Browse Source

chore: remove references to Prometheus in Helm chart (#2814)

Remove references to deprecated prometheus values. 

Signed-off-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Sebastián Gómez 2 years ago
parent
commit
15b68cc722

+ 3 - 6
deploy/charts/external-secrets/README.md

@@ -48,6 +48,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | certController.image.tag | string | `""` |  |
 | certController.imagePullSecrets | list | `[]` |  |
+| certController.metrics.listen.port | int | `8080` |  |
 | certController.metrics.service.annotations | object | `{}` | Additional service annotations |
 | certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
 | certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
@@ -58,8 +59,6 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.podLabels | object | `{}` |  |
 | certController.podSecurityContext | object | `{}` |  |
 | certController.priorityClassName | string | `""` | Pod priority class name. |
-| certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
-| certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
 | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | certController.readinessProbe.address | string | `""` | Address for readiness probe |
 | certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
@@ -105,6 +104,7 @@ The command removes all the Kubernetes components associated with the chart and
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
 | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| metrics.listen.port | int | `8080` |  |
 | metrics.service.annotations | object | `{}` | Additional service annotations |
 | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
 | metrics.service.port | int | `8080` | Metrics service port to scrape |
@@ -118,8 +118,6 @@ The command removes all the Kubernetes components associated with the chart and
 | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
-| prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
-| prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
 | replicaCount | int | `1` |  |
@@ -172,6 +170,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
 | webhook.imagePullSecrets | list | `[]` |  |
 | webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
+| webhook.metrics.listen.port | int | `8080` |  |
 | webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
 | webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
 | webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
@@ -183,8 +182,6 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.podSecurityContext | object | `{}` |  |
 | webhook.port | int | `10250` | The port the webhook will listen to |
 | webhook.priorityClassName | string | `""` | Pod priority class name. |
-| webhook.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
-| webhook.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
 | webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | webhook.readinessProbe.address | string | `""` | Address for readiness probe |
 | webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |

+ 0 - 5
deploy/charts/external-secrets/templates/NOTES.txt

@@ -6,8 +6,3 @@ or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
 More information on the different types of SecretStores and how to configure them
 can be found in our Github: {{ .Chart.Home }}
 
-{{ if  .Values.prometheus.enabled -}}
-deprecation warning:
-> The flag `prometheus.enabled` is deprecated and will be removed in the next release.
-  Please migrate to using servicemonitor instead.
-{{ end }}

+ 2 - 2
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -54,7 +54,7 @@ spec:
           - --service-namespace={{ .Release.Namespace }}
           - --secret-name={{ include "external-secrets.fullname" . }}-webhook
           - --secret-namespace={{ .Release.Namespace }}
-          - --metrics-addr=:{{ .Values.certController.prometheus.service.port }}
+          - --metrics-addr=:{{ .Values.certController.metrics.listen.port }}
           - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
           {{ if not .Values.crds.createClusterSecretStore -}}
           - --crd-names=externalsecrets.external-secrets.io
@@ -68,7 +68,7 @@ spec:
             {{- end }}
           {{- end }}
           ports:
-            - containerPort: {{ .Values.certController.prometheus.service.port }}
+            - containerPort: {{ .Values.certController.metrics.listen.port }}
               protocol: TCP
               name: metrics
           readinessProbe:

+ 2 - 12
deploy/charts/external-secrets/templates/cert-controller-service.yaml

@@ -1,30 +1,20 @@
-{{- if or (and .Values.certController.create .Values.certController.prometheus.enabled) (and .Values.certController.create .Values.certController.metrics.service.enabled) }}
+{{- if and .Values.certController.create .Values.certController.metrics.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
-  {{- if .Values.certController.prometheus.enabled }}
-  annotations:
-    prometheus.io/path: "/metrics"
-    prometheus.io/scrape: "true"
-    prometheus.io/port: {{ .Values.certController.prometheus.service.port | quote }}
-  {{- else }}
   {{- with .Values.metrics.service.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- end }}
 spec:
   type: ClusterIP
   ports:
-  {{- if .Values.certController.prometheus.enabled }}
-  - port: {{ .Values.certController.prometheus.service.port }}
-  {{- else }}
   - port: {{ .Values.certController.metrics.service.port }}
-  {{- end }}
     protocol: TCP
+    targetPort: metrics
     name: metrics
   selector:
     {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
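
Review bot: the annotations block that remains in this cert-controller Service still reads `.Values.metrics.service.annotations`, which is the core controller's value, not `.Values.certController.metrics.service.annotations`. Before this change it was the `else` branch; now it is the only path, so the README entry for `certController.metrics.service.annotations` has no effect on this Service. Suggest switching the `with` to the `certController` key in the same change.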

+ 2 - 1
deploy/charts/external-secrets/templates/deployment.yaml

@@ -86,8 +86,9 @@ spec:
             {{- end }}
           {{- end }}
           {{- end }}
+          - --metrics-addr=:{{ .Values.metrics.listen.port }}
           ports:
-            - containerPort: {{ .Values.prometheus.service.port }}
+            - containerPort: {{ .Values.metrics.listen.port }}
               protocol: TCP
               name: metrics
           {{- with .Values.extraEnv }}

+ 2 - 12
deploy/charts/external-secrets/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.prometheus.enabled .Values.metrics.service.enabled }}
+{{- if .Values.metrics.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -6,26 +6,16 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
-  {{- if .Values.prometheus.enabled }}
-  annotations:
-    prometheus.io/path: "/metrics"
-    prometheus.io/scrape: "true"
-    prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
-  {{- else }}
   {{- with .Values.metrics.service.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- end }}
 spec:
   type: ClusterIP
   ports:
-    {{- if .Values.prometheus.enabled }}
-    - port: {{ .Values.prometheus.service.port }}
-    {{- else }}
     - port: {{ .Values.metrics.service.port }}
-    {{- end }}
       protocol: TCP
+      targetPort: metrics
       name: metrics
   selector:
     {{- include "external-secrets.selectorLabels" . | nindent 4 }}

+ 3 - 3
deploy/charts/external-secrets/templates/servicemonitor.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-    - port: 8080
+    - port: {{ .Values.metrics.service.port }}
       protocol: TCP
       name: metrics
   selector:
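
Review bot: the port entry here becomes configurable through `metrics.service.port`, but unlike `service.yaml` in this same commit it does not get `targetPort: metrics`. Without it Kubernetes defaults the target port to the Service port, so any install where `metrics.service.port` differs from `metrics.listen.port` will route scrapes to a container port nothing listens on. Add `targetPort: metrics` to each of the three Services in this file.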
@@ -57,7 +57,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-    - port: 8080
+    - port: {{ .Values.webhook.metrics.service.port }}
       protocol: TCP
       name: metrics
   selector:
@@ -106,7 +106,7 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-    - port: 8080
+    - port: {{ .Values.certController.metrics.listen.port }}
       protocol: TCP
       name: metrics
   selector:
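
Review bot: this Service port uses `.Values.certController.metrics.listen.port`, while the two hunks above use the matching `*.metrics.service.port` values. That leaves `certController.metrics.service.port` unused for the ServiceMonitor-backed Service and makes the three components behave differently. Suggest `.Values.certController.metrics.service.port` here, combined with `targetPort: metrics`, so the Service port and the container listen port stay independent.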

+ 2 - 2
deploy/charts/external-secrets/templates/webhook-deployment.yaml

@@ -53,7 +53,7 @@ spec:
           - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
           - --cert-dir={{ .Values.webhook.certDir }}
           - --check-interval={{ .Values.webhook.certCheckInterval }}
-          - --metrics-addr=:{{ .Values.webhook.prometheus.service.port }}
+          - --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
           - --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
           {{- if .Values.webhook.lookaheadInterval }}
           - --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
@@ -66,7 +66,7 @@ spec:
             {{- end }}
           {{- end }}
           ports:
-            - containerPort: {{ .Values.webhook.prometheus.service.port }}
+            - containerPort: {{ .Values.webhook.metrics.listen.port }}
               protocol: TCP
               name: metrics
             - containerPort: {{ .Values.webhook.port }}

+ 3 - 13
deploy/charts/external-secrets/templates/webhook-service.yaml

@@ -7,12 +7,7 @@ metadata:
   labels:
     {{- include "external-secrets-webhook.labels" . | nindent 4 }}
     external-secrets.io/component: webhook
-  {{- if .Values.webhook.prometheus.enabled}}
-  annotations:
-    prometheus.io/path: "/metrics"
-    prometheus.io/scrape: "true"
-    prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
-  {{- else }}
+  {{- if .Values.webhook.metrics.service.enabled }}
   {{- with .Values.webhook.metrics.service.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -25,15 +20,10 @@ spec:
     targetPort: {{ .Values.webhook.port }}
     protocol: TCP
     name: webhook
-  {{- if or .Values.webhook.prometheus.enabled .Values.webhook.metrics.service.enabled }}
-  {{- if .Values.webhook.prometheus.enabled }}
-  - port: {{ .Values.webhook.prometheus.service.port }}
-    targetPort: {{ .Values.webhook.prometheus.service.port }}
-  {{- else }}
+  {{- if .Values.webhook.metrics.service.enabled }}
   - port: {{ .Values.webhook.metrics.service.port }}
-    targetPort: {{ .Values.webhook.metrics.service.port }}
-  {{- end }}
     protocol: TCP
+    targetPort: metrics
     name: metrics
   {{- end }}
   selector:

+ 1 - 0
deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -31,6 +31,7 @@ should match snapshot of default values:
           containers:
             - args:
                 - --concurrent=1
+                - --metrics-addr=:8080
               image: ghcr.io/external-secrets/external-secrets:v0.9.9
               imagePullPolicy: IfNotPresent
               name: external-secrets

+ 24 - 3
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap

@@ -716,6 +716,11 @@ should match snapshot of default values:
                               type: string
                             principalType:
                               description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                              enum:
+                                - ""
+                                - UserPrincipal
+                                - InstancePrincipal
+                                - Workload
                               type: string
                             region:
                               description: Region is the region where vault is located.
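
Review bot: the `enum` added under `principalType` here, and the `secretsManager` and description changes in the following hunks of this snapshot, are CRD schema changes unrelated to removing the Prometheus values. They look like drift picked up when the snapshots were regenerated. Either regenerate the CRD snapshot in its own commit or mention it in the commit message, so this change can be reviewed and reverted on its own.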
@@ -1443,7 +1448,7 @@ should match snapshot of default values:
                           description: AWS configures this store to sync secrets using AWS Secret Manager provider
                           properties:
                             additionalRoles:
-                              description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role
+                              description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
                               items:
                                 type: string
                               type: array
@@ -1522,8 +1527,19 @@ should match snapshot of default values:
                               description: AWS Region to be used for the provider
                               type: string
                             role:
-                              description: Role is a Role ARN which the SecretManager provider will assume
+                              description: Role is a Role ARN which the provider will assume
                               type: string
+                            secretsManager:
+                              description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+                              properties:
+                                forceDeleteWithoutRecovery:
+                                  description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
+                                  type: boolean
+                                recoveryWindowInDays:
+                                  description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
+                                  format: int64
+                                  type: integer
+                              type: object
                             service:
                               description: Service defines which service should be used to fetch the secrets
                               enum:
@@ -1544,7 +1560,7 @@ should match snapshot of default values:
                                 type: object
                               type: array
                             transitiveTagKeys:
-                              description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+                              description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
                               items:
                                 type: string
                               type: array
@@ -2260,6 +2276,11 @@ should match snapshot of default values:
                               type: string
                             principalType:
                               description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                              enum:
+                                - ""
+                                - UserPrincipal
+                                - InstancePrincipal
+                                - Workload
                               type: string
                             region:
                               description: Region is the region where vault is located.

+ 1 - 1
deploy/charts/external-secrets/tests/cert_controller_test.yaml

@@ -56,7 +56,7 @@ tests:
           value: "--healthz-addr=:8082"
   - it: should override metrics port
     set:
-      certController.prometheus.service.port: 8888
+      certController.metrics.listen.port: 8888
     asserts:
       - equal:
           path: spec.template.spec.containers[0].args[6]

+ 7 - 0
deploy/charts/external-secrets/tests/controller_test.yaml

@@ -47,3 +47,10 @@ tests:
       - equal:
           path: spec.template.spec.hostNetwork
           value: true
+  - it: should override metrics port
+    set:
+      metrics.listen.port: 8888
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].args[1]
+          value: "--metrics-addr=:8888"
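
Review bot: the assertion pins the flag to `containers[0].args[1]`, which only holds while exactly one argument is rendered before `--metrics-addr`. Any value that adds an earlier argument will break this test for reasons unrelated to the metrics port. A `contains` assertion on `spec.template.spec.containers[0].args` with content `--metrics-addr=:8888` checks the same thing without depending on position; the same applies to `args[5]` in the webhook test and `args[6]` in the cert-controller test.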

+ 9 - 0
deploy/charts/external-secrets/tests/webhook_test.yaml

@@ -161,3 +161,12 @@ tests:
     templates:
       - validatingwebhook.yaml
       - crds/externalsecret.yaml
+  - it: should override metrics port
+    set:
+      webhook.metrics.listen.port: 8888
+    templates:
+      - webhook-deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].args[5]
+          value: "--metrics-addr=:8888"

+ 11 - 19
deploy/charts/external-secrets/values.yaml

@@ -132,13 +132,6 @@ resources: {}
   #   cpu: 10m
   #   memory: 32Mi
 
-prometheus:
-  # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
-  enabled: false
-  service:
-    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
-    port: 8080
-
 serviceMonitor:
   # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
   enabled: false
@@ -177,6 +170,10 @@ serviceMonitor:
   #   action: replace
 
 metrics:
+
+  listen:
+    port: 8080
+
   service:
     # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
     enabled: false
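
Review bot: the new `listen.port` key has no `# --` doc comment, unlike `enabled` right below it, which is why the three new README rows (`metrics.listen.port`, `webhook.metrics.listen.port`, `certController.metrics.listen.port`) have an empty description column. Add a comment stating that this is the container port the metrics endpoint binds to via `--metrics-addr`, as distinct from `metrics.service.port`, and do the same in the `webhook` and `certController` sections.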
@@ -299,14 +296,12 @@ webhook:
     enabled: false
     minAvailable: 1
     # maxUnavailable: 1
-  prometheus:
-    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
-    enabled: false
-    service:
-      # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
-      port: 8080
 
   metrics:
+
+    listen:
+      port: 8080
+
     service:
       # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
       enabled: false
@@ -418,14 +413,11 @@ certController:
     minAvailable: 1
     # maxUnavailable: 1
 
-  prometheus:
-    # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
-    enabled: false
-    service:
-      # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
+  metrics:
+
+    listen:
       port: 8080
 
-  metrics:
     service:
       # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
       enabled: false