[kube-prometheus-stack] Add prometheusOperator.admissionWebhooks.name…

…spaceSelector

Signed-off-by: Jan-Otto Kröpke <[email protected]>

charts/kube-prometheus-stack/Chart.yaml

@@ -21,7 +21,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 55.4.0
+version: 55.5.0
 appVersion: v0.70.0
 kubeVersion: ">=1.19.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus

charts/kube-prometheus-stack/ci/03-non-defaults-values.yaml

@@ -7,6 +7,19 @@ defaultRules:
     kubernetesSystem:
       key2: value2
 
+prometheusOperator:
+  denyNamespaces:
+    - kube-system
+  admissionWebhooks:
+    namespaceSelector:
+      matchLabels:
+        key: value
+      matchExpressions:
+      - key: control-plane
+        operator: NotIn
+        values:
+        - "true"
+
 alertmanager:
   alertmanagerSpec:
     additionalConfig:

charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -43,17 +43,24 @@ webhooks:
     timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
     namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
       matchExpressions:
-      {{- if .Values.prometheusOperator.denyNamespaces }}
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
+        {{- toYaml . | nindent 6 }}
+        {{- end }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
       - key: kubernetes.io/metadata.name
         operator: NotIn
         values:
         {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} 
         - {{ $namespace }}
         {{- end }}
-      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
       - key: kubernetes.io/metadata.name
         operator: In
         values:
@@ -64,6 +71,7 @@ webhooks:
         {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} 
         - {{ $namespace }}
         {{- end }}
+        {{- end }}
       {{- end }}
     {{- end }}
 {{- end }}

charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml

@@ -43,26 +43,34 @@ webhooks:
     timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
     admissionReviewVersions: ["v1", "v1beta1"]
     sideEffects: None
-    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces }}
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
     namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
       matchExpressions:
-      {{- if .Values.prometheusOperator.denyNamespaces }}
-      - key: kubernetes.io/metadata.name
-        operator: NotIn
-        values:
-        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }} 
-        - {{ $namespace }}
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
+            - {{ $namespace }}
         {{- end }}
-      {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
-      - key: kubernetes.io/metadata.name
-        operator: In
-        values:
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
         {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
         {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
-        - {{ $namespace }}
+            - {{ $namespace }}
+        {{- end }}
+        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
+            - {{ $namespace }}
         {{- end }}
-        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }} 
-        - {{ $namespace }}
         {{- end }}
       {{- end }}
     {{- end }}

charts/kube-prometheus-stack/values.yaml

@@ -2087,6 +2087,8 @@ prometheusOperator:
     #   argocd.argoproj.io/hook: PreSync
     #   argocd.argoproj.io/hook-delete-policy: HookSucceeded
 
+    namespaceSelector: {}
+
     deployment:
       enabled: false