + - file: 01-cluster-role.yaml + - file: 01-service-account.yaml + - file: 02-custom-resource-state-configmap.yaml + - file: 02-kube-rbac-proxy-secret.yaml + - file: 03-deployment.yaml + - file: 04-service.yaml + - file: kustomization.yaml + - file: kustomization.x86_64.yaml + ignore: "gets generated during image rebase" + - file: kustomization.aarch64.yaml + ignore: "gets generated during image rebase" + - file: release-kube-state-metrics-x86_64.json + ignore: "gets generated during image rebase" + - file: release-kube-state-metrics-aarch64.json + ignore: "gets generated during image rebase" + - dir: optional/observability/ ignore: "they don't exist in upstream repository - only in microshift" files: diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh index 1bcdb6cae5..8b05494e35 100755 --- a/scripts/auto-rebase/rebase.sh +++ b/scripts/auto-rebase/rebase.sh @@ -921,6 +921,7 @@ EOF update_olm_images update_multus_images + update_kube_state_metrics_images popd >/dev/null } 
@@ -1111,6 +1112,43 @@ EOF done # for goarch } +update_kube_state_metrics_images() { + title "Rebasing kube-state-metrics images" + + for goarch in amd64 arm64; do + arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} + + local release_file="${STAGING_DIR}/release_${goarch}.json" + local kustomization_arch_file="${REPOROOT}/assets/optional/kube-state-metrics/kustomization.${arch}.yaml" + local ksm_release_json="${REPOROOT}/assets/optional/kube-state-metrics/release-kube-state-metrics-${arch}.json" + + local base_release + base_release=$(jq -r ".metadata.version" "${release_file}") + jq -n "{\"release\": {\"base\": \"$base_release\"}, \"images\": {}}" > "${ksm_release_json}" + + cat < "${kustomization_arch_file}" + +images: +EOF + + for container in kube-state-metrics kube-rbac-proxy; do + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${container}\") | .from.name" "${release_file}") + local new_image_name="${new_image%@*}" + local new_image_digest="${new_image#*@}" + + cat <> "${kustomization_arch_file}" + - name: quay.io/openshift/${container} + newName: ${new_image_name} + digest: ${new_image_digest} +EOF + + local json_key="${container//-/_}" + yq -i -o json ".images += {\"${json_key}\": \"${new_image}\"}" "${ksm_release_json}" + done + done +} + update_olm_images() { title "Rebasing operator-lifecycle-manager manifests" diff --git a/test/assets/observability/otel_config.yaml b/test/assets/observability/otel_config.yaml index 4565f82077..25609b2d17 100644 --- a/test/assets/observability/otel_config.yaml +++ b/test/assets/observability/otel_config.yaml @@ -59,6 +59,10 @@ exporters: enabled: true otlphttp/loki: # only for logs, exports the logs in the loki server endpoint: "http://{{LOKI_HOST}}:{{LOKI_PORT}}/otlp" + otlp: + endpoint: "localhost:4317" + tls: + insecure: true extensions: file_storage: diff --git a/test/bin/common.sh b/test/bin/common.sh index ef682a676f..80460b0ce1 100644 --- a/test/bin/common.sh 
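Review bot: In `update_kube_state_metrics_images`, `new_image` is written into the kustomization file and the release JSON without checking that the `jq` lookup found anything. If a tag is absent from `release_${goarch}.json`, `jq -r` exits 0 with empty output (or prints `null` when `.from.name` is missing), and the generated `newName`/`digest` no longer pin the image to a real digest. A guard right after the lookup fails the rebase instead: `[[ "${new_image}" =~ @sha256:[0-9a-f]{64}$ ]] || { echo "ERROR: no digest for ${container} (${goarch})" >&2; return 1; }`. `base_release` is also spliced into the jq program text; `jq -n --arg base "${base_release}" '{release: {base: $base}, images: {}}'` passes it as data. The loop variables `goarch` and `arch` are assigned without `local`, so they leak into the caller's scope.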
+++ b/test/bin/common.sh @@ -388,6 +388,8 @@ MICROSHIFT_Y2_OPTIONAL_RPMS_LIST=( microshift-cert-manager-release-info microshift-sriov microshift-sriov-release-info + microshift-metrics-kube-state + microshift-metrics-kube-state-release-info ) MICROSHIFT_Y1_OPTIONAL_RPMS_LIST=( "${MICROSHIFT_Y2_OPTIONAL_RPMS_LIST[@]}" From edd6c1e3326ea969f4a559d05763332c550278da Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 00:45:14 -0500 Subject: [PATCH 05/14] USHIFT-6951: use slices.Concat in mergeWorkloads Co-Authored-By: Claude Opus 4.6 --- pkg/healthcheck/microshift_optional_workloads.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index cdf928666c..e2501d9a19 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -1,6 +1,8 @@ package healthcheck import ( + "slices" + "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/util" "k8s.io/klog/v2" @@ -45,13 +47,12 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ }, } -// mergeWorkloads merges two NamespaceWorkloads, returning a new NamespaceWorkloads. This is helpful for cases -// where components from multiple sources are deployed to the same namespace. +// mergeWorkloads combines two NamespaceWorkloads into one. func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { return NamespaceWorkloads{ - Deployments: append(existing.Deployments, incoming.Deployments...), - DaemonSets: append(existing.DaemonSets, incoming.DaemonSets...), - StatefulSets: append(existing.StatefulSets, incoming.StatefulSets...), + Deployments: slices.Concat(existing.Deployments, incoming.Deployments), + DaemonSets: slices.Concat(existing.DaemonSets, incoming.DaemonSets), + StatefulSets: slices.Concat(existing.StatefulSets, incoming.StatefulSets), } } 
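Review bot: The rewritten doc comment on `mergeWorkloads` drops both the reason the helper exists and the reason for moving away from `append`. `slices.Concat` always allocates a fresh slice, whereas `append(existing.Deployments, ...)` can write into `existing`'s backing array when it has spare capacity. Saying so keeps a later edit from reverting the change. Suggested comment: `// mergeWorkloads returns a new NamespaceWorkloads holding the entries of both arguments, for optional components that share a namespace.` followed by `// slices.Concat allocates fresh slices, so neither argument's backing array is modified.` The commit message has only a subject and a trailer, so the rationale is not recorded anywhere else.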
From 06070c90b8bbd0a80427030c16ccfd6b5abebff9 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 10:03:39 -0500 Subject: [PATCH 06/14] otel-col configuration will be implemented after the components themselves have been merged. --- .../microshift-metrics-kube-state.yaml | 26 ------------------- packaging/rpm/microshift.spec | 5 ---- test/assets/observability/otel_config.yaml | 4 --- 3 files changed, 35 deletions(-) delete mode 100644 packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml diff --git a/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml b/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml deleted file mode 100644 index b8bb4c76dc..0000000000 --- a/packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml +++ /dev/null @@ -1,26 +0,0 @@ -receivers: - prometheus/kube_state_metrics: - config: - scrape_configs: - - job_name: kube-state-metrics - scrape_interval: 30s - scheme: https - tls_config: - ca_file: /var/lib/microshift/certs/service-ca/ca.crt - server_name: kube-state-metrics.openshift-monitoring.svc - kubernetes_sd_configs: - - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig - role: endpoints - namespaces: - names: [openshift-monitoring] - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: kube-state-metrics;https-main - -service: - pipelines: - metrics/kube_state_metrics: - receivers: [prometheus/kube_state_metrics] - processors: [batch] - exporters: [otlp] diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 2c6ffe4555..9a3ac0f24b 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec 
@@ -236,7 +236,6 @@ and can be used to embed those images into osbuilder blueprints or bootc contain Summary: OpenTelemetry-Collector configured for MicroShift BuildArch: noarch Requires: microshift = %{version} -Recommends: microshift-metrics-kube-state = %{version} Requires: opentelemetry-collector %description observability @@ -620,8 +619,6 @@ mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ # kube-state-metrics -install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d -install -p -m644 packaging/observability/otelcol.d/microshift-metrics-kube-state.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics install -p -m644 assets/optional/kube-state-metrics/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics install -p -m644 assets/optional/kube-state-metrics/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics @@ -849,8 +846,6 @@ fi %files metrics-kube-state %dir %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics %{_prefix}/lib/microshift/manifests.d/081-microshift-kube-state-metrics/* -%dir %{_sysconfdir}/microshift/observability/otelcol.d -%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-kube-state.yaml %files metrics-kube-state-release-info %{_datadir}/microshift/release/release-kube-state-metrics-{x86_64,aarch64}.json diff --git a/test/assets/observability/otel_config.yaml b/test/assets/observability/otel_config.yaml index 25609b2d17..4565f82077 100644 --- a/test/assets/observability/otel_config.yaml +++ b/test/assets/observability/otel_config.yaml 
@@ -59,10 +59,6 @@ exporters: enabled: true otlphttp/loki: # only for logs, exports the logs in the loki server endpoint: "http://{{LOKI_HOST}}:{{LOKI_PORT}}/otlp" - otlp: - endpoint: "localhost:4317" - tls: - insecure: true extensions: file_storage: From d542bcb18ceb81f06e17a389f1c11b3ed937dfef Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 12:18:17 -0500 Subject: [PATCH 07/14] USHIFT-6951: remove kube-state-metrics rebase logic from shared files Move KSM asset tracking and image update logic out of the shared rebase.sh and assets.yaml in preparation for a standalone rebase script sourced from cluster-monitoring-operator. Signed-off-by: Jonathan H. Cope --- scripts/auto-rebase/assets.yaml | 21 ------------------ scripts/auto-rebase/rebase.sh | 38 --------------------------------- 2 files changed, 59 deletions(-) diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml index e2d70cb981..b4f34d3f6c 100644 --- a/scripts/auto-rebase/assets.yaml +++ b/scripts/auto-rebase/assets.yaml 
@@ -301,27 +301,6 @@ assets: - file: service.yaml - file: serviceaccount.yaml - - dir: optional/kube-state-metrics/ - ignore: "MicroShift-specific kube-state-metrics manifests sourced from CMO" - files: - - file: 00-namespace.yaml - - file: 01-cluster-role-binding.yaml - - file: 01-cluster-role.yaml - - file: 01-service-account.yaml - - file: 02-custom-resource-state-configmap.yaml - - file: 02-kube-rbac-proxy-secret.yaml - - file: 03-deployment.yaml - - file: 04-service.yaml - - file: kustomization.yaml - - file: kustomization.x86_64.yaml - ignore: "gets generated during image rebase" - - file: kustomization.aarch64.yaml - ignore: "gets generated during image rebase" - - file: release-kube-state-metrics-x86_64.json - ignore: "gets generated during image rebase" - - file: release-kube-state-metrics-aarch64.json - ignore: "gets generated during image rebase" - - dir: optional/observability/ ignore: "they don't exist in upstream repository - only in microshift" files: diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh index 8b05494e35..1bcdb6cae5 100755 --- a/scripts/auto-rebase/rebase.sh +++ b/scripts/auto-rebase/rebase.sh @@ -921,7 +921,6 @@ EOF update_olm_images update_multus_images - update_kube_state_metrics_images popd >/dev/null } 
@@ -1112,43 +1111,6 @@ EOF done # for goarch } -update_kube_state_metrics_images() { - title "Rebasing kube-state-metrics images" - - for goarch in amd64 arm64; do - arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} - - local release_file="${STAGING_DIR}/release_${goarch}.json" - local kustomization_arch_file="${REPOROOT}/assets/optional/kube-state-metrics/kustomization.${arch}.yaml" - local ksm_release_json="${REPOROOT}/assets/optional/kube-state-metrics/release-kube-state-metrics-${arch}.json" - - local base_release - base_release=$(jq -r ".metadata.version" "${release_file}") - jq -n "{\"release\": {\"base\": \"$base_release\"}, \"images\": {}}" > "${ksm_release_json}" - - cat < "${kustomization_arch_file}" - -images: -EOF - - for container in kube-state-metrics kube-rbac-proxy; do - local new_image - new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${container}\") | .from.name" "${release_file}") - local new_image_name="${new_image%@*}" - local new_image_digest="${new_image#*@}" - - cat <> "${kustomization_arch_file}" - - name: quay.io/openshift/${container} - newName: ${new_image_name} - digest: ${new_image_digest} -EOF - - local json_key="${container//-/_}" - yq -i -o json ".images += {\"${json_key}\": \"${new_image}\"}" "${ksm_release_json}" - done - done -} - update_olm_images() { title "Rebasing operator-lifecycle-manager manifests" From c9f09510dd7c8a2e10827e9d4a540b613f7a4a6e Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 12:18:23 -0500 Subject: [PATCH 08/14] USHIFT-6951: add standalone cluster-monitoring-operator rebase script Add rebase_cluster_monitoring_operator.sh and its asset manifest for rebasing metrics exporters from the cluster-monitoring-operator repo. The script handles download, manifest copy, and image updates for all three exporters, keyed on which asset directories exist on the branch. 
Signed-off-by: Jonathan H. Cope --- .../assets_cluster_monitoring_operator.yaml | 33 ++ .../rebase_cluster_monitoring_operator.sh | 319 ++++++++++++++++++ 2 files changed, 352 insertions(+) create mode 100644 scripts/auto-rebase/assets_cluster_monitoring_operator.yaml create mode 100755 scripts/auto-rebase/rebase_cluster_monitoring_operator.sh diff --git a/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml new file mode 100644 index 0000000000..62babfc169 --- /dev/null +++ b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml @@ -0,0 +1,33 @@ +assets: + - dir: optional/kube-state-metrics/ + no_clean: True + src: cluster-monitoring-operator/assets/kube-state-metrics/ + files: + - file: 00-namespace.yaml + ignore: "MicroShift-specific, no upstream equivalent" + git_restore: True + - file: 01-cluster-role.yaml + src: cluster-role.yaml + - file: 01-cluster-role-binding.yaml + src: cluster-role-binding.yaml + - file: 01-service-account.yaml + src: service-account.yaml + - file: 02-custom-resource-state-configmap.yaml + src: custom-resource-state-configmap.yaml + - file: 02-kube-rbac-proxy-secret.yaml + src: kube-rbac-proxy-secret.yaml + - file: 03-deployment.yaml + src: deployment.yaml + - file: 04-service.yaml + src: service.yaml + - file: kustomization.yaml + ignore: "MicroShift-specific kustomization" + git_restore: True + - file: kustomization.x86_64.yaml + ignore: "gets generated during image rebase" + - file: kustomization.aarch64.yaml + ignore: "gets generated during image rebase" + - file: release-kube-state-metrics-x86_64.json + ignore: "gets generated during image rebase" + - file: release-kube-state-metrics-aarch64.json + ignore: "gets generated during image rebase" diff --git a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh new file mode 100755 index 0000000000..0b039ce108 --- /dev/null 
+++ b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh 
@@ -0,0 +1,319 @@ +#!/usr/bin/env bash +# shellcheck disable=all +# Copyright 2022 The MicroShift authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o errexit +set -o errtrace +set -o nounset +set -o pipefail + +shopt -s expand_aliases +shopt -s extglob + +#debugging options +#trap 'echo "#L$LINENO: $BASH_COMMAND" >&2' DEBUG +#set -xo functrace +#PS4='+ $LINENO ' +REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")" +STAGING_DIR="$REPOROOT/_output/staging" +PULL_SECRET_FILE="${HOME}/.pull-secret.json" +REBASE_USE_SSH="${REBASE_USE_SSH:-false}" + +declare -a ARCHS=("amd64" "arm64") +declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) + +# Maps kustomization image name -> OCP release tag name +declare -A IMAGE_MAP=( + ["quay.io/openshift/kube-metrics-server"]="kube-metrics-server" + ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics" + ["quay.io/openshift/node-exporter"]="prometheus-node-exporter" + ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy" +) + +# Maps component dir -> release JSON key +declare -A COMPONENT_JSON_KEY=( + ["metrics-server"]="metrics_server" + ["kube-state-metrics"]="kube_state_metrics" + ["node-exporter"]="node_exporter" +) + +# Maps release JSON key -> OCP release tag name +declare -A EXPORTER_TAG_MAP=( + ["metrics_server"]="kube-metrics-server" + ["kube_state_metrics"]="kube-state-metrics" + ["node_exporter"]="prometheus-node-exporter" +) + +title() { + echo -e "\E[34m$1\E[00m"; 
+} + +retry_cmd() { + local -r max_attempts=5 + local timeout=1 + local attempt=1 + local exit_code=0 + + while (( attempt <= max_attempts )); do + if "$@"; then + return 0 + else + exit_code=$? + fi + echo "Attempt ${attempt} of ${max_attempts} failed (exit code ${exit_code}). Retrying in ${timeout}s..." + sleep "${timeout}" + attempt=$(( attempt + 1 )) + timeout=$(( timeout * 2 )) + done + + echo "Command failed after ${max_attempts} attempts: $@" + return "${exit_code}" +} + +check_preconditions() { + if ! hash yq; then + title "Installing yq" + sudo DEST_DIR=/usr/bin/ "${REPOROOT}/scripts/fetch_tools.sh" yq + fi + + if ! hash python3; then + echo "ERROR: python3 is not present on the system - please install" + exit 1 + fi + + if ! python3 -c "import yaml"; then + echo "ERROR: missing python's yaml library - please install" + exit 1 + fi +} + +clone_repo() { + local repo="$1" + local commit="$2" + local destdir="$3" + + local repodir="${destdir}/${repo##*/}" + + if [[ -d "${repodir}" ]]; then + return + fi + + if "${REBASE_USE_SSH}"; then + repo="git@github.com:${repo#https://github.com/}" + fi + + git init "${repodir}" + pushd "${repodir}" >/dev/null + git remote add origin "${repo}" + retry_cmd git fetch origin --quiet --filter=tree:0 --tags "${commit}" + git checkout "${commit}" + popd >/dev/null +} + +download_cluster_monitoring_operator() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + rm -rf "${STAGING_DIR}" + mkdir -p "${STAGING_DIR}" + pushd "${STAGING_DIR}" >/dev/null + + local authentication="" + if [[ -f "${PULL_SECRET_FILE}" ]]; then + authentication="-a ${PULL_SECRET_FILE}" + else + >&2 echo "Warning: no pull secret found at ${PULL_SECRET_FILE}" + fi + + title "# Fetching release info for ${release_image_amd64} (amd64)" + oc adm release info ${authentication} "${release_image_amd64}" -o json > release_amd64.json + title "# Fetching release info for ${release_image_arm64} (arm64)" + oc adm release info ${authentication} 
"${release_image_arm64}" -o json > release_arm64.json + + title "# Extracting cluster-monitoring-operator source commit" + cat release_amd64.json \ + | jq -r '.references.spec.tags[] | "\(.name) \(.annotations."io.openshift.build.source-location") \(.annotations."io.openshift.build.commit.id")"' > source-commits + + local cmo_line + cmo_line=$(grep '^cluster-monitoring-operator ' source-commits) || { + >&2 echo "ERROR: cluster-monitoring-operator not found in release payload" + return 1 + } + + local repo commit + repo=$(echo "${cmo_line}" | cut -d ' ' -f 2) + commit=$(echo "${cmo_line}" | cut -d ' ' -f 3) + + title "# Cloning cluster-monitoring-operator at ${commit}" + clone_repo "${repo}" "${commit}" "." + + popd >/dev/null +} + +update_node_exporter_manifests() { + [[ -d "${REPOROOT}/assets/optional/node-exporter" ]] || return 0 + + title "Rebasing node-exporter manifests" + + local ne_ds="${REPOROOT}/assets/optional/node-exporter/03-daemonset.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ne_ds" + yq -i '.spec.template.spec.initContainers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--secure-listen-address="))) |= "--secure-listen-address=0.0.0.0:9100"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ne_ds" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ne_ds" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i 
'.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "node-exporter-tls")).readOnly = true' "$ne_ds" + + local ne_secret="${REPOROOT}/assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ne_secret" +} + +update_cluster_monitoring_operator_images() { + title "Rebasing metrics component images" + + for goarch in amd64 arm64; do + local arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} + local release_file="${STAGING_DIR}/release_${goarch}.json" + + local base_release + base_release=$(jq -r ".metadata.version" "${release_file}") + + for component_dir in metrics-server kube-state-metrics node-exporter; do + [[ -d "${REPOROOT}/assets/optional/${component_dir}" ]] || continue + + local json_key="${COMPONENT_JSON_KEY[$component_dir]}" + local release_tag="${EXPORTER_TAG_MAP[$json_key]}" + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local component_release_json="${REPOROOT}/assets/optional/${component_dir}/release-${component_dir}-${arch}.json" + jq -n --arg base "$base_release" --arg img "${new_image}" \ + "{\"release\": {\"base\": \$base}, \"images\": {\"${json_key}\": \$img}}" > "${component_release_json}" + + local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml" + + cat < "${kustomization_arch_file}" +images: +EOF + + local image_names + image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ + | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) + + for orig_image in ${image_names}; do + local 
release_tag="${IMAGE_MAP[$orig_image]:-}" + if [[ -z "${release_tag}" ]]; then + >&2 echo "ERROR: Unknown metrics image '${orig_image}' in ${component_dir}" + return 1 + fi + + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Image for release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local new_image_name="${new_image%@*}" + local new_image_digest="${new_image#*@}" + + cat <> "${kustomization_arch_file}" + - name: ${orig_image} + newName: ${new_image_name} + digest: ${new_image_digest} +EOF + done + done + done +} + +copy_manifests() { + title "Copying manifests" + "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml" +} + +update_last_rebase() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + title "## Updating last_rebase_cluster_monitoring_operator.sh" + + local last_rebase_script="${REPOROOT}/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh" + + rm -f "${last_rebase_script}" + cat - >"${last_rebase_script}" < Date: Fri, 19 Jun 2026 12:42:40 -0500 Subject: [PATCH 09/14] update last_rebase_cluster_monitoring_operator.sh --- scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh | 2 ++ 1 file changed, 2 insertions(+) create mode 100755 scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh diff --git a/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh new file mode 100755 index 0000000000..f61200df82 --- /dev/null +++ b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh 
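Review bot: In `clone_repo`, `if "${REBASE_USE_SSH}"; then` executes whatever string the environment variable holds as a command instead of comparing it, so any value other than `true`/`false` is run; `if [[ "${REBASE_USE_SSH}" == "true" ]]; then` treats it as data. The same function hands `repo` and `commit`, which `download_cluster_monitoring_operator` reads from the release payload's annotations, to `git remote add`, `git fetch` and `git checkout` without checking their shape, so a malformed or option-like value reaches git unfiltered. The sketch below rejects anything that is not an `https://github.com/` URL and a 40-hex commit id; it assumes GitHub-hosted sources, which the existing `${repo#https://github.com/}` rewrite already presumes. In `update_cluster_monitoring_operator_images`, `new_image` is split on `@` without confirming a digest is present, so a tag-only reference would land in the `digest:` field unchanged; a guard such as `[[ "${new_image}" == *@sha256:* ]]` before the split would catch that.

```shell
clone_repo() {
    # … unchanged: repo/commit/destdir locals, repodir, early return when repodir exists …

    # Both values originate in release-payload annotations; check their shape before any git call.
    if [[ ! "${repo}" =~ ^https://github\.com/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]]; then
        >&2 echo "ERROR: unexpected source location '${repo}'"
        return 1
    fi
    if [[ ! "${commit}" =~ ^[0-9a-f]{40}$ ]]; then
        >&2 echo "ERROR: unexpected commit id '${commit}'"
        return 1
    fi

    # Compare the flag as a string instead of executing it.
    if [[ "${REBASE_USE_SSH}" == "true" ]]; then
    # … unchanged: ssh URL rewrite, git init / remote add / fetch / checkout …
```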
@@ -0,0 +1,2 @@ +#!/bin/bash -x +./scripts/auto-rebase/rebase_cluster_monitoring_operator.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-19-155631" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-19-154904" From ffa9d43043586fefe642f52677346f6a0e078697 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 16:45:48 -0500 Subject: [PATCH 10/14] to simply merging of the components the CMO rebase script is now identical across the 3 PRs Signed-off-by: Jonathan H. Cope --- .../rebase_cluster_monitoring_operator.sh | 58 ++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh index 0b039ce108..be1124f04e 100755 --- a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh +++ b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh 
@@ -163,6 +163,58 @@ download_cluster_monitoring_operator() { popd >/dev/null } +update_metrics_server_manifests() { + [[ -d "${REPOROOT}/assets/optional/metrics-server" ]] || return 0 + + title "Rebasing metrics-server manifests" + + local ms_crb="${REPOROOT}/assets/optional/metrics-server/01-cluster-role-binding.yaml" + yq -i '.subjects += [{"kind": "User", "name": "system:metrics-server"}]' "$ms_crb" + + local ms_deploy="${REPOROOT}/assets/optional/metrics-server/03-deployment.yaml" + yq -i '.spec.replicas = 1' "$ms_deploy" + yq -i '.spec.strategy = {"type": "Recreate"}' "$ms_deploy" + yq -i 'del(.spec.template.spec.affinity)' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-metrics-server"' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].securityContext.capabilities.drop = ["ALL"]' "$ms_deploy" +} + +update_kube_state_metrics_manifests() { + [[ -d "${REPOROOT}/assets/optional/kube-state-metrics" ]] || return 0 + + title "Rebasing kube-state-metrics manifests" + + local ksm_deploy="${REPOROOT}/assets/optional/kube-state-metrics/03-deployment.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-state-metrics"' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.securityContext = {"runAsNonRoot": true}' 
"$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].resources.limits = {"cpu": "100m", "memory": "200Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ksm_deploy" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i 'del(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + + local ksm_secret="${REPOROOT}/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ksm_secret" +} + update_node_exporter_manifests() { [[ -d 
"${REPOROOT}/assets/optional/node-exporter" ]] || return 0 @@ -221,7 +273,7 @@ EOF local image_names image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ - | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) + | sed 's/.*image: *//; s/"//g; s/:.*//; s/@.*//' | sort -u | grep -v '^$') for orig_image in ${image_names}; do local release_tag="${IMAGE_MAP[$orig_image]:-}" @@ -282,6 +334,8 @@ rebase_cluster_monitoring_operator_to() { local release_image_arm64="$2" download_cluster_monitoring_operator "${release_image_amd64}" "${release_image_arm64}" copy_manifests + update_metrics_server_manifests + update_kube_state_metrics_manifests update_node_exporter_manifests update_cluster_monitoring_operator_images update_last_rebase "${release_image_amd64}" "${release_image_arm64}" @@ -313,6 +367,8 @@ case "$command" in ;; manifests) copy_manifests + update_metrics_server_manifests + update_kube_state_metrics_manifests update_node_exporter_manifests ;; *) usage;; From a31ae859f1acc548ed2b2043b6a03cea02e41d25 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 16:45:58 -0500 Subject: [PATCH 11/14] executed rebase script Signed-off-by: Jonathan H. Cope --- .../01-cluster-role-binding.yaml | 2 +- .../kube-state-metrics/01-cluster-role.yaml | 2 +- .../01-service-account.yaml | 2 +- .../02-custom-resource-state-configmap.yaml | 4 +- .../02-kube-rbac-proxy-secret.yaml | 2 - .../kube-state-metrics/03-deployment.yaml | 238 ++++++++++-------- .../kube-state-metrics/04-service.yaml | 2 +- .../kustomization.aarch64.yaml | 8 +- .../kustomization.x86_64.yaml | 8 +- .../release-kube-state-metrics-aarch64.json | 4 +- .../release-kube-state-metrics-x86_64.json | 4 +- 11 files changed, 151 insertions(+), 125 deletions(-) diff --git a/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml index c8e3419960..c22bfc34ab 100644 
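Review bot: The last line of `update_kube_state_metrics_manifests`, `sed -i '/"user":/,/"name":/d' "$ksm_secret"`, strips the `user` pin from the kube-rbac-proxy static authorization entry with no comment explaining the intent, and the range form deletes to end of file if no `"name":` line follows the `"user":` match. The generated secret later in this series shows the `prometheus-k8s` service-account restriction disappearing, so the `/metrics` rule presumably no longer names a specific caller and the new `--client-ca-file` is what gates access; a comment saying so (wording for the author to confirm) and a check that the file still contains `"verb": "get"` after the edit would make this safe to re-run. The same `sed` line is in `update_node_exporter_manifests`, added earlier in the series. Separately, the three `securityContext = {...}` assignments replace each container's map wholesale, and the resulting `03-deployment.yaml` carries no `capabilities` entry while the metrics-server function sets `capabilities.drop = ["ALL"]`; adding `"capabilities": {"drop": ["ALL"]}` to each map would keep the two consistent.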
--- a/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml +++ b/assets/optional/kube-state-metrics/01-cluster-role-binding.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 name: kube-state-metrics roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/assets/optional/kube-state-metrics/01-cluster-role.yaml b/assets/optional/kube-state-metrics/01-cluster-role.yaml index ab123ee6cd..75cd4e5d26 100644 --- a/assets/optional/kube-state-metrics/01-cluster-role.yaml +++ b/assets/optional/kube-state-metrics/01-cluster-role.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 name: kube-state-metrics rules: - apiGroups: diff --git a/assets/optional/kube-state-metrics/01-service-account.yaml b/assets/optional/kube-state-metrics/01-service-account.yaml index 7f3fe4b1ce..0bfe63ad0e 100644 --- a/assets/optional/kube-state-metrics/01-service-account.yaml +++ b/assets/optional/kube-state-metrics/01-service-account.yaml @@ -7,6 +7,6 @@ metadata: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 name: kube-state-metrics namespace: openshift-monitoring diff --git a/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml index 63adb89f96..4d0f548939 100644 --- a/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml 
+++ b/assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml @@ -430,7 +430,7 @@ data: - "maxAllowed" - "cpu" "type": "Gauge" - "help": "Maximum cpu resources the VerticalPodAutoscaler can set for containers matching the name." + "help": "Minimum cpu resources the VerticalPodAutoscaler can set for containers matching the name." "labelsFromPath": "namespace": - "metadata" @@ -467,7 +467,7 @@ data: - "maxAllowed" - "memory" "type": "Gauge" - "help": "Maximum memory resources the VerticalPodAutoscaler can set for containers matching the name." + "help": "Minimum memory resources the VerticalPodAutoscaler can set for containers matching the name." "labelsFromPath": "namespace": - "metadata" diff --git a/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml index 1cae041683..38b8df0c9c 100644 --- a/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml +++ b/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml @@ -13,7 +13,5 @@ stringData: "static": - "path": "/metrics" "resourceRequest": false - "user": - "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s" "verb": "get" type: Opaque diff --git a/assets/optional/kube-state-metrics/03-deployment.yaml b/assets/optional/kube-state-metrics/03-deployment.yaml index 902b4677ea..adc5538666 100644 --- a/assets/optional/kube-state-metrics/03-deployment.yaml +++ b/assets/optional/kube-state-metrics/03-deployment.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 name: kube-state-metrics namespace: openshift-monitoring spec: 
@@ -16,8 +16,6 @@ spec: app.kubernetes.io/component: exporter app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - strategy: - type: Recreate template: metadata: annotations: 
@@ -29,101 +27,127 @@ spec: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 spec: automountServiceAccountToken: true containers: - - args: - - --host=127.0.0.1 - - --port=8081 - - --telemetry-host=127.0.0.1 - - --telemetry-port=8082 - - --custom-resource-state-config-file=/etc/kube-state-metrics/custom-resource-state-configmap.yaml - - --metric-denylist=^kube_secret_labels$,^kube_.+_annotations$,^kube_customresource_.+_annotations_info$,^kube_customresource_.+_labels_info$,^kube_.+_created$,^kube_.+_metadata_resource_version$,^kube_replicaset_metadata_generation$,^kube_replicaset_status_observed_generation$,^kube_pod_restart_policy$,^kube_pod_init_container_status_terminated$,^kube_pod_init_container_status_running$,^kube_pod_container_status_terminated$,^kube_pod_container_status_running$,^kube_pod_completion_time$,^kube_pod_status_scheduled$ - - --metric-labels-allowlist=pods=[*],nodes=[*],namespaces=[*],persistentvolumes=[*],persistentvolumeclaims=[*],poddisruptionbudgets=[*] - image: quay.io/openshift/kube-state-metrics - name: kube-state-metrics - resources: - limits: - cpu: 100m - memory: 200Mi - requests: - cpu: 2m - memory: 80Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp - name: volume-directive-shadow - readOnly: false - - mountPath: /etc/kube-state-metrics - name: kube-state-metrics-custom-resource-state-configmap - readOnly: true - - args: - - --secure-listen-address=:8443 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - 
--upstream=http://127.0.0.1:8081/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - - --config-file=/etc/kube-rbac-policy/config.yaml - image: quay.io/openshift/kube-rbac-proxy - name: kube-rbac-proxy-main - ports: - - containerPort: 8443 - name: https-main - resources: - limits: - cpu: 20m - memory: 40Mi - requests: - cpu: 1m - memory: 15Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/tls/private - name: kube-state-metrics-tls - readOnly: true - - mountPath: /etc/kube-rbac-policy - name: kube-state-metrics-kube-rbac-proxy-config - readOnly: true - - args: - - --secure-listen-address=:9443 - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - --upstream=http://127.0.0.1:8082/ - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - - --config-file=/etc/kube-rbac-policy/config.yaml - image: quay.io/openshift/kube-rbac-proxy - name: kube-rbac-proxy-self - ports: - - containerPort: 9443 - name: https-self - resources: - limits: - cpu: 20m - memory: 40Mi - requests: - cpu: 1m - memory: 15Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/tls/private - name: kube-state-metrics-tls - readOnly: true - - mountPath: /etc/kube-rbac-policy - name: kube-state-metrics-kube-rbac-proxy-config - readOnly: true + - args: + - --host=127.0.0.1 + - --port=8081 + - --telemetry-host=127.0.0.1 + - --telemetry-port=8082 + - 
--custom-resource-state-config-file=/etc/kube-state-metrics/custom-resource-state-configmap.yaml + - | + --metric-denylist= + ^kube_secret_labels$, + ^kube_.+_annotations$, + ^kube_customresource_.+_annotations_info$, + ^kube_customresource_.+_labels_info$ + - --metric-labels-allowlist=pods=[*],nodes=[*],namespaces=[*],persistentvolumes=[*],persistentvolumeclaims=[*],poddisruptionbudgets=[*] + - | + --metric-denylist= + ^kube_.+_created$, + ^kube_.+_metadata_resource_version$, + ^kube_replicaset_metadata_generation$, + ^kube_replicaset_status_observed_generation$, + ^kube_pod_restart_policy$, + ^kube_pod_init_container_status_terminated$, + ^kube_pod_init_container_status_running$, + ^kube_pod_container_status_terminated$, + ^kube_pod_container_status_running$, + ^kube_pod_completion_time$, + ^kube_pod_status_scheduled$ + image: "quay.io/openshift/kube-state-metrics" + name: kube-state-metrics + resources: + requests: + cpu: 2m + memory: 80Mi + limits: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp + name: volume-directive-shadow + readOnly: false + - mountPath: /etc/kube-state-metrics + name: kube-state-metrics-custom-resource-state-configmap + readOnly: true + - args: + - --secure-listen-address=:8443 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - --upstream=http://127.0.0.1:8081/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --client-ca-file=/etc/tls/client-ca/ca.crt + - --config-file=/etc/kube-rbac-policy/config.yaml + image: "quay.io/openshift/kube-rbac-proxy" + name: kube-rbac-proxy-main + ports: + - containerPort: 8443 + name: 
https-main + resources: + requests: + cpu: 1m + memory: 15Mi + limits: + cpu: 20m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/tls/private + name: kube-state-metrics-tls + readOnly: true + - mountPath: /etc/kube-rbac-policy + name: kube-state-metrics-kube-rbac-proxy-config + readOnly: true + - mountPath: /etc/tls/client-ca/ca.crt + name: admin-kubeconfig-signer-ca + readOnly: true + - args: + - --secure-listen-address=:9443 + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - --upstream=http://127.0.0.1:8082/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --client-ca-file=/etc/tls/client-ca/ca.crt + - --config-file=/etc/kube-rbac-policy/config.yaml + image: "quay.io/openshift/kube-rbac-proxy" + name: kube-rbac-proxy-self + ports: + - containerPort: 9443 + name: https-self + resources: + requests: + cpu: 1m + memory: 15Mi + limits: + cpu: 20m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/tls/private + name: kube-state-metrics-tls + readOnly: true + - mountPath: /etc/kube-rbac-policy + name: kube-state-metrics-kube-rbac-proxy-config + readOnly: true + - mountPath: /etc/tls/client-ca/ca.crt + name: admin-kubeconfig-signer-ca + readOnly: true nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical 
@@ -131,14 +155,18 @@ spec: runAsNonRoot: true serviceAccountName: kube-state-metrics volumes: - - emptyDir: {} - name: volume-directive-shadow - - name: kube-state-metrics-tls - secret: - secretName: kube-state-metrics-tls - - name: kube-state-metrics-kube-rbac-proxy-config - secret: - secretName: kube-state-metrics-kube-rbac-proxy-config - - configMap: + - emptyDir: {} + name: volume-directive-shadow + - name: kube-state-metrics-tls + secret: + secretName: kube-state-metrics-tls + - name: kube-state-metrics-kube-rbac-proxy-config + secret: + secretName: kube-state-metrics-kube-rbac-proxy-config + - configMap: + name: kube-state-metrics-custom-resource-state-configmap name: kube-state-metrics-custom-resource-state-configmap - name: kube-state-metrics-custom-resource-state-configmap + - hostPath: + path: /var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt + type: File + name: admin-kubeconfig-signer-ca diff --git a/assets/optional/kube-state-metrics/04-service.yaml b/assets/optional/kube-state-metrics/04-service.yaml index 94b982309d..75fddc4371 100644 --- a/assets/optional/kube-state-metrics/04-service.yaml +++ b/assets/optional/kube-state-metrics/04-service.yaml @@ -12,7 +12,7 @@ metadata: app.kubernetes.io/managed-by: cluster-monitoring-operator app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/part-of: openshift-monitoring - app.kubernetes.io/version: 2.19.0 + app.kubernetes.io/version: 2.19.1 name: kube-state-metrics namespace: openshift-monitoring spec: diff --git a/assets/optional/kube-state-metrics/kustomization.aarch64.yaml b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml index f5b48a4fbe..b400ac1e80 100644 --- a/assets/optional/kube-state-metrics/kustomization.aarch64.yaml +++ b/assets/optional/kube-state-metrics/kustomization.aarch64.yaml 
@@ -1,7 +1,7 @@ images: - - name: quay.io/openshift/kube-state-metrics - newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:ad7ae7a3c499ed390a36ae17acd5251aa2a5a3833cd4144d1976f4d2b968b654 - name: quay.io/openshift/kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:0d6a1c6ebba722e09ff2850010cb8114a8d097ccee1198c1f59680c8c7581d48 + digest: sha256:8a74d54a45421f51cfc1d50b7fca04e177c8601cec4cf5ecfdac250e36904819 + - name: quay.io/openshift/kube-state-metrics + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:c01bcfe85cec4ea6a2c93f71793d292fd0f2be9d7176fa9b8b5fb63d3a773373 diff --git a/assets/optional/kube-state-metrics/kustomization.x86_64.yaml b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml index 77878bb0e8..a080d292b4 100644 --- a/assets/optional/kube-state-metrics/kustomization.x86_64.yaml +++ b/assets/optional/kube-state-metrics/kustomization.x86_64.yaml @@ -1,7 +1,7 @@ images: - - name: quay.io/openshift/kube-state-metrics - newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:f2c7f8cb3995b165ed4acf4c2f546b9993986862b427c4b2ef224521e05d1594 - name: quay.io/openshift/kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:3b2676dd92a952c620e067cc158c2a0942c602471645d8e367104293cb964147 + digest: sha256:b23eabd4a8578c71398ccde56be77ded55c7cbea36e592f3800347c33ca47c55 + - name: quay.io/openshift/kube-state-metrics + newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev + digest: sha256:4a633470960127f9545b5509dafd8d423108edb74ca7013c9cddde4ff5b0332d diff --git a/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json b/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json index ea791b9165..da01a2f081 100644 --- a/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json +++ b/assets/optional/kube-state-metrics/release-kube-state-metrics-aarch64.json 
@@ -1,8 +1,8 @@ { "release": { - "base": "placeholder" + "base": "5.0.0-0.nightly-arm64-2026-06-19-154904" }, "images": { - "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad7ae7a3c499ed390a36ae17acd5251aa2a5a3833cd4144d1976f4d2b968b654" + "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c01bcfe85cec4ea6a2c93f71793d292fd0f2be9d7176fa9b8b5fb63d3a773373" } } diff --git a/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json b/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json index 842b4c01a3..dfdae05ea2 100644 --- a/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json +++ b/assets/optional/kube-state-metrics/release-kube-state-metrics-x86_64.json @@ -1,8 +1,8 @@ { "release": { - "base": "placeholder" + "base": "5.0.0-0.nightly-2026-06-19-155631" }, "images": { - "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f2c7f8cb3995b165ed4acf4c2f546b9993986862b427c4b2ef224521e05d1594" + "kube_state_metrics": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:4a633470960127f9545b5509dafd8d423108edb74ca7013c9cddde4ff5b0332d" } } From b4b66c02cd0456bab35a4508ede1715074852181 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 17:54:05 -0500 Subject: [PATCH 12/14] bug fix: missiong cmo asset filepath in presubmit.py Signed-off-by: Jonathan H. Cope --- scripts/auto-rebase/presubmit.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/auto-rebase/presubmit.py b/scripts/auto-rebase/presubmit.py index 5e90ed4639..ea3f6199b4 100755 --- a/scripts/auto-rebase/presubmit.py +++ b/scripts/auto-rebase/presubmit.py @@ -29,6 +29,7 @@ "./scripts/auto-rebase/assets_ai_model_serving.yaml", "./scripts/auto-rebase/assets_cert_manager.yaml", "./scripts/auto-rebase/assets_sriov.yaml", + "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml", ] 
From e4b566c3fe101b8a1e7f17412de88a975a428e97 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Mon, 22 Jun 2026 10:48:20 -0500 Subject: [PATCH 13/14] fix merge conflict artifacts, added missing mkdir -p command to specfile Signed-off-by: Jonathan H. Cope --- packaging/rpm/microshift.spec | 1 + scripts/auto-rebase/last_rebase.sh | 4 ---- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 9a3ac0f24b..b7fcd50dd9 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -638,6 +638,7 @@ cat assets/optional/kube-state-metrics/kustomization.x86_64.yaml >> %{buildroot} %endif # kube-state-metrics-release-info +mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/kube-state-metrics/release-kube-state-metrics-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ # sriov diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 3a02040ba3..9c0418ee13 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh @@ -1,6 +1,2 @@ #!/bin/bash -x -<<<<<<< HEAD ./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-18-000016" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-19-034904" -======= -./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-14-221055" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-14-225436" ->>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update) From cc962d6626b65625468189f1f83cd5f97e04ee51 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Mon, 22 Jun 2026 11:31:44 -0500 Subject: [PATCH 14/14] resolve merge conflict markers in commits.txt Co-Authored-By: Claude Opus 4.6 --- scripts/auto-rebase/commits.txt | 28 ---------------------------- 1 file changed, 28 deletions(-) 
diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt
index 1bb48b3d86..4eacf45d24 100644
--- a/scripts/auto-rebase/commits.txt
+++ b/scripts/auto-rebase/commits.txt
@@ -1,16 +1,8 @@
-<<<<<<< HEAD
 https://github.com/openshift/api embedded-component 05673ba6e6503fa49f049fb7a85903cb1f7a34ed
 https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component d6dbe6dd6aaed30d36409d8e54adb0c5b60b6744
 https://github.com/openshift/cluster-dns-operator embedded-component 8395f9054f235aec2cd5185019d201146c9827ed
 https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b
 https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 86563261c7e7e4bbbbbf10791fc5065514e4d4de
-=======
-https://github.com/openshift/api embedded-component 992ec954f8b3debeb041fa3f17caf27b264d9fb8
-https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component ed3c0c6b8b1639d8688309c3e999a6f037436d62
-https://github.com/openshift/cluster-dns-operator embedded-component 4556c40798213ee824f76c26bef66865326fe08b
-https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b
-https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 8fe970955c77da87fbbcf2c8f9e0665548185fce
->>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update)
 https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component c35307f04313369c9ba4dcab3308506a3987065e
 https://github.com/openshift/cluster-kube-scheduler-operator embedded-component d43423b583269eea8236040424609c3f108ac9c4
 https://github.com/openshift/cluster-network-operator embedded-component c376140ed1842c6a5f78cb74c55b4b49ba212041
@@ -20,7 +12,6 @@ https://github.com/openshift/csi-external-snapshotter embedded-component e695e2b
 https://github.com/openshift/etcd embedded-component bf6c0094589afdf6c814a28c24f8f1bb5a577816
 https://github.com/openshift/kubernetes embedded-component d8d517e6bbe7cf7359026cac26bb96ea45e18806
 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6
-<<<<<<< HEAD
 https://github.com/openshift/machine-config-operator embedded-component 49eaf75d2e8cf026da563bd708f6f5512facf41a
 https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940
 https://github.com/openshift/operator-framework-olm embedded-component a78cfd39c259a22c104831c6ddf2572801b0f19d
@@ -38,25 +29,6 @@ https://github.com/openshift/oc image-arm64 c639a3143e8d86763c185a5afc6c9b38d24c
 https://github.com/openshift/coredns image-arm64 97f7cc327ab5df7d6da38137b7be338efa9a3551
 https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574
 https://github.com/openshift/router image-arm64 3553702970b094986d91f218e3191487de46e476
-=======
-https://github.com/openshift/machine-config-operator embedded-component 6a2c5c65419c3e9c3028f6bd9344690f48ae837c
-https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940
-https://github.com/openshift/operator-framework-olm embedded-component 3eb13541cac6e2c0110329b37cb5375ddb52ecc0
-https://github.com/openshift/route-controller-manager embedded-component e454c01fbe561cce9973f54b1ddbcdd35a9d18ff
-https://github.com/openshift/service-ca-operator embedded-component 35cf51895f4dc77dca8a709e7635980753f87e17
-https://github.com/openshift/oc image-amd64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2
-https://github.com/openshift/coredns image-amd64 3c21b066c9bd86caa06f790dcd1c046667875d46
-https://github.com/openshift/csi-external-snapshotter image-amd64 e695e2bd0b548afd0fce049d86d4af29dd34e574
-https://github.com/openshift/router image-amd64 ce3479af6677053650d617a8165ce80c1178597c
-https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3
-https://github.com/openshift/ovn-kubernetes image-amd64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c
-https://github.com/openshift/kubernetes image-amd64 d8d517e6bbe7cf7359026cac26bb96ea45e18806
-https://github.com/openshift/service-ca-operator image-amd64 35cf51895f4dc77dca8a709e7635980753f87e17
-https://github.com/openshift/oc image-arm64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2
-https://github.com/openshift/coredns image-arm64 3c21b066c9bd86caa06f790dcd1c046667875d46
-https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574
-https://github.com/openshift/router image-arm64 ce3479af6677053650d617a8165ce80c1178597c
->>>>>>> 73eed7430 (USHIFT-6951: auto-rebase update)
 https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3
 https://github.com/openshift/ovn-kubernetes image-arm64 62baca4832f3aeb3fc7032d38619835c04208c95
 https://github.com/openshift/kubernetes image-arm64 d8d517e6bbe7cf7359026cac26bb96ea45e18806