Release px-central 2.11.0 chart (#874)

* Added initial changes required for 2.11.0-staging

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* Updated the tar bundle

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* Upgrade Keycloak to 26.4.7 (#833)

* Fixing mongodb repo in pre-upgrade hook spec

* PB-13384 | PB-13194: Moving mongodb out of bitnami and moving script cm creation to hooks

* Updating tar ball and repo index

* Pb-13325 | migration from bitnami to official postgres (#839)

PB-13325 | upgrading to official postgres-18

---------

Co-authored-by: Ayush Sharma <aysharma@purestorage.com>

* PB-13257|PB-13260|PB-13261|PB-13262|PB-13263: Updating alertmanager and all prometheus images to fix CVEs

* Updating tar ball and repo index

* Updated the tar ball

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* PB-12294 | Add app.kubernetes.io/part-of=px-backup label to all Helm resources (#843)


* PB-12294 | Tagging resources with label app.kubernetes.io/part-of

* updated the tar ball and repo index 

updated the tar ball and repo index

* PB-13860 | PB-13859 | PB-13858 | PB-13857 | PB-13864: Updating mongodb, alertmanager and prometheus packages to fix high CVEs

* Updating tar ball and index

* Pb 13866 | mysql upgrade to 8.0.44 (#850)

* PB-13866 | bumping mysql version


---------

Co-authored-by: Ayush Sharma <aysharma@purestorage.com>

* PB-13983 | fix statefulset upgrades and make part-of conditional (#851)

- Add app.kubernetes.io/part-of label only when pxbackup.enabled=true
- Remove labels from StatefulSet volumeClaimTemplates

Co-authored-by: Bhanuchandra K <bk+pure@purestorage.com>

* Updated the tar ball

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* PB-13931: new metrics exclusion | external metrics

pxb prometheus will not be consuming these metrics, so they are ignored using service monitor

* PB-14400: service monitor enabled for BYOP | Metrics

* Added changes for 2.11.0 dev

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* Bundle changes

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

* Release px-central 2.11.0 chart

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>

---------

Signed-off-by: Kesavan Thiruvenkadasamy <kthiruvenkadasamy@purestorage.com>
Co-authored-by: Kalaikovan Ravichandran <127825117+kravichandran-px@users.noreply.github.com>
Co-authored-by: ykumari-px <ykumari@purestorage.com>
Co-authored-by: Ayush Sharma <83945775+ayush-px@users.noreply.github.com>
Co-authored-by: Ayush Sharma <aysharma@purestorage.com>
Co-authored-by: bk-px <bk@purestorage.com>
Co-authored-by: Bhanuchandra K <bk+pure@purestorage.com>
Co-authored-by: Nidhin Thomas <nthomas@purestorage.com>

Author: 8 people

charts/px-central/Chart.yaml

@@ -13,6 +13,6 @@ keywords:
 name: px-central
 sources:
 - https://github.com/portworx/helm/tree/master/charts/px-central
-version: 2.10.2
-appVersion: 2.10.2
+version: 2.11.0
+appVersion: 2.11.0
 name: px-central

charts/px-central/templates/_helpers.tpl

@@ -39,8 +39,19 @@ app.kubernetes.io/instance: {{.Release.Name | quote }}
 app.kubernetes.io/managed-by: {{.Release.Service | quote }}
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- if .Values.pxbackup.enabled }}
+app.kubernetes.io/part-of: px-backup
+{{- end }}
 {{- end }}
 
+{{/*
+Part-of label for nested templates
+*/}}
+{{- define "px-central.partOfLabel" -}}
+{{- if .Values.pxbackup.enabled }}
+app.kubernetes.io/part-of: px-backup
+{{- end }}
+{{- end }}
 
 {{/*
 Selector labels

charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml

@@ -19,6 +19,7 @@ metadata:
   labels:
     name: pxcentral-pre-install-hook
     app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 rules:
   - apiGroups: ["apps"]
     resources: ["statefulsets"]
@@ -78,6 +79,7 @@ metadata:
   labels:
     name: pxcentral-pre-install-hook
     app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: default
@@ -95,6 +97,7 @@ metadata:
   labels:
     name: pxcentral-pre-install-hook
     app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-install
     {{- if .Values.isArgoCD }}
@@ -121,6 +124,7 @@ metadata:
   labels:
     name: pxcentral-pre-install-hook
     app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-install
     "helm.sh/hook-weight": "6"
@@ -248,6 +252,7 @@ metadata:
   labels:
     name: pxcentral-preflight-check-hook
     app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "4"
@@ -356,6 +361,7 @@ metadata:
   labels:
     name: pxcentral-pre-setup-hook
     app.kubernetes.io/component: pxcentral-pre-setup-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 rules:
   - apiGroups: [ "storage.k8s.io" ]
     resources: [ "storageclasses" ]
@@ -375,6 +381,7 @@ metadata:
   labels:
     name: pxcentral-pre-setup-hook
     app.kubernetes.io/component: pxcentral-pre-setup-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: default

charts/px-central/templates/px-backup/pre-rollback-hook/pre-rollback-check.yaml

@@ -9,6 +9,7 @@ metadata:
   labels:
     name: pxcentral-pre-install-hook
     app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-rollback
     "helm.sh/hook-delete-policy": hook-succeeded

charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml

@@ -43,6 +43,7 @@ metadata:
   labels:
     name: pxcentral-pre-upgrade-hook
     app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 rules:
   - apiGroups: ["apps"]
     resources: ["statefulsets"]
@@ -101,6 +102,7 @@ metadata:
   labels:
     name: pxcentral-pre-upgrade-hook
     app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: default
@@ -118,6 +120,7 @@ metadata:
   labels:
     name: pxcentral-pre-upgrade-hook
     app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade
     {{- if .Values.isArgoCD }}
@@ -144,6 +147,7 @@ metadata:
   labels:
     name: pxcentral-pre-upgrade-hook
     app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade
     "helm.sh/hook-weight": "6"
@@ -254,7 +258,7 @@ spec:
             - name: POSTGRES_DB
               value: "keycloak"
             - name: POSTGRES_PVC_NAME
-              value: pxcentral-keycloak-data-postgres17
+              value: pxcentral-keycloak-data-postgres18
             - name: JOB_TIMEOUT_SECONDS
               value: "600"
             - name: PX_BACKUP_ENABLED

charts/px-central/templates/px-backup/pxcentral-alertmanager.yaml

@@ -9,6 +9,8 @@ kind: Alertmanager
 metadata:
   name: px-backup-alertmanager
   namespace: {{ .Release.Namespace }}
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 spec:
   affinity:
     nodeAffinity:
@@ -25,11 +27,13 @@ spec:
             - "false"
           {{- end }}
   configSecret: px-backup-alertmanager-custom-config
-  {{- if and (eq $azureProxyEnabled true) (not (has "px-backup-alertmanager" .Values.proxy.excludeAzureProxyList)) }}
   podMetadata:
+    {{- if and (eq $azureProxyEnabled true) (not (has "px-backup-alertmanager" .Values.proxy.excludeAzureProxyList)) }}
     annotations:
       kubernetes.azure.com/no-http-proxy-vars: "true"
-  {{- end }}
+    {{- end }}
+    labels:
+{{- include "px-central.partOfLabel" . | nindent 6 }}
   alertmanagerConfigSelector:
     matchLabels:
       app: px-backup-alert-configs
@@ -157,6 +161,9 @@ spec:
   {{- if .Values.persistentStorage.storageClassName }}
   storage:
     volumeClaimTemplate:
+      metadata:
+        labels:
+{{- include "px-central.partOfLabel" . | nindent 10 }}
       spec:
         storageClassName: {{ .Values.persistentStorage.storageClassName }}
         resources:
@@ -174,6 +181,8 @@ kind: Secret
 metadata:
   name: px-backup-alertmanager-custom-config
   namespace: {{ .Release.Namespace }}
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 type: Opaque
 stringData:
   alertmanager.yaml: |

charts/px-central/templates/px-backup/pxcentral-backup.yaml

@@ -186,6 +186,7 @@ spec:
     metadata:
       labels:
         app: px-backup
+{{- include "px-central.partOfLabel" . | nindent 8 }}
       {{- if and (eq $azureProxyEnabled true) (not (has "px-backup" .Values.proxy.excludeAzureProxyList)) }}
       annotations:
         kubernetes.azure.com/no-http-proxy-vars: "true"

charts/px-central/templates/px-backup/pxcentral-mongodb.yaml

@@ -66,6 +66,7 @@ spec:
         app.kubernetes.io/instance: {{.Release.Name }}
         app.kubernetes.io/managed-by: {{.Release.Service }}
         app.kubernetes.io/component: pxc-backup-mongodb
+{{- include "px-central.partOfLabel" . | nindent 8 }}
     spec:
       affinity:
         nodeAffinity:

charts/px-central/templates/px-backup/pxcentral-prometheus.yaml

@@ -133,6 +133,7 @@ spec:
     metadata:
       labels:
         k8s-app: prometheus-operator
+{{- include "px-central.partOfLabel" . | nindent 8 }}
       {{- if and (eq $azureProxyEnabled true) (not (has "prometheus-operator" .Values.proxy.excludeAzureProxyList)) }}
       annotations:
         kubernetes.azure.com/no-http-proxy-vars: "true"
@@ -287,6 +288,8 @@ kind: Prometheus
 metadata:
    name: px-backup-dashboard-prometheus
    namespace: {{ .Release.Namespace }}
+   labels:
+{{- include "px-central.partOfLabel" . | nindent 5 }}
 spec:
   affinity:
     nodeAffinity:
@@ -305,8 +308,8 @@ spec:
   additionalAlertManagerConfigs:
     key: am-configs.yaml
     name: pxc-backup-metrics
-  {{- if or $hasAzureAnnotation $hasIstioAnnotation }}
   podMetadata:
+    {{- if or $hasAzureAnnotation $hasIstioAnnotation }}
     annotations:
   {{- if $hasAzureAnnotation }}
       kubernetes.azure.com/no-http-proxy-vars: "true"
@@ -318,10 +321,15 @@ spec:
       sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]'
       traffic.sidecar.istio.io/includeOutboundIPRanges: ""
   {{- end}}
-  {{- end}}
+    {{- end }}
+    labels:
+{{- include "px-central.partOfLabel" . | nindent 6 }}
   {{- if .Values.persistentStorage.storageClassName }}
   storage:
     volumeClaimTemplate:
+      metadata:
+        labels:
+{{- include "px-central.partOfLabel" . | nindent 10 }}
       spec:
         storageClassName: {{ .Values.persistentStorage.storageClassName }}
         resources:
@@ -498,7 +506,7 @@ spec:
 
