[prometheus-node-exporter] Add optional initContainer for permission fixes

Signed-off-by: henrichter <hr.richterhenry@gmail.com>

Author: henrichter

charts/prometheus-node-exporter/Chart.yaml

@@ -6,7 +6,7 @@ keywords:
   - prometheus
   - exporter
 type: application
-version: 4.51.1
+version: 4.52.0
 # renovate: github=prometheus/node_exporter
 appVersion: 1.10.2
 home: https://github.com/prometheus/node_exporter/

charts/prometheus-node-exporter/templates/daemonset.yaml

@@ -38,9 +38,54 @@ spec:
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
-      {{- with .Values.extraInitContainers }}
+      {{- $fixes := .Values.permissionInitContainers.fixes -}}
+      {{- $fixesEnabled := or $fixes.rapl $fixes.slabinfo (not (empty .Values.permissionInitContainers.extraCommands)) -}}
+      {{- if or .Values.extraInitContainers $fixesEnabled }}
       initContainers:
-        {{- toYaml . | nindent 8 }}
+        {{- if .Values.extraInitContainers }}
+        {{- toYaml .Values.extraInitContainers | nindent 8 }}
+        {{- end }}
+        {{- if $fixesEnabled }}
+        - name: permission-fix
+          {{- if .Values.permissionInitContainers.image.sha }}
+          image: "{{ .Values.global.imageRegistry | default .Values.permissionInitContainers.image.registry}}/{{ .Values.permissionInitContainers.image.repository }}:{{ .Values.permissionInitContainers.image.tag }}@sha256:{{ .Values.permissionInitContainers.image.sha }}"
+          {{- else }}
+          image: "{{ .Values.global.imageRegistry | default .Values.permissionInitContainers.image.registry}}/{{ .Values.permissionInitContainers.image.repository }}:{{ .Values.permissionInitContainers.image.tag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.permissionInitContainers.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.permissionInitContainers.securityContext | nindent 12 }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              {{- if $fixes.rapl }}
+              powercap_path="/host/sys/devices/virtual/powercap"
+              if [ -d "$powercap_path" ]; then
+                find "$powercap_path" -name energy_uj -exec chown root:{{ .Values.securityContext.runAsGroup }} {} + -exec chmod g+r -R {} +
+              fi
+              {{- end }}
+              {{- if $fixes.slabinfo }}
+              slabinfo_path="/host/proc/slabinfo"
+              if [ -f "$slabinfo_path" ]; then
+                chown root:{{ .Values.securityContext.runAsGroup }} "$slabinfo_path" && chmod g+r "$slabinfo_path"
+              fi
+              {{- end }}
+              {{- range .Values.permissionInitContainers.extraCommands }}
+              {{ . }}
+              {{- end }}
+          volumeMounts:
+            {{- if $fixes.rapl }}
+            - name: sys
+              mountPath: /host/sys
+              readOnly: false
+            {{- end }}
+            {{- if $fixes.slabinfo }}
+            - name: proc
+              mountPath: /host/proc
+              readOnly: false
+            {{- end }}
+        {{- end }}
       {{- end }}
       serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }}
       {{- with .Values.terminationGracePeriodSeconds }}

charts/prometheus-node-exporter/values.yaml

@@ -543,6 +543,23 @@ sidecarHostVolumeMounts: []
 ##
 extraInitContainers: []
 
+permissionInitContainers:
+  image:
+    registry: quay.io
+    repository: prometheus/busybox
+    tag: latest
+    sha: ""
+    pullPolicy: IfNotPresent
+  securityContext:
+    privileged: true
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+  fixes:
+    rapl: false
+    slabinfo: false
+  extraCommands: []
+
 ## Liveness probe
 ##
 livenessProbe: