diff --git a/go.mod b/go.mod index 85c9c24be7..01c485ee96 100644 --- a/go.mod +++ b/go.mod @@ -1,7 +1,6 @@ module sigs.k8s.io/security-profiles-operator go 1.22.7 - toolchain go1.23.2 require ( @@ -23,7 +22,7 @@ require ( github.com/opencontainers/runtime-spec v1.2.0 github.com/openshift/api v0.0.0-20221205111557-f2fbb1d1cd5e github.com/pjbgf/go-apparmor v0.1.3-0.20241107184909-1375e5e7aa89 - github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2 + github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2 github.com/prometheus/client_golang v1.20.5 github.com/prometheus/client_model v0.6.1 github.com/seccomp/libseccomp-golang v0.10.0 diff --git a/go.sum b/go.sum index 45223ff37f..f60ee12752 100644 --- a/go.sum +++ b/go.sum @@ -596,8 +596,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2 h1:BpGDC87A2SaxbKgONsFLEX3kRcRJee2aLQbjXsuz0hA= -github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2/go.mod h1:Rd8YnCqz+2FYsiGmE2DMlaLjQRB4v2jFNnzCt9YY4IM= +github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2 h1:SyoVBXD/r0PntR1rprb90ClI32FSUNOCWqqTatnipHM= +github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2/go.mod h1:SvsRXw4m1F2vk7HquU5h475bFpke27mIUswfyw9u3ug= github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/alertmanager_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/alertmanager_types.go index 5566305fa0..a3e99d5851 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/alertmanager_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/alertmanager_types.go @@ -177,6 +177,14 @@ type AlertmanagerSpec struct { // SecurityContext holds pod-level security attributes and common container settings. // This defaults to the default PodSecurityContext. SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"` + // Defines the DNS policy for the pods. + // + // +optional + DNSPolicy *DNSPolicy `json:"dnsPolicy,omitempty"` + // Defines the DNS configuration for the pods. + // + // +optional + DNSConfig *PodDNSConfig `json:"dnsConfig,omitempty"` // ServiceAccountName is the name of the ServiceAccount to use to run the // Prometheus Pods. ServiceAccountName string `json:"serviceAccountName,omitempty"` @@ -465,9 +473,9 @@ type HTTPConfig struct { // TLS configuration for the client. // +optional TLSConfig *SafeTLSConfig `json:"tlsConfig,omitempty"` - // Optional proxy URL. - // +optional - ProxyURL string `json:"proxyURL,omitempty"` + + ProxyConfig `json:",inline"` + // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. // +optional FollowRedirects *bool `json:"followRedirects,omitempty"` diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/dns_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/dns_types.go new file mode 100644 index 0000000000..a4731458b7 --- /dev/null +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/dns_types.go @@ -0,0 +1,82 @@ +// Copyright 2024 The prometheus-operator Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package v1 + +// PodDNSConfig defines the DNS parameters of a pod in addition to +// those generated from DNSPolicy. +type PodDNSConfig struct { + // A list of DNS name server IP addresses. + // This will be appended to the base nameservers generated from DNSPolicy. + // +kubebuilder:validation:Optional + // +listType:=set + // +kubebuilder:validation:items:MinLength:=1 + Nameservers []string `json:"nameservers,omitempty"` + + // A list of DNS search domains for host-name lookup. + // This will be appended to the base search paths generated from DNSPolicy. + // +kubebuilder:validation:Optional + // +listType:=set + // +kubebuilder:validation:items:MinLength:=1 + Searches []string `json:"searches,omitempty"` + + // A list of DNS resolver options. + // This will be merged with the base options generated from DNSPolicy. + // Resolution options given in Options + // will override those that appear in the base DNSPolicy. + // +kubebuilder:validation:Optional + // +listType=map + // +listMapKey=name + Options []PodDNSConfigOption `json:"options,omitempty"` +} + +// PodDNSConfigOption defines DNS resolver options of a pod. +type PodDNSConfigOption struct { + // Name is required and must be unique. