From b8120ec017a6c998074f35129611bf2a5308e480 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 21:26:25 +0000 Subject: [PATCH] chore: Update manifests after change --- .../ClusterRole-grafana-operator.yaml | 19 +- .../ClusterRoleBinding-grafana-operator.yaml | 4 +- ...tion-grafanas.grafana.integreatly.org.yaml | 817 ++++++++++++++++-- .../Deployment-grafana-operator.yaml | 10 +- .../Role-grafana-operator-leases.yaml | 4 +- .../RoleBinding-grafana-operator-leases.yaml | 4 +- ...vice-grafana-operator-metrics-service.yaml | 4 +- .../ServiceAccount-grafana-operator.yaml | 4 +- .../ServiceMonitor-grafana-operator.yaml | 4 +- 9 files changed, 754 insertions(+), 116 deletions(-) diff --git a/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml index 2eafe778e..9edffa8d4 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: name: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator @@ -27,6 +27,14 @@ rules: - patch - update - watch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch - apiGroups: - apps resources: @@ -39,13 +47,6 @@ rules: - patch - update - watch - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch - apiGroups: - gateway.networking.k8s.io resources: 
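Review bot: The relocated events rule in the ClusterRole hunk at -27 is not a pure move: the added block lists both `""` (core) and `events.k8s.io` under `apiGroups`, where the block removed at -39 listed only `events.k8s.io`. The ClusterRole therefore now also grants cluster-wide `create`/`patch` on core-group events. That is a small privilege expansion arriving in a bot-authored "chore" commit next to the chart bump from 5.22.0 to 5.22.1; presumably it comes from the upstream chart, which is worth confirming against its release notes before merge. Since the manifest is rendered output, record the reason in the commit description rather than in the file, e.g. `RBAC: events create/patch extended to the core API group (chart 5.22.1)`. The `rules` list starts and continues outside these hunks.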
diff --git a/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml index fd0cdfd6b..ff3a24304 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml @@ -3,10 +3,10 @@ kind: ClusterRoleBinding metadata: name: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator diff --git a/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml b/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml index b06ce20bc..bafcef524 100644 --- a/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml @@ -4094,6 +4094,7 @@ spec: type: string maxItems: 16 type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -4312,6 +4313,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic rules: description: |- Rules are a list of HTTP matchers, filters and actions. @@ -4403,8 +4405,8 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. - - + + properties: cors: description: |- 
@@ -4412,31 +4414,27 @@ spec: cross-origin request based on HTTP response header. Support: Extended - - properties: allowCredentials: description: |- AllowCredentials indicates whether the actual cross-origin request allows to include credentials. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). Support: Extended - enum: - - true type: boolean allowHeaders: description: |- AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -4455,18 +4453,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -4490,6 +4491,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -4498,7 +4502,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -4518,18 +4522,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is specified and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -4595,10 +4602,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is specified and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -4608,19 +4624,21 @@ spec: Support: Extended items: description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or IP address as the host. - The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. maxLength: 253 minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside other origins + rule: '!(''*'' in self && self.size() > 1)' exposeHeaders: description: |- ExposeHeaders indicates which HTTP response headers can be exposed 
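Review bot: Nothing in these hunks rejects a wildcard origin together with `allowCredentials: true`: the new `allowOrigins` item pattern accepts `*`, `http://*`, `https://*` and `*.`-prefixed hosts, and the added list rule only rejects `*` mixed with other entries. As the updated description in the preceding hunk reads, the gateway then returns the request's own `Origin`, so a route configured that way effectively allows credentialed cross-origin requests from any origin. Because this CRD is rendered from the chart, the guard belongs in an admission policy or a review convention rather than in this file; the condition to enforce on `cors` is `!(has(self.allowCredentials) && self.allowCredentials && has(self.allowOrigins) && self.allowOrigins.exists(o, o.contains('*')))`. The port group `[0-9]{1,5}` also admits values above 65535. The same schema is repeated in the hunk at -5776.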
@@ -4643,15 +4661,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -4687,6 +4708,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -4725,6 +4749,249 @@ spec: - kind - name type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. + + If there is any problem communicating with the external service, + this filter MUST fail closed. + + Support: Extended + + + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. + + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. + + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. + + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. + + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. + + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. 
+ + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. + + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. + + If this list is empty, then all headers must be sent. + + If the list has entries, only those entries must be sent. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. 
If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. + + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. + + When empty or unspecified, no prefix is added. + + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. + + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. 
+ + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : true' + - message: http must be specified when protocol is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : true' requestHeaderModifier: description: |- RequestHeaderModifier defines a schema for a filter that modifies request @@ -4768,7 +5035,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -4840,7 +5114,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5142,6 +5423,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
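Review bot: `forwardBody.maxSize` in the added `externalAuth` schema (hunk at -4725) is a bare `type: integer` with no `minimum`, `maximum` or `format`, although its description says implementations buffer the request body up to that many bytes. Negative values pass validation and a very large value leaves buffering effectively unbounded, so bound it wherever routes are admitted, e.g. `minimum: 0` plus a site-chosen `maximum`. The descriptions also state that an empty `grpc.allowedHeaders` sends all client headers to the authorization server and that an empty `http.allowedResponseHeaders` copies all of its response headers except Authority or Host to the backend, so routes using this filter should set both lists explicitly. The two descriptions disagree on oversize bodies (reject with a 4xx versus truncate to `maxSize`), which the text itself marks as experimental. The same block is repeated in the hunk starting at -5893, which runs past the visible text.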
@@ -5187,7 +5471,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5259,7 +5550,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5308,7 +5606,7 @@ spec: Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - + enum: - RequestHeaderModifier - ResponseHeaderModifier @@ -5316,6 +5614,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -5397,6 +5696,10 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')' - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type 
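Review bot: The new `externalAuth` property gets neither a `type` enum value nor a pairing rule in what is visible here: the enum hunk at -5316 adds only `CORS`, and the `x-kubernetes-validations` added at -5397 pair only `cors` with its type. A filter that sets `externalAuth` under some other `type` would therefore pass schema validation, and whether the authentication step is then applied is left to the controller, so a route may look protected without being so. Presumably the field is experimental upstream and only partly rendered into this CRD; until the enum lists it, treat `externalAuth` on Grafana routes as unsupported and reject it at review. The rule it would need mirrors the CORS one: `rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'`. The enum's middle entries fall between hunks, so confirm against the full file.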
@@ -5423,9 +5726,8 @@ spec: rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' - message: RequestHeaderModifier filter cannot be repeated @@ -5524,6 +5826,7 @@ spec: rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' maxItems: 16 type: array + x-kubernetes-list-type: atomic filters: description: |- Filters define the filters that are applied to requests that match @@ -5571,8 +5874,8 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. - - + + properties: cors: description: |- 
@@ -5580,31 +5883,27 @@ spec: cross-origin request based on HTTP response header. Support: Extended - - properties: allowCredentials: description: |- AllowCredentials indicates whether the actual cross-origin request allows to include credentials. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). Support: Extended - enum: - - true type: boolean allowHeaders: description: |- AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -5623,18 +5922,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -5658,6 +5960,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -5666,7 +5971,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -5686,18 +5991,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is specified and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -5763,10 +6071,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is specified and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -5776,19 +6093,21 @@ spec: Support: Extended items: description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or IP address as the host. - The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. maxLength: 253 minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside other origins + rule: '!(''*'' in self && self.size() > 1)' exposeHeaders: description: |- ExposeHeaders indicates which HTTP response headers can be exposed 
@@ -5811,15 +6130,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -5855,6 +6177,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -5893,6 +6218,249 @@ spec: - kind - name type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. + + If there is any problem communicating with the external service, + this filter MUST fail closed. + + Support: Extended + + + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. + + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. + + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. + + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. + + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. + + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. 
+ + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. + + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. + + If this list is empty, then all headers must be sent. + + If the list has entries, only those entries must be sent. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. 
If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. + + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. + + When empty or unspecified, no prefix is added. + + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. + + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. 
+ + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : true' + - message: http must be specified when protocol is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : true' requestHeaderModifier: description: |- RequestHeaderModifier defines a schema for a filter that modifies request @@ -5936,7 +6504,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6008,7 +6583,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6310,6 +6892,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -6355,7 +6940,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6427,7 +7019,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6476,7 +7075,7 @@ spec: Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - + enum: - RequestHeaderModifier - ResponseHeaderModifier @@ -6484,6 +7083,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -6565,6 +7165,10 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')' - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type 
@@ -6591,6 +7195,7 @@ spec: rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' @@ -6715,7 +7320,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6865,12 +7477,12 @@ spec: type: object maxItems: 64 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended - maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6904,7 +7516,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -6947,7 +7559,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -6965,6 +7577,7 @@ spec: minimum: 400 type: integer type: array + x-kubernetes-list-type: atomic type: object sessionPersistence: description: |- 
@@ -7041,7 +7654,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7055,6 +7668,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. 
@@ -7127,10 +7742,32 @@ spec: - message: Within backendRefs, When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: While 16 rules and 64 matches per rule are allowed, the total number of matches across all rules in a route must be less than 128 rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. 
+ + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + + + enum: + - All + - None + type: string type: object type: object ingress: @@ -8245,7 +8882,7 @@ spec: description: |- Version sets the tag of the default image: docker.io/grafana/grafana. Allows full image refs with/without sha256checksum: "registry/repo/image:tag@sha" - default: 12.3.3 + default: 12.4.1 type: string type: object status: diff --git a/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml index c1c5fe588..248ad6a57 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml @@ -4,10 +4,10 @@ metadata: name: grafana-operator namespace: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator @@ -20,10 +20,10 @@ spec: template: metadata: labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator 
@@ -38,7 +38,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/grafana/grafana-operator:v5.22.0" + image: "ghcr.io/grafana/grafana-operator:v5.22.1" imagePullPolicy: IfNotPresent env: - name: WATCH_NAMESPACE diff --git a/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml b/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml index 2a71fbf75..afefca68d 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml @@ -4,10 +4,10 @@ metadata: namespace: grafana-operator name: grafana-operator-leases labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator diff --git a/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml b/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml index 5c8e150ab..d7d4af92b 100644 --- a/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml @@ -4,10 +4,10 @@ metadata: name: grafana-operator-leases namespace: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator 
diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml index b0f7dac48..e733693a6 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml @@ -4,10 +4,10 @@ metadata: name: grafana-operator-metrics-service namespace: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml index 60ea87ca1..ba8411b5c 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml @@ -4,10 +4,10 @@ metadata: name: grafana-operator namespace: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml index a374e942d..ec9dda5b0 100644 
--- a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml @@ -4,10 +4,10 @@ metadata: name: grafana-operator namespace: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator