Remove rollout-operator from Helm chart

class/defaults.yml

@@ -27,9 +27,6 @@ parameters:
       nginx:
         registry: docker.io
         repository: nginxinc/nginx-unprivileged
-      rolloutOperator:
-        registry: docker.io
-        repository: grafana/rollout-operator
 
     preset: extra-small
 
@@ -53,8 +50,6 @@ parameters:
       # Backend
       compactor:
         enabled: true
-      rolloutOperator:
-        enabled: false
       # Ingress
       gateway:
         enabled: true

class/mimir.yml

@@ -43,6 +43,3 @@ parameters:
         - type: jsonnet
           filter: postprocess/patch-alerts.jsonnet
           path: ${_instance}/10_mimir_distributed/mimir-distributed/templates/metamonitoring
-        - type: jsonnet
-          filter: postprocess/fixup-securitycontext.jsonnet
-          path: ${_instance}/10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates

component/helm_values.jsonnet

@@ -5,6 +5,7 @@ local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.mimir;
 local isOpenshift = std.member([ 'openshift4', 'oke' ], inv.parameters.facts.distribution);
+local hasRolloutOperator = std.member(inv.applications, 'rollout-operator');
 
 local s3endpoint =
   if params.s3.endpoint != null then
@@ -19,7 +20,12 @@ local s3endpoint =
 // Global Params and Zone Aware Replication
 local globalConfig = params.global + com.makeMergeable({
   nodeSelector: std.get(params, 'globalNodeSelector', params.global.nodeSelector),
-  zoneAwareReplication: params.global.zoneAwareReplication,
+  zoneAwareReplication: params.global.zoneAwareReplication {
+    enabled: if params.global.zoneAwareReplication.enabled then
+      // Assert that zone aware replication is only enabled if rollout-operator is installed
+      if hasRolloutOperator then true else error 'rollout-operator must be installed for zone-aware replication'
+    else false,
+  },
 });
 
 local components = com.makeMergeable({
@@ -52,9 +58,6 @@ local components = com.makeMergeable({
   compactor: {
     nodeSelector: std.get(params.components.compactor, 'nodeSelector', globalConfig.nodeSelector),
   } + com.makeMergeable(params.components.compactor),
-  rollout_operator: {
-    nodeSelector: std.get(params.components.rolloutOperator, 'nodeSelector', globalConfig.nodeSelector),
-  } + com.makeMergeable(params.components.rolloutOperator),
   // Ingress Configuration
   gateway: {
     [if params.components.gateway.enabled then 'enabledNonEnterprise']: params.components.gateway.enabled,
@@ -102,6 +105,7 @@ local openshift = if isOpenshift then com.makeMergeable({
       runAsUser: null,
     },
   },
+  // even when we don't deploy the rollout-operator, we need to define the pod security context
   rollout_operator: {
     podSecurityContext: {
       fsGroup: null,
@@ -137,12 +141,6 @@ local images = com.makeMergeable({
       },
     },
   },
-  rollout_operator: {
-    image: {
-      repository: '%(registry)s/%(repository)s' % params.images.rolloutOperator,
-      [if std.objectHas(params.images.rolloutOperator, 'tag') then 'tag']: params.images.rolloutOperator.tag,
-    },
-  },
 });
 
 local global = com.makeMergeable({
@@ -156,9 +154,6 @@ local global = com.makeMergeable({
       bucketSecretVersion: '%s' % params.s3.auth.secretVersion,
     },
   },
-  minio: {
-    enabled: false,
-  },
   [if params.monitoring then 'metaMonitoring']: {
     serviceMonitor: {
       enabled: params.monitoring,
@@ -280,9 +275,28 @@ local ingress = com.makeMergeable({
   },
 });
 
+// hardcoded removal of rollout-operator
+local hardRestrictions = com.makeMergeable({
+  minio: {
+    enabled: false,
+  },
+  rollout_operator: {
+    enabled: false,
+  },
+  store_gateway: {
+    zoneAwareReplication: {
+      enabled: if hasRolloutOperator && params.global.zoneAwareReplication.enabled then true else false,
+    },
+  },
+  ingester: {
+    zoneAwareReplication: {
+      enabled: if hasRolloutOperator && params.global.zoneAwareReplication.enabled then true else false,
+    },
+  },
+});
 
 {
   ['%s-components' % inv.parameters._instance]: components + caches,
   ['%s-configs' % inv.parameters._instance]: openshift + images + global + mimir + ingress,
-  ['%s-overrides' % inv.parameters._instance]: params.helm_values,
+  ['%s-overrides' % inv.parameters._instance]: params.helm_values + hardRestrictions,
 }

component/main.jsonnet

@@ -36,6 +36,10 @@ local secrets = com.generateResources(
   } + com.makeMergeable(params.secrets),
   function(name) kube.Secret(name) {
     metadata+: {
+      labels+: {
+        'app.kubernetes.io/managed-by': 'commodore',
+        'app.kubernetes.io/name': name,
+      },
       namespace: params.namespace.name,
     },
   }
@@ -45,14 +49,24 @@ local secrets = com.generateResources(
 // Define outputs below
 {
   [if params.namespace.create then '00_namespace']: kube.Namespace(params.namespace.name) {
-    metadata+: com.makeMergeable(params.namespace.metadata),
+    metadata+: {
+      labels+: {
+        'app.kubernetes.io/managed-by': 'commodore',
+        'app.kubernetes.io/name': params.namespace,
+        [if params.global.zoneAwareReplication.enabled then 'rollout-operator.syn.tools/allow']: '',
+      },
+    } + com.makeMergeable(params.namespace.metadata),
   },
   '01_secrets': secrets,
   // Empty file to make sure the directory is created. Later used in patching alerts.
   '10_mimir_distributed/mimir-distributed/templates/metamonitoring/.keep': {},
 
   '20_prometheus_rule': prom.generateRules('mimir-custom', { 'mimir-custom.rules': params.alerts.additionalRules }) {
     metadata+: {
+      labels+: {
+        'app.kubernetes.io/managed-by': 'commodore',
+        'app.kubernetes.io/name': 'mimir-custom',
+      },
       namespace: params.namespace.name,
     },
   },

docs/modules/ROOT/pages/references/parameters.adoc

@@ -74,9 +74,6 @@ images:
   nginx:
     registry: docker.io
     repository: nginxinc/nginx-unprivileged
-  rolloutOperator:
-    registry: docker.io
-    repository: grafana/rollout-operator
 ----
 example::
 +
@@ -92,8 +89,6 @@ images:
     tag: latest
   nginx:
     tag: latest
-  rolloutOperator:
-    tag: latest
 ----
 
 Configures the image registry, repository and tag.
@@ -192,7 +187,6 @@ default::
 components:
   storeGateway:
     enabled: true
-    storage: {}
 ----
 
 The store-gateway component, which is stateful, queries blocks from long-term storage.
@@ -226,14 +220,29 @@ default::
 components:
   ingester:
     enabled: true
-    storage: {}
 ----
 
 The ingester is a stateful component that processes the most recently ingested samples and makes them available for querying.
 Queriers read recent data from ingesters and older data from long-term object storage via store-gateways.
 
+=== `components.kafka`
 
-=== `components.compactor`
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+components:
+  kafka:
+    enabled: false
+----
+
+Grafana Mimir supports using Kafka as the first layer of ingestion in the ingest storage architecture.
+This configuration allows for scalable, decoupled ingestion that separates write and read paths to improve performance and resilience.
+
+
+=== `components.gateway`
 
 [horizontal]
 type:: dict
@@ -242,17 +251,14 @@ default::
 [source,yaml]
 ----
 components:
-  compactor:
+  gateway:
     enabled: true
 ----
 
-The compactor increases query performance and reduces long-term storage usage by combining blocks.
-
-Compacting multiple blocks of a given tenant into a single, optimized larger block.
-This deduplicates chunks and reduces the size of the index, resulting in reduced storage costs.
-Querying fewer blocks is faster, so it also increases query speed.
+The Mimir unified gateway is a critical component for query, write, and alert paths.
+It improves performance and simplifies deployments by acting as a single entry point for all Mimir requests.
 
-=== `components.rolloutOperator`
+=== `components.compactor`
 
 [horizontal]
 type:: dict
@@ -261,10 +267,16 @@ default::
 [source,yaml]
 ----
 components:
-  rolloutOperator:
+  compactor:
     enabled: true
 ----
 
+The compactor increases query performance and reduces long-term storage usage by combining blocks.
+
+Compacting multiple blocks of a given tenant into a single, optimized larger block.
+This deduplicates chunks and reduces the size of the index, resulting in reduced storage costs.
+Querying fewer blocks is faster, so it also increases query speed.
+
 
 === `components.alertmanager`
 
@@ -277,13 +289,8 @@ default::
 components:
   alertmanager:
     enabled: true
-      overridesExporter:
-        enabled: true
-      ruler:
-        enabled: true
 ----
 
-The Mimir Alertmanager adds multi-tenancy support and horizontal scalability to the Prometheus Alertmanager.
 The Mimir Alertmanager is an optional component that accepts alert notifications from the Mimir ruler.
 
 === `components.overridesExporter`
@@ -828,7 +835,7 @@ secrets:
       .htpasswd: "?{vaultkv:${cluster:tenant}/${cluster:name}/example-mimir/htpasswd}"
 
 helm_values:
-  nginx:
+  gateway:
     basicAuth:
       enabled: true
       existingSecret: mimir-nginx-htpasswd

tests/extra-config.yml

@@ -1,4 +1,7 @@
 # Overwrite parameters here
+applications:
+  - rollout-operator
+
 parameters:
   kapitan:
     dependencies:
@@ -23,8 +26,6 @@ parameters:
         tag: latest
       nginx:
         tag: latest
-      rolloutOperator:
-        tag: latest
 
     preset: small
     components:
@@ -52,8 +53,6 @@ parameters:
           nameOverride: mimir-nginx
       kafka:
         enabled: true
-      rolloutOperator:
-        enabled: true
 
     caches:
       results:
@@ -78,7 +77,6 @@ parameters:
         appuio.io/node-class: plus
       zoneAwareReplication:
         enabled: true
-      nginxResolverOverride: '172.30.0.10'
 
     config:
       tenantFederation: true

tests/golden/defaults/defaults/defaults/00_namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name:
+      create: true
+      metadata: {}
+      name: defaults
     name: defaults
   name: defaults

tests/golden/defaults/defaults/defaults/01_secrets.yaml

@@ -4,6 +4,8 @@ kind: Secret
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: defaults-bucket-secret
     name: defaults-bucket-secret
   name: defaults-bucket-secret
   namespace: defaults

tests/golden/defaults/defaults/defaults/20_prometheus_rule.yaml

@@ -2,6 +2,8 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: mimir-custom
     name: mimir-custom
   name: mimir-custom
   namespace: defaults

tests/golden/extra-config/extra-config/extra-config/00_namespace.yaml

@@ -3,5 +3,11 @@ kind: Namespace
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name:
+      create: true
+      metadata: {}
+      name: extra-config
     name: extra-config
+    rollout-operator.syn.tools/allow: ''
   name: extra-config

tests/golden/extra-config/extra-config/extra-config/01_secrets.yaml

@@ -4,6 +4,8 @@ kind: Secret
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: extra-config-bucket-secret
     name: extra-config-bucket-secret
   name: extra-config-bucket-secret
   namespace: extra-config
@@ -18,6 +20,8 @@ kind: Secret
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: extra-config-nginx-htpasswd
     name: extra-config-nginx-htpasswd
   name: extra-config-nginx-htpasswd
   namespace: extra-config
@@ -31,6 +35,8 @@ kind: Secret
 metadata:
   annotations: {}
   labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: metrics-receive-example-com-tls
     name: metrics-receive-example-com-tls
   name: metrics-receive-example-com-tls
   namespace: extra-config