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // Value is optional. + // +kubebuilder:validation:Optional + Value *string `json:"value,omitempty"` +} + +// DNSPolicy specifies the DNS policy for the pod. +// +kubebuilder:validation:Enum=ClusterFirstWithHostNet;ClusterFirst;Default;None +type DNSPolicy string + +const ( + // DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS + // first, if it is available, then fall back on the default + // (as determined by kubelet) DNS settings. + DNSClusterFirstWithHostNet DNSPolicy = "ClusterFirstWithHostNet" + + // DNSClusterFirst indicates that the pod should use cluster DNS + // first unless hostNetwork is true, if it is available, then + // fall back on the default (as determined by kubelet) DNS settings. + DNSClusterFirst DNSPolicy = "ClusterFirst" + + // DNSDefault indicates that the pod should use the default (as + // determined by kubelet) DNS settings. + DNSDefault DNSPolicy = "Default" + + // DNSNone indicates that the pod should use empty DNS settings. DNS + // parameters such as nameservers and search paths should be defined via + // DNSConfig. + DNSNone DNSPolicy = "None" +) + +const ( +// DefaultTerminationGracePeriodSeconds indicates the default duration in +// seconds a pod needs to terminate gracefully. +) diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/podmonitor_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/podmonitor_types.go index 5a3ced2f91..a6e2c1605d 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/podmonitor_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/podmonitor_types.go @@ -123,6 +123,9 @@ type PodMonitorSpec struct { // // +optional LabelValueLengthLimit *uint64 `json:"labelValueLengthLimit,omitempty"` + + NativeHistogramConfig `json:",inline"` + // Per-scrape limit on the number of targets dropped by relabeling // that will be kept in memory. 0 means no limit. // diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/probe_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/probe_types.go index 203f720752..16c927ad60 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/probe_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/probe_types.go @@ -112,6 +112,8 @@ type ProbeSpec struct { // Only valid in Prometheus versions 2.27.0 and newer. // +optional LabelValueLengthLimit *uint64 `json:"labelValueLengthLimit,omitempty"` + + NativeHistogramConfig `json:",inline"` // Per-scrape limit on the number of targets dropped by relabeling // that will be kept in memory. 0 means no limit. // diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheus_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheus_types.go index b3baf2482d..406613435e 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheus_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheus_types.go @@ -41,6 +41,15 @@ const ( // +kubebuilder:validation:Enum=PrometheusProto;OpenMetricsText0.0.1;OpenMetricsText1.0.0;PrometheusText0.0.4 type ScrapeProtocol string +// RuntimeConfig configures the values for the process behavior. +type RuntimeConfig struct { + // The Go garbage collection target percentage. Lowering this number may increase the CPU usage. + // See: https://tip.golang.org/doc/gc-guide#GOGC + // +optional + // +kubebuilder:validation:Minimum=-1 + GoGC *int32 `json:"goGC,omitempty"` +} + // PrometheusInterface is used by Prometheus and PrometheusAgent to share common methods, e.g. config generation. // +k8s:deepcopy-gen=false type PrometheusInterface interface { @@ -298,6 +307,16 @@ type CommonPrometheusFields struct { // It requires Prometheus >= v2.33.0. EnableRemoteWriteReceiver bool `json:"enableRemoteWriteReceiver,omitempty"` + // List of the protobuf message versions to accept when receiving the + // remote writes. + // + // It requires Prometheus >= v2.54.0. + // + // +kubebuilder:validation:MinItems=1 + // +listType:=set + // +optional + RemoteWriteReceiverMessageVersions []RemoteWriteMessageVersion `json:"remoteWriteReceiverMessageVersions,omitempty"` + // Enable access to Prometheus feature flags. By default, no features are enabled. // // Enabling features which are disabled by default is entirely outside the @@ -391,11 +410,25 @@ type CommonPrometheusFields struct { // +optional RemoteWrite []RemoteWriteSpec `json:"remoteWrite,omitempty"` + // Settings related to the OTLP receiver feature. + // It requires Prometheus >= v2.55.0. + // + // +optional + OTLP *OTLPConfig `json:"otlp,omitempty"` + // SecurityContext holds pod-level security attributes and common container settings. // This defaults to the default PodSecurityContext. // +optional SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"` + // Defines the DNS policy for the pods. + // + // +optional + DNSPolicy *DNSPolicy `json:"dnsPolicy,omitempty"` + // Defines the DNS configuration for the pods. + // + // +optional + DNSConfig *PodDNSConfig `json:"dnsConfig,omitempty"` // When true, the Prometheus server listens on the loopback address // instead of the Pod IP's address. ListenLocal bool `json:"listenLocal,omitempty"` @@ -677,7 +710,8 @@ type CommonPrometheusFields struct { // it (https://kubernetes.io/docs/concepts/configuration/overview/). // // When hostNetwork is enabled, this will set the