 ---
 # ServiceMonitor for px-backup's dedicated Prometheus dashboard
-# Only created when dedicated monitoring system is enabled
+# Created when dedicated monitoring system is enabled (deployDedicatedMonitoringSystem=true)
 # Includes metric drops to optimize for dashboard use
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
@@ -527,11 +535,11 @@ spec:
       sourceLabels:
       - __name__
     - action: drop
-      regex: (pxbackup_backup_duration_seconds|pxbackup_backup_resource_count|pxbackup_backup_schedule_status|pxbackup_backup_size_bytes|pxbackup_backup_volume_count|pxbackup_backuplocation_metrics|pxbackup_cloudcred_metrics|pxbackup_schedpolicy_metrics|pxbackup_restore_duration_seconds|pxbackup_restore_resource_count|pxbackup_restore_size_bytes|pxbackup_restore_volume_count|pxbackup_backup_object_info|pxbackup_backup_volume_info|pxbackup_virtual_machine_info|pxbackup_virtual_machine_resource_info)
+      regex: (pxbackup_backup_duration_seconds|pxbackup_backup_resource_count|pxbackup_backup_schedule_status|pxbackup_backup_size_bytes|pxbackup_backup_volume_count|pxbackup_backuplocation_metrics|pxbackup_cloudcred_metrics|pxbackup_schedpolicy_metrics|pxbackup_restore_duration_seconds|pxbackup_restore_resource_count|pxbackup_restore_size_bytes|pxbackup_restore_volume_count|pxbackup_backup_object_info|pxbackup_backup_volume_info|pxbackup_virtual_machine_info|pxbackup_virtual_machine_resource_info|pxbackup_namespace_resource_type_info|pxbackup_namespace_resource_info)
       sourceLabels:
       - __name__
     port: http-rest-api
-    {{- if and .Values.istio.enabled (eq $deployDedicatedMonitoringSystem true) }}
+    {{- if .Values.istio.enabled }}
     scheme: https
     tlsConfig:
       caFile: /etc/prom-certs/root-cert.pem
@@ -545,14 +553,66 @@ spec:
   selector:
     matchLabels:
       app: px-backup
+{{- else if eq $enableExternalMetricsScraping false }}
+---
+# ServiceMonitor for px-backup's dashboard Prometheus or external monitoring
+# Created when dedicated monitoring is disabled AND external scraping is disabled
+# This handles the case: deployDedicatedMonitoringSystem=false, enableExternalMetricsScraping=false
+# Allows external Prometheus to discover and scrape px-backup metrics
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: px-backup-dashboard-prometheus-sm
+  labels:
+    name: px-backup-dashboard-prometheus-sm
+    app.kubernetes.io/component: px-backup
+{{- include "px-central.labels" . | nindent 4 }}
+spec:
+  endpoints:
+  - metricRelabelings:
+    - action: labeldrop
+      regex: (instance|pod)
+    - action: drop
+      regex: process_.*
+      sourceLabels:
+      - __name__
+    - action: drop
+      regex: go_.*
+      sourceLabels:
+      - __name__
+    - action: drop
+      regex: grpc_.*
+      sourceLabels:
+      - __name__
+    - action: drop
+      regex: (pxbackup_backup_duration_seconds|pxbackup_backup_resource_count|pxbackup_backup_schedule_status|pxbackup_backup_size_bytes|pxbackup_backup_volume_count|pxbackup_backuplocation_metrics|pxbackup_cloudcred_metrics|pxbackup_schedpolicy_metrics|pxbackup_restore_duration_seconds|pxbackup_restore_resource_count|pxbackup_restore_size_bytes|pxbackup_restore_volume_count|pxbackup_backup_object_info|pxbackup_backup_volume_info|pxbackup_virtual_machine_info|pxbackup_virtual_machine_resource_info|pxbackup_namespace_resource_type_info|pxbackup_namespace_resource_info)
+      sourceLabels:
+      - __name__
+    port: http-rest-api
+    {{- if .Values.istio.enabled }}
+    scheme: https
+    tlsConfig:
+      caFile: /etc/istio-output-certs/root-cert.pem
+      certFile: /etc/istio-output-certs/cert-chain.pem
+      insecureSkipVerify: true
+      keyFile: /etc/istio-output-certs/key.pem
+    {{- end }}
+    targetPort: 10001
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      app: px-backup
 {{- end}}
 
-{{- if $enableExternalMetricsScraping }}
+{{- if eq $enableExternalMetricsScraping true }}
 ---
 # ServiceMonitor for external monitoring systems (e.g., central monitoring namespace)
 # Drops noisy metrics (process/go/grpc) and legacy pxbackup metrics
 # But KEEPS detailed metrics for comprehensive monitoring
 # External Prometheus should select this using label: prometheus=external-monitoring
+# Can coexist with px-backup-dashboard-prometheus-sm when both monitoring systems are enabled
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -610,6 +670,7 @@ kind: PrometheusRule
 metadata:
   labels:
     app: px-backup-alerts
+{{- include "px-central.partOfLabel" . | nindent 4 }}
   name: px-backup-dashboard-prometheus-rules
 spec:
   groups:

charts/px-central/templates/px-backup/service-mesh/pxcentral-istio.yaml

@@ -9,6 +9,8 @@ metadata:
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "0"
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 spec:
   selector:
     istio: ingressgateway
@@ -28,6 +30,8 @@ metadata:
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "0"
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 spec:
   mtls:
     mode: STRICT
@@ -40,6 +44,8 @@ metadata:
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "0"
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 spec:
   gateways:
   - pxcentral-gateway
@@ -61,6 +67,8 @@ kind: PeerAuthentication
 metadata:
   name: allow-external-prometheus-scrape
   namespace: {{ .Release.Namespace }}
+  labels:
+{{- include "px-central.partOfLabel" . | nindent 4 }}
 spec:
   selector:
     matchLabels: