From 9dcc17908c77cc80d275e94e3a5ad2031d2392fa Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Fri, 19 Apr 2024 17:01:44 +0200 Subject: [PATCH 1/7] Create sync-from-upstream.yaml Signed-off-by: Zach Stone
---
.github/workflows/sync-from-upstream.yaml | 33 +++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/sync-from-upstream.yaml
diff --git a/.github/workflows/sync-from-upstream.yaml b/.github/workflows/sync-from-upstream.yaml
new file mode 100644
index 0000000..6bb8aa8
--- /dev/null
+++ b/.github/workflows/sync-from-upstream.yaml
@@ -0,0 +1,33 @@
+name: Sync from upstream
+
+on:
+ push:
+ branches:
+ - 'main' # Run at every sync
+ schedule:
+ - cron: '0 8 * * 5' # At 07:00 on every Friday
+
+ # Allows to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ sync-reports-server-charts-repository:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate token
+ id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ token: ${{ steps.generate_token.outputs.token }}
+ - run: |
+ # Fetch tags from upstream repo
+ git fetch https://github.com/kyverno/reports-server --tags
+ # Remove release candidates local tags
+ git tag -d $(git tag -l | grep -E "\-rc|\-beta|\-dev|\-chart")
+ git push --tags
From e4b562b9d4adc9f5f668b682904784c96c51fa39 Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Fri, 19 Apr 2024 17:09:00 +0200 Subject: [PATCH 2/7] Update sync-from-upstream.yaml Signed-off-by: Zach Stone
---
.github/workflows/sync-from-upstream.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sync-from-upstream.yaml b/.github/workflows/sync-from-upstream.yaml
index 6bb8aa8..ab6a934 100644
--- a/.github/workflows/sync-from-upstream.yaml
+++ b/.github/workflows/sync-from-upstream.yaml
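Review bot: The "Generate token" step in the new workflow (patch 1/7) passes `secrets.APP_PRIVATE_KEY` to `tibdex/github-app-token@v1`, which is referenced by a mutable tag, so whatever code that tag resolves to at run time receives the App's private key; `actions/checkout@v3` is tag-pinned the same way. Pin both to a full commit SHA, e.g. `uses: tibdex/github-app-token@<full-commit-sha> # v1`. Since the push is done with the App token, a top-level `permissions:` block limited to `contents: read` would keep the default `GITHUB_TOKEN` from carrying write scope into these steps. Minor: the comment on `cron: '0 8 * * 5'` says 07:00 while the expression fires at 08:00 UTC.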
@@ -29,5 +29,5 @@ jobs: # Fetch tags from upstream repo git fetch https://github.com/kyverno/reports-server --tags # Remove release candidates local tags - git tag -d $(git tag -l | grep -E "\-rc|\-beta|\-dev|\-chart") + git tag -d $(git tag -l | grep -E "\-rc|\-beta|\-dev") git push --tags From edd18c8095acbebbe36e5e92eca597cfacd26ff0 Mon Sep 17 00:00:00 2001 From: Mike Dougherty Date: Fri, 14 Jun 2024 10:43:55 -0700 Subject: [PATCH 3/7] fix(charts): remove erroneous 'metadata' key from ClusterRole object (#119) Signed-off-by: Mike Dougherty Co-authored-by: Jim Bugwadia Signed-off-by: Zach Stone From 5ccff2e4a53d4c6caf09a59128c76ce148ba51be Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Thu, 4 Jul 2024 18:10:07 -0400 Subject: [PATCH 4/7] Enable metrics endpoint and add service monitor Signed-off-by: Zach Stone --- charts/reports-server/README.md | 7 ++++ .../reports-server/templates/deployment.yaml | 3 ++ .../templates/service-monitor.yaml | 36 +++++++++++++++++++ charts/reports-server/values.yaml | 23 ++++++++++++ 4 files changed, 69 insertions(+) create mode 100644 charts/reports-server/templates/service-monitor.yaml diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 6da2e69..680aa07 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md 
@@ -44,6 +44,13 @@ helm install reports-server --namespace reports-server --create-namespace report | securityContext | object | See [values.yaml](values.yaml) | Container security context | | livenessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/livez","port":"https","scheme":"HTTPS"},"initialDelaySeconds":90,"periodSeconds":10}` | Liveness probe | | readinessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/readyz","port":"https","scheme":"HTTPS"},"initialDelaySeconds":100,"periodSeconds":10}` | Readiness probe | +| metrics.enabled | bool | `true` | Enable prometheus metrics | +| metrics.serviceMonitor.enabled | bool | `true` | Enable service monitor for scraping prometheus metrics | +| metrics.serviceMonitor.additionalLabels | object | `{}` | Service monitor additional labels | +| metrics.serviceMonitor.interval | string | `""` | Service monitor scrape interval | +| metrics.serviceMonitor.metricRelabelings | list | `[]` | Service monitor metric relabelings | +| metrics.serviceMonitor.relabelings | list | `[]` | Service monitor relabelings | +| metrics.serviceMonitor.scrapeTimeout | string | `""` | Service monitor scrape timeout | | resources.limits | string | `nil` | Container resource limits | | resources.requests | string | `nil` | Container resource requests | | autoscaling.enabled | bool | `false` | Enable autoscaling | diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index e8dbb0a..5e68bc2 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -51,6 +51,9 @@ spec: {{- end }} - --cert-dir=/tmp - --secure-port=4443 + {{- if .Values.metrics.enabled }} + - --authorization-always-allow-paths=/metrics + {{- end }} {{- if .Values.config.db.secretName }} env: - name: DB_HOST 
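Review bot: The added `- --authorization-always-allow-paths=/metrics` argument in templates/deployment.yaml exempts `/metrics` from authorization whenever `metrics.enabled` is set, and values.yaml in this same patch defaults `metrics.enabled` to `true`, so a default install serves metrics on the secure port without an authorization check. The generated `config/install.yaml` and `config/install-inmemory.yaml` in patch 5/7 carry the flag unconditionally. Consider defaulting `metrics.enabled` to `false`, or leaving authorization on and granting the scraper's service account `get` on the `/metrics` non-resource URL through RBAC. At minimum the values comment should state the effect, e.g. `# -- Enable prometheus metrics (serves /metrics without authorization)`. The container `args` list begins above this hunk, so other flags that affect the endpoint are not visible here.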
diff --git a/charts/reports-server/templates/service-monitor.yaml b/charts/reports-server/templates/service-monitor.yaml
new file mode 100644
index 0000000..74e5fe8
--- /dev/null
+++ b/charts/reports-server/templates/service-monitor.yaml
@@ -0,0 +1,36 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "reports-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "reports-server.labels" . | nindent 4 }}
+ {{- with .Values.metrics.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "reports-server.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: https
+ path: /metrics
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ {{- if .Values.metrics.serviceMonitor.interval}}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout}}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
index 87e7193..c14248d 100644
--- a/charts/reports-server/values.yaml
+++ b/charts/reports-server/values.yaml
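Review bot: `insecureSkipVerify: true` is hard-coded under `tlsConfig` in the new ServiceMonitor endpoint, so every scrape created by this chart accepts any certificate presented on the `https` port and no value can turn verification back on. The deployment runs with `--cert-dir=/tmp`, which presumably means a self-generated serving certificate and would explain the skip, but operators who provision a real certificate need to be able to set `ca` and `serverName`. I would render the block from a value such as `metrics.serviceMonitor.tlsConfig`, with the current setting as its documented default in values.yaml, as sketched below. The same hard-coded setting is copied into the generated ServiceMonitor in `config/install.yaml` and `config/install-inmemory.yaml` in patch 5/7.

```yaml
      scheme: https
      {{- with .Values.metrics.serviceMonitor.tlsConfig }}
      tlsConfig:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: interval, scrapeTimeout, metricRelabelings, relabelings …
```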
@@ -98,6 +98,29 @@ readinessProbe: port: https scheme: HTTPS +metrics: + # -- Enable prometheus metrics + enabled: true + + serviceMonitor: + # -- Enable service monitor for scraping prometheus metrics + enabled: true + + # -- Service monitor additional labels + additionalLabels: {} + + # -- Service monitor scrape interval + interval: "" + + # -- Service monitor metric relabelings + metricRelabelings: [] + + # -- Service monitor relabelings + relabelings: [] + + # -- Service monitor scrape timeout + scrapeTimeout: "" + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following From 010c8317a09d3fa58be8047b6831c89b40583fd2 Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Thu, 4 Jul 2024 18:14:07 -0400 Subject: [PATCH 5/7] Update generated install Signed-off-by: Zach Stone --- .github/workflows/sync-from-upstream.yaml | 33 ----------------------- config/install-inmemory.yaml | 24 +++++++++++++++++ config/install.yaml | 24 +++++++++++++++++ 3 files changed, 48 insertions(+), 33 deletions(-) delete mode 100644 .github/workflows/sync-from-upstream.yaml diff --git a/.github/workflows/sync-from-upstream.yaml b/.github/workflows/sync-from-upstream.yaml deleted file mode 100644 index ab6a934..0000000 --- a/.github/workflows/sync-from-upstream.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Sync from upstream - -on: - push: - branches: - - 'main' # Run at every sync - schedule: - - cron: '0 8 * * 5' # At 07:00 on every Friday - - # Allows to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - sync-reports-server-charts-repository: - runs-on: ubuntu-latest - steps: - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1 - with: - app_id: ${{ secrets.APP_ID }} - private_key: ${{ secrets.APP_PRIVATE_KEY }} - - - name: Checkout - uses: actions/checkout@v3 - with: - token: ${{ steps.generate_token.outputs.token }} - - run: | - # Fetch tags from upstream repo - git fetch https://github.com/kyverno/reports-server --tags - # Remove release candidates local tags - git tag -d $(git tag -l | grep -E "\-rc|\-beta|\-dev") - git push --tags diff --git a/config/install-inmemory.yaml b/config/install-inmemory.yaml index 734d1f0..cacdc55 100644 --- a/config/install-inmemory.yaml +++ b/config/install-inmemory.yaml @@ -172,6 +172,7 @@ spec: - --debug - --cert-dir=/tmp - --secure-port=4443 + - --authorization-always-allow-paths=/metrics securityContext: allowPrivilegeEscalation: false capabilities: @@ -258,3 +259,26 @@ spec: namespace: reports-server version: v1 versionPriority: 100 +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: reports-server + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.1.0-alpha.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.0-alpha.1" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + endpoints: + - port: https + path: /metrics + scheme: https + tlsConfig: + insecureSkipVerify: true diff --git a/config/install.yaml b/config/install.yaml index 0c4bd0d..d8885c0 100644 --- a/config/install.yaml +++ b/config/install.yaml 
@@ -267,6 +267,7 @@ spec: - --dbsslcert= - --cert-dir=/tmp - --secure-port=4443 + - --authorization-always-allow-paths=/metrics securityContext: allowPrivilegeEscalation: false capabilities: @@ -522,3 +523,26 @@ spec: namespace: reports-server version: v1 versionPriority: 100 +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: reports-server + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.1.0-alpha.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.0-alpha.1" + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + endpoints: + - port: https + path: /metrics + scheme: https + tlsConfig: + insecureSkipVerify: true From 40e0c11f2179c75c65f802c26908ea3f5cfa9dd8 Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Tue, 9 Jul 2024 08:57:06 -0400 Subject: [PATCH 6/7] Do not enable ServiceMonitor by default Signed-off-by: Zach Stone --- charts/reports-server/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index c14248d..76f4d38 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -104,7 +104,7 @@ metrics: serviceMonitor: # -- Enable service monitor for scraping prometheus metrics - enabled: true + enabled: false # -- Service monitor additional labels additionalLabels: {} From de9c4b38b88c8d08155ba278cf35630d1056c19a Mon Sep 17 00:00:00 2001 From: Zach Stone Date: Tue, 9 Jul 2024 09:02:42 -0400 Subject: [PATCH 7/7] Rerun codegen Signed-off-by: Zach Stone --- charts/reports-server/README.md | 2 +- config/install-inmemory.yaml | 23 ----------------------- config/install.yaml | 23 ----------------------- 3 files changed, 1 insertion(+), 47 deletions(-) 
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 42a6382..95ee74e 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md @@ -45,7 +45,7 @@ helm install reports-server --namespace reports-server --create-namespace report | livenessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/livez","port":"https","scheme":"HTTPS"},"initialDelaySeconds":20,"periodSeconds":10}` | Liveness probe | | readinessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/readyz","port":"https","scheme":"HTTPS"},"initialDelaySeconds":30,"periodSeconds":10}` | Readiness probe | | metrics.enabled | bool | `true` | Enable prometheus metrics | -| metrics.serviceMonitor.enabled | bool | `true` | Enable service monitor for scraping prometheus metrics | +| metrics.serviceMonitor.enabled | bool | `false` | Enable service monitor for scraping prometheus metrics | | metrics.serviceMonitor.additionalLabels | object | `{}` | Service monitor additional labels | | metrics.serviceMonitor.interval | string | `""` | Service monitor scrape interval | | metrics.serviceMonitor.metricRelabelings | list | `[]` | Service monitor metric relabelings | diff --git a/config/install-inmemory.yaml b/config/install-inmemory.yaml index 80f2e99..266bf72 100644 --- a/config/install-inmemory.yaml +++ b/config/install-inmemory.yaml 
@@ -263,26 +263,3 @@ spec: namespace: reports-server version: v1 versionPriority: 100 ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: reports-server - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.1.0-alpha.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.0-alpha.1" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - endpoints: - - port: https - path: /metrics - scheme: https - tlsConfig: - insecureSkipVerify: true diff --git a/config/install.yaml b/config/install.yaml index e592c1d..5215cd5 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -527,26 +527,3 @@ spec: namespace: reports-server version: v1 versionPriority: 100 ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: reports-server - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.1.0-alpha.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.0-alpha.1" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - endpoints: - - port: https - path: /metrics - scheme: https - tlsConfig: - insecureSkipVerify: true