DNS policy to - // `ClusterFirstWithHostNet` automatically. + // `ClusterFirstWithHostNet` automatically (unless `.spec.DNSPolicy` is set + // to a different value). HostNetwork bool `json:"hostNetwork,omitempty"` // PodTargetLabels are appended to the `spec.podTargetLabels` field of all @@ -781,6 +815,12 @@ type CommonPrometheusFields struct { // // +optional ServiceDiscoveryRole *ServiceDiscoveryRole `json:"serviceDiscoveryRole,omitempty"` + + // Defines the runtime reloadable configuration of the timeseries database(TSDB). + // It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. + // + // +optional + TSDB *TSDBSpec `json:"tsdb,omitempty"` } // +kubebuilder:validation:Enum=HTTP;ProcessSignal @@ -879,6 +919,10 @@ func (l *PrometheusList) DeepCopyObject() runtime.Object { type PrometheusSpec struct { CommonPrometheusFields `json:",inline"` + // RuntimeConfig configures the values for the Prometheus process behavior + // +optional + Runtime *RuntimeConfig `json:"runtime,omitempty"` + // Deprecated: use 'spec.image' instead. BaseImage string `json:"baseImage,omitempty"` // Deprecated: use 'spec.image' instead. The image's tag can be specified as part of the image name. @@ -993,6 +1037,11 @@ type PrometheusSpec struct { // +kubebuilder:default:="30s" EvaluationInterval Duration `json:"evaluationInterval,omitempty"` + // Defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past. + // It requires Prometheus >= v2.53.0. + // +optional + RuleQueryOffset *Duration `json:"ruleQueryOffset,omitempty"` + // Enables access to the Prometheus web admin API. // // WARNING: Enabling the admin APIs enables mutating endpoints, to delete data, @@ -1003,10 +1052,6 @@ type PrometheusSpec struct { // For more information: // https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis EnableAdminAPI bool `json:"enableAdminAPI,omitempty"` - - // Defines the runtime reloadable configuration of the timeseries database - // (TSDB). - TSDB TSDBSpec `json:"tsdb,omitempty"` } type PrometheusTracingConfig struct { @@ -1303,6 +1348,8 @@ type ThanosSpec struct { // +k8s:openapi-gen=true type RemoteWriteSpec struct { // The URL of the endpoint to send samples to. + // +kubebuilder:validation:MinLength=1 + // +required URL string `json:"url"` // The name of the remote write queue, it must be unique if specified. The @@ -1310,10 +1357,27 @@ type RemoteWriteSpec struct { // // It requires Prometheus >= v2.15.0. // - Name string `json:"name,omitempty"` + //+optional + Name *string `json:"name,omitempty"` + + // The Remote Write message's version to use when writing to the endpoint. + // + // `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. + // `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. + // + // When `Version2.0` is selected, Prometheus will automatically be + // configured to append the metadata of scraped metrics to the WAL. + // + // Before setting this field, consult with your remote storage provider + // what message version it supports. + // + // It requires Prometheus >= v2.54.0. + // + // +optional + MessageVersion *RemoteWriteMessageVersion `json:"messageVersion,omitempty"` // Enables sending of exemplars over remote write. Note that - // exemplar-storage itself must be enabled using the `spec.enableFeature` + // exemplar-storage itself must be enabled using the `spec.enableFeatures` // option for exemplars to be scraped in the first place. // // It requires Prometheus >= v2.27.0. @@ -1330,7 +1394,8 @@ type RemoteWriteSpec struct { SendNativeHistograms *bool `json:"sendNativeHistograms,omitempty"` // Timeout for requests to the remote write endpoint. - RemoteTimeout Duration `json:"remoteTimeout,omitempty"` + // +optional + RemoteTimeout *Duration `json:"remoteTimeout,omitempty"` // Custom HTTP headers to be sent along with each remote write request. // Be aware that headers that are set by Prometheus itself can't be overwritten. @@ -1351,16 +1416,19 @@ type RemoteWriteSpec struct { // Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`. // +optional OAuth2 *OAuth2 `json:"oauth2,omitempty"` + // BasicAuth configuration for the URL. // // Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`. // // +optional BasicAuth *BasicAuth `json:"basicAuth,omitempty"` + // File from which to read bearer token for the URL. // // Deprecated: this will be removed in a future release. Prefer using `authorization`. BearerTokenFile string `json:"bearerTokenFile,omitempty"` + // Authorization section for the URL. // // It requires Prometheus >= v2.26.0. @@ -1369,6 +1437,7 @@ type RemoteWriteSpec struct { // // +optional Authorization *Authorization `json:"authorization,omitempty"` + // Sigv4 allows to configures AWS's Signature Verification 4 for the URL. // // It requires Prometheus >= v2.26.0. @@ -1421,6 +1490,16 @@ type RemoteWriteSpec struct { EnableHttp2 *bool `json:"enableHTTP2,omitempty"` } +// +kubebuilder:validation:Enum=V1.0;V2.0 +type RemoteWriteMessageVersion string + +const ( + // Remote Write message's version 1.0. + RemoteWriteMessageVersion1_0 = RemoteWriteMessageVersion("V1.0") + // Remote Write message's version 2.0. + RemoteWriteMessageVersion2_0 = RemoteWriteMessageVersion("V2.0") +) + // QueueConfig allows the tuning of remote write's queue_config parameters. // This object is referenced in the RemoteWriteSpec object. // +k8s:openapi-gen=true @@ -1558,7 +1637,8 @@ type RemoteReadSpec struct { RequiredMatchers map[string]string `json:"requiredMatchers,omitempty"` // Timeout for requests to the remote read endpoint. - RemoteTimeout Duration `json:"remoteTimeout,omitempty"` + // +optional + RemoteTimeout *Duration `json:"remoteTimeout,omitempty"` // Custom HTTP headers to be sent along with each remote read request. // Be aware that headers that are set by Prometheus itself can't be overwritten. @@ -1875,8 +1955,9 @@ type TSDBSpec struct { // This is an *experimental feature*, it may change in any upcoming release // in a breaking way. // - // It requires Prometheus >= v2.39.0. - OutOfOrderTimeWindow Duration `json:"outOfOrderTimeWindow,omitempty"` + // It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. + // +optional + OutOfOrderTimeWindow *Duration `json:"outOfOrderTimeWindow,omitempty"` } type Exemplars struct { @@ -2011,3 +2092,16 @@ type ScrapeClass struct { // +optional AttachMetadata *AttachMetadata `json:"attachMetadata,omitempty"` } + +// OTLPConfig is the configuration for writing to the OTLP endpoint. +// +// +k8s:openapi-gen=true +type OTLPConfig struct { + // List of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none. + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:items:MinLength=1 + // +listType=set + // +optional + PromoteResourceAttributes []string `json:"promoteResourceAttributes,omitempty"` +} diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheusrule_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheusrule_types.go index f0a1cf4b18..b321bafc3d 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheusrule_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/prometheusrule_types.go @@ -66,6 +66,12 @@ type RuleGroup struct { // Interval determines how often rules in the group are evaluated. // +optional Interval *Duration `json:"interval,omitempty"` + // Defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past. + // + // It requires Prometheus >= v2.53.0. + // It is not supported for ThanosRuler. + // +optional + QueryOffset *Duration `json:"query_offset,omitempty"` // List of alerting and recording rules. // +optional Rules []Rule `json:"rules,omitempty"` diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/servicemonitor_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/servicemonitor_types.go index 2b977a33e5..0b40e4a9ea 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/servicemonitor_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/servicemonitor_types.go @@ -128,6 +128,9 @@ type ServiceMonitorSpec struct { // // +optional LabelValueLengthLimit *uint64 `json:"labelValueLengthLimit,omitempty"` + + NativeHistogramConfig `json:",inline"` + // Per-scrape limit on the number of targets dropped by relabeling // that will be kept in memory. 0 means no limit. // diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/thanos_types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/thanos_types.go index 14908da1ad..e25590d2eb 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/thanos_types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/thanos_types.go @@ -110,6 +110,15 @@ type ThanosRulerSpec struct { // SecurityContext holds pod-level security attributes and common container settings. // This defaults to the default PodSecurityContext. SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"` + // Defines the DNS policy for the pods. + // + // +optional + DNSPolicy *DNSPolicy `json:"dnsPolicy,omitempty"` + // Defines the DNS configuration for the pods. + // + // +optional + DNSConfig *PodDNSConfig `json:"dnsConfig,omitempty"` + // Priority class assigned to the Pods PriorityClassName string `json:"priorityClassName,omitempty"` // ServiceAccountName is the name of the ServiceAccount to use to run the @@ -296,7 +305,7 @@ type ThanosRulerStatus struct { AvailableReplicas int32 `json:"availableReplicas"` // Total number of unavailable pods targeted by this ThanosRuler deployment. UnavailableReplicas int32 `json:"unavailableReplicas"` - // The current state of the Alertmanager object. + // The current state of the ThanosRuler object. // +listType=map // +listMapKey=type // +optional diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/types.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/types.go index 62d6e29fa2..6d43b90c79 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/types.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/types.go @@ -17,9 +17,11 @@ package v1 import ( "errors" "fmt" + "reflect" "strings" v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/intstr" @@ -80,7 +82,6 @@ type PrometheusRuleExcludeConfig struct { type ProxyConfig struct { // `proxyURL` defines the HTTP proxy server to use. // - // It requires Prometheus >= v2.43.0. // +kubebuilder:validation:Pattern:="^http(s)?://.+$" // +optional ProxyURL *string `json:"proxyUrl,omitempty"` @@ -88,24 +89,67 @@ type ProxyConfig struct { // that should be excluded from proxying. IP and domain names can // contain port numbers. // - // It requires Prometheus >= v2.43.0. + // It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0. // +optional NoProxy *string `json:"noProxy,omitempty"` // Whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - // If unset, Prometheus uses its default value. // - // It requires Prometheus >= v2.43.0. + // It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0. // +optional ProxyFromEnvironment *bool `json:"proxyFromEnvironment,omitempty"` // ProxyConnectHeader optionally specifies headers to send to // proxies during CONNECT requests. // - // It requires Prometheus >= v2.43.0. + // It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0. // +optional // +mapType:=atomic ProxyConnectHeader map[string][]v1.SecretKeySelector `json:"proxyConnectHeader,omitempty"` } +// Validate semantically validates the given ProxyConfig. +func (pc *ProxyConfig) Validate() error { + if pc == nil { + return nil + } + + if reflect.ValueOf(pc).IsZero() { + return nil + } + + proxyFromEnvironmentDefined := pc.ProxyFromEnvironment != nil && *pc.ProxyFromEnvironment + proxyURLDefined := pc.ProxyURL != nil && *pc.ProxyURL != "" + noProxyDefined := pc.NoProxy != nil && *pc.NoProxy != "" + + if len(pc.ProxyConnectHeader) > 0 && (!proxyFromEnvironmentDefined && !proxyURLDefined) { + return fmt.Errorf("if proxyConnectHeader is configured, proxyUrl or proxyFromEnvironment must also be configured") + } + + if proxyFromEnvironmentDefined && proxyURLDefined { + return fmt.Errorf("if proxyFromEnvironment is configured, proxyUrl must not be configured") + } + + if proxyFromEnvironmentDefined && noProxyDefined { + return fmt.Errorf("if proxyFromEnvironment is configured, noProxy must not be configured") + } + + if !proxyURLDefined && noProxyDefined { + return fmt.Errorf("if noProxy is configured, proxyUrl must also be configured") + } + + for k, v := range pc.ProxyConnectHeader { + if len(v) == 0 { + return fmt.Errorf("proxyConnetHeader[%s]: selector must not be empty", k) + } + for i, sel := range v { + if sel == (v1.SecretKeySelector{}) { + return fmt.Errorf("proxyConnectHeader[%s][%d]: selector must be defined", k, i) + } + } + } + + return nil +} + // ObjectReference references a PodMonitor, ServiceMonitor, Probe or PrometheusRule object. type ObjectReference struct { // Group of the referent. When not specified, it defaults to `monitoring.coreos.com` @@ -315,16 +359,16 @@ type WebHTTPHeaders struct { // WebTLSConfig defines the TLS parameters for HTTPS. // +k8s:openapi-gen=true type WebTLSConfig struct { - // Secret containing the TLS key for the server. - KeySecret v1.SecretKeySelector `json:"keySecret"` // Contains the TLS certificate for the server. - Cert SecretOrConfigMap `json:"cert"` + Cert SecretOrConfigMap `json:"cert,omitempty"` + // Contains the CA certificate for client certificate authentication to the server. + ClientCA SecretOrConfigMap `json:"client_ca,omitempty"` + // Secret containing the TLS key for the server. + KeySecret v1.SecretKeySelector `json:"keySecret,omitempty"` // Server policy for client authentication. Maps to ClientAuth Policies. // For more detail on clientAuth options: // https://golang.org/pkg/crypto/tls/#ClientAuthType ClientAuthType string `json:"clientAuthType,omitempty"` - // Contains the CA certificate for client certificate authentication to the server. - ClientCA SecretOrConfigMap `json:"client_ca,omitempty"` // Minimum TLS version that is acceptable. Defaults to TLS12. MinVersion string `json:"minVersion,omitempty"` // Maximum TLS version that is acceptable. Defaults to TLS13. @@ -342,10 +386,19 @@ type WebTLSConfig struct { // order. Available curves are documented in the go documentation: // https://golang.org/pkg/crypto/tls/#CurveID CurvePreferences []string `json:"curvePreferences,omitempty"` + // Path to the TLS key file in the Prometheus container for the server. + // Mutually exclusive with `keySecret`. + KeyFile string `json:"keyFile,omitempty"` + // Path to the TLS certificate file in the Prometheus container for the server. + // Mutually exclusive with `cert`. + CertFile string `json:"certFile,omitempty"` + // Path to the CA certificate file for client certificate authentication to the server. + // Mutually exclusive with `client_ca`. + ClientCAFile string `json:"clientCAFile,omitempty"` } // Validate returns an error if one of the WebTLSConfig fields is invalid. -// A valid WebTLSConfig should have Cert and KeySecret fields which are not +// A valid WebTLSConfig should have (Cert or CertFile) and (KeySecret or KeyFile) fields which are not // zero values. func (c *WebTLSConfig) Validate() error { if c == nil { @@ -353,21 +406,39 @@ func (c *WebTLSConfig) Validate() error { } if c.ClientCA != (SecretOrConfigMap{}) { + if c.ClientCAFile != "" { + return errors.New("cannot specify both clientCAFile and clientCA") + } + if err := c.ClientCA.Validate(); err != nil { - return fmt.Errorf("client CA: %w", err) + return fmt.Errorf("invalid web tls config: %s", err.Error()) } } - if c.Cert == (SecretOrConfigMap{}) { - return errors.New("TLS cert must be defined") - } else if err := c.Cert.Validate(); err != nil { - return fmt.Errorf("TLS cert: %w", err) + if c.Cert != (SecretOrConfigMap{}) { + if c.CertFile != "" { + return errors.New("cannot specify both cert and certFile") + } + if err := c.Cert.Validate(); err != nil { + return fmt.Errorf("invalid web tls config: %s", err.Error()) + } } - if c.KeySecret == (v1.SecretKeySelector{}) { + if c.KeyFile != "" && c.KeySecret != (v1.SecretKeySelector{}) { + return errors.New("cannot specify both keyFile and keySecret") + } + + hasCert := c.CertFile != "" || c.Cert != (SecretOrConfigMap{}) + hasKey := c.KeyFile != "" || c.KeySecret != (v1.SecretKeySelector{}) + + if !hasKey { return errors.New("TLS key must be defined") } + if !hasCert { + return errors.New("TLS certificate must be defined") + } + return nil } @@ -578,7 +649,6 @@ type OAuth2 struct { // Proxy configuration to use when connecting to the OAuth2 server. // It requires Prometheus >= v2.43.0. - // It is not supported yet for Alertmanager. // // +optional ProxyConfig `json:",inline"` @@ -836,3 +906,27 @@ const ( RoleEndpointSlice = "endpointslice" RoleIngress = "ingress" ) + +// NativeHistogramConfig extends the native histogram configuration settings. +// +k8s:openapi-gen=true +type NativeHistogramConfig struct { + // Whether to scrape a classic histogram that is also exposed as a native histogram. + // It requires Prometheus >= v2.45.0. + // + // +optional + ScrapeClassicHistograms *bool `json:"scrapeClassicHistograms,omitempty"` + + // If there are more than this many buckets in a native histogram, + // buckets will be merged to stay within the limit. + // It requires Prometheus >= v2.45.0. + // + // +optional + NativeHistogramBucketLimit *uint64 `json:"nativeHistogramBucketLimit,omitempty"` + + // If the growth factor of one bucket to the next is smaller than this, + // buckets will be merged to increase the factor sufficiently. + // It requires Prometheus >= v2.50.0. + // + // +optional + NativeHistogramMinBucketFactor *resource.Quantity `json:"nativeHistogramMinBucketFactor,omitempty"` +} diff --git a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/zz_generated.deepcopy.go b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/zz_generated.deepcopy.go index bf72f1451f..43d2e9b837 100644 --- a/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1/zz_generated.deepcopy.go @@ -356,6 +356,16 @@ func (in *AlertmanagerSpec) DeepCopyInto(out *AlertmanagerSpec) { *out = new(corev1.PodSecurityContext) (*in).DeepCopyInto(*out) } + if in.DNSPolicy != nil { + in, out := &in.DNSPolicy, &out.DNSPolicy + *out = new(DNSPolicy) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(PodDNSConfig) + (*in).DeepCopyInto(*out) + } if in.Containers != nil { in, out := &in.Containers, &out.Containers *out = make([]corev1.Container, len(*in)) @@ -742,6 +752,11 @@ func (in *CommonPrometheusFields) DeepCopyInto(out *CommonPrometheusFields) { (*out)[key] = val } } + if in.RemoteWriteReceiverMessageVersions != nil { + in, out := &in.RemoteWriteReceiverMessageVersions, &out.RemoteWriteReceiverMessageVersions + *out = make([]RemoteWriteMessageVersion, len(*in)) + copy(*out, *in) + } if in.EnableFeatures != nil { in, out := &in.EnableFeatures, &out.EnableFeatures *out = make([]EnableFeature, len(*in)) @@ -825,11 +840,26 @@ func (in *CommonPrometheusFields) DeepCopyInto(out *CommonPrometheusFields) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.OTLP != nil { + in, out := &in.OTLP, &out.OTLP + *out = new(OTLPConfig) + (*in).DeepCopyInto(*out) + } if in.SecurityContext != nil { in, out := &in.SecurityContext, &out.SecurityContext *out = new(corev1.PodSecurityContext) (*in).DeepCopyInto(*out) } + if in.DNSPolicy != nil { + in, out := &in.DNSPolicy, &out.DNSPolicy + *out = new(DNSPolicy) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(PodDNSConfig) + (*in).DeepCopyInto(*out) + } if in.Containers != nil { in, out := &in.Containers, &out.Containers *out = make([]corev1.Container, len(*in)) @@ -979,6 +1009,11 @@ func (in *CommonPrometheusFields) DeepCopyInto(out *CommonPrometheusFields) { *out = new(ServiceDiscoveryRole) **out = **in } + if in.TSDB != nil { + in, out := &in.TSDB, &out.TSDB + *out = new(TSDBSpec) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonPrometheusFields. @@ -1303,6 +1338,7 @@ func (in *HTTPConfig) DeepCopyInto(out *HTTPConfig) { *out = new(SafeTLSConfig) (*in).DeepCopyInto(*out) } + in.ProxyConfig.DeepCopyInto(&out.ProxyConfig) if in.FollowRedirects != nil { in, out := &in.FollowRedirects, &out.FollowRedirects *out = new(bool) @@ -1405,6 +1441,36 @@ func (in *NamespaceSelector) DeepCopy() *NamespaceSelector { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NativeHistogramConfig) DeepCopyInto(out *NativeHistogramConfig) { + *out = *in + if in.ScrapeClassicHistograms != nil { + in, out := &in.ScrapeClassicHistograms, &out.ScrapeClassicHistograms + *out = new(bool) + **out = **in + } + if in.NativeHistogramBucketLimit != nil { + in, out := &in.NativeHistogramBucketLimit, &out.NativeHistogramBucketLimit + *out = new(uint64) + **out = **in + } + if in.NativeHistogramMinBucketFactor != nil { + in, out := &in.NativeHistogramMinBucketFactor, &out.NativeHistogramMinBucketFactor + x := (*in).DeepCopy() + *out = &x + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NativeHistogramConfig. +func (in *NativeHistogramConfig) DeepCopy() *NativeHistogramConfig { + if in == nil { + return nil + } + out := new(NativeHistogramConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuth2) DeepCopyInto(out *OAuth2) { *out = *in @@ -1455,6 +1521,26 @@ func (in *OAuth2ValidationError) DeepCopy() *OAuth2ValidationError { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OTLPConfig) DeepCopyInto(out *OTLPConfig) { + *out = *in + if in.PromoteResourceAttributes != nil { + in, out := &in.PromoteResourceAttributes, &out.PromoteResourceAttributes + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OTLPConfig. +func (in *OTLPConfig) DeepCopy() *OTLPConfig { + if in == nil { + return nil + } + out := new(OTLPConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { *out = *in @@ -1470,6 +1556,58 @@ func (in *ObjectReference) DeepCopy() *ObjectReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodDNSConfig) DeepCopyInto(out *PodDNSConfig) { + *out = *in + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Searches != nil { + in, out := &in.Searches, &out.Searches + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make([]PodDNSConfigOption, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDNSConfig. +func (in *PodDNSConfig) DeepCopy() *PodDNSConfig { + if in == nil { + return nil + } + out := new(PodDNSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodDNSConfigOption) DeepCopyInto(out *PodDNSConfigOption) { + *out = *in + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDNSConfigOption. +func (in *PodDNSConfigOption) DeepCopy() *PodDNSConfigOption { + if in == nil { + return nil + } + out := new(PodDNSConfigOption) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PodMetricsEndpoint) DeepCopyInto(out *PodMetricsEndpoint) { *out = *in @@ -1664,6 +1802,7 @@ func (in *PodMonitorSpec) DeepCopyInto(out *PodMonitorSpec) { *out = new(uint64) **out = **in } + in.NativeHistogramConfig.DeepCopyInto(&out.NativeHistogramConfig) if in.KeepDroppedTargets != nil { in, out := &in.KeepDroppedTargets, &out.KeepDroppedTargets *out = new(uint64) @@ -1805,6 +1944,7 @@ func (in *ProbeSpec) DeepCopyInto(out *ProbeSpec) { *out = new(uint64) **out = **in } + in.NativeHistogramConfig.DeepCopyInto(&out.NativeHistogramConfig) if in.KeepDroppedTargets != nil { in, out := &in.KeepDroppedTargets, &out.KeepDroppedTargets *out = new(uint64) @@ -2074,6 +2214,11 @@ func (in *PrometheusRuleSpec) DeepCopy() *PrometheusRuleSpec { func (in *PrometheusSpec) DeepCopyInto(out *PrometheusSpec) { *out = *in in.CommonPrometheusFields.DeepCopyInto(&out.CommonPrometheusFields) + if in.Runtime != nil { + in, out := &in.Runtime, &out.Runtime + *out = new(RuntimeConfig) + (*in).DeepCopyInto(*out) + } out.Rules = in.Rules if in.PrometheusRulesExcludedFromEnforce != nil { in, out := &in.PrometheusRulesExcludedFromEnforce, &out.PrometheusRulesExcludedFromEnforce @@ -2127,7 +2272,11 @@ func (in *PrometheusSpec) DeepCopyInto(out *PrometheusSpec) { *out = new(Exemplars) (*in).DeepCopyInto(*out) } - out.TSDB = in.TSDB + if in.RuleQueryOffset != nil { + in, out := &in.RuleQueryOffset, &out.RuleQueryOffset + *out = new(Duration) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusSpec. @@ -2403,6 +2552,11 @@ func (in *RemoteReadSpec) DeepCopyInto(out *RemoteReadSpec) { (*out)[key] = val } } + if in.RemoteTimeout != nil { + in, out := &in.RemoteTimeout, &out.RemoteTimeout + *out = new(Duration) + **out = **in + } if in.Headers != nil { in, out := &in.Headers, &out.Headers *out = make(map[string]string, len(*in)) @@ -2456,6 +2610,16 @@ func (in *RemoteReadSpec) DeepCopy() *RemoteReadSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RemoteWriteSpec) DeepCopyInto(out *RemoteWriteSpec) { *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.MessageVersion != nil { + in, out := &in.MessageVersion, &out.MessageVersion + *out = new(RemoteWriteMessageVersion) + **out = **in + } if in.SendExemplars != nil { in, out := &in.SendExemplars, &out.SendExemplars *out = new(bool) @@ -2466,6 +2630,11 @@ func (in *RemoteWriteSpec) DeepCopyInto(out *RemoteWriteSpec) { *out = new(bool) **out = **in } + if in.RemoteTimeout != nil { + in, out := &in.RemoteTimeout, &out.RemoteTimeout + *out = new(Duration) + **out = **in + } if in.Headers != nil { in, out := &in.Headers, &out.Headers *out = make(map[string]string, len(*in)) @@ -2591,6 +2760,11 @@ func (in *RuleGroup) DeepCopyInto(out *RuleGroup) { *out = new(Duration) **out = **in } + if in.QueryOffset != nil { + in, out := &in.QueryOffset, &out.QueryOffset + *out = new(Duration) + **out = **in + } if in.Rules != nil { in, out := &in.Rules, &out.Rules *out = make([]Rule, len(*in)) @@ -2646,6 +2820,26 @@ func (in *RulesAlert) DeepCopy() *RulesAlert { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuntimeConfig) DeepCopyInto(out *RuntimeConfig) { + *out = *in + if in.GoGC != nil { + in, out := &in.GoGC, &out.GoGC + *out = new(int32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeConfig. +func (in *RuntimeConfig) DeepCopy() *RuntimeConfig { + if in == nil { + return nil + } + out := new(RuntimeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SafeAuthorization) DeepCopyInto(out *SafeAuthorization) { *out = *in @@ -2875,6 +3069,7 @@ func (in *ServiceMonitorSpec) DeepCopyInto(out *ServiceMonitorSpec) { *out = new(uint64) **out = **in } + in.NativeHistogramConfig.DeepCopyInto(&out.NativeHistogramConfig) if in.KeepDroppedTargets != nil { in, out := &in.KeepDroppedTargets, &out.KeepDroppedTargets *out = new(uint64) @@ -2992,6 +3187,11 @@ func (in *TLSConfig) DeepCopy() *TLSConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TSDBSpec) DeepCopyInto(out *TSDBSpec) { *out = *in + if in.OutOfOrderTimeWindow != nil { + in, out := &in.OutOfOrderTimeWindow, &out.OutOfOrderTimeWindow + *out = new(Duration) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TSDBSpec. @@ -3101,6 +3301,16 @@ func (in *ThanosRulerSpec) DeepCopyInto(out *ThanosRulerSpec) { *out = new(corev1.PodSecurityContext) (*in).DeepCopyInto(*out) } + if in.DNSPolicy != nil { + in, out := &in.DNSPolicy, &out.DNSPolicy + *out = new(DNSPolicy) + **out = **in + } + if in.DNSConfig != nil { + in, out := &in.DNSConfig, &out.DNSConfig + *out = new(PodDNSConfig) + (*in).DeepCopyInto(*out) + } if in.Storage != nil { in, out := &in.Storage, &out.Storage *out = new(StorageSpec) @@ -3450,9 +3660,9 @@ func (in *WebHTTPHeaders) DeepCopy() *WebHTTPHeaders { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebTLSConfig) DeepCopyInto(out *WebTLSConfig) { *out = *in - in.KeySecret.DeepCopyInto(&out.KeySecret) in.Cert.DeepCopyInto(&out.Cert) in.ClientCA.DeepCopyInto(&out.ClientCA) + in.KeySecret.DeepCopyInto(&out.KeySecret) if in.CipherSuites != nil { in, out := &in.CipherSuites, &out.CipherSuites *out = make([]string, len(*in)) diff --git a/vendor/modules.txt b/vendor/modules.txt index 7e81998b25..1b4bd31bae 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -993,8 +993,8 @@ github.com/pkg/errors # github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 ## explicit github.com/pmezard/go-difflib/difflib -# github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2 -## explicit; go 1.22.0 +# github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2 +## explicit; go 1.23 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1 # github.com/prometheus/client_golang v1.20.5