fix: seed observability dependencies

2026-04-26 10:32:25 +00:00
parent daf6ccd0e4
commit 499a3462e7
330 changed files with 97287 additions and 19 deletions
@@ -0,0 +1,7 @@
+{{/* Generate basic labels for prometheus-operator */}}
+{{- define "kube-prometheus-stack.prometheus-operator.labels" }}
+{{- include "kube-prometheus-stack.labels" . }}
+app: {{ template "kube-prometheus-stack.name" . }}-operator
+app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+app.kubernetes.io/component: prometheus-operator
+{{- end }}
@@ -0,0 +1,13 @@
+{{/* Generate basic labels for prometheus-operator-webhook */}}
+{{- define "kube-prometheus-stack.prometheus-operator-webhook.labels" }}
+{{- include "kube-prometheus-stack.labels" . }}
+app.kubernetes.io/name: {{ template "kube-prometheus-stack.name" . }}-prometheus-operator
+app.kubernetes.io/component: prometheus-operator-webhook
+{{- end }}
+
+{{- define "kube-prometheus-stack.prometheus-operator-webhook.annotations" }}
+{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
+certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
+cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (include "kube-prometheus-stack.namespace" .) (include "kube-prometheus-stack.fullname" .) | quote }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,143 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.labels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.prometheusOperator.admissionWebhooks.deployment.replicas }}
+  revisionHistoryLimit: {{ .Values.prometheusOperator.admissionWebhooks.deployment.revisionHistoryLimit }}
+  {{- with .Values.prometheusOperator.admissionWebhooks.deployment.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+      release: {{ $.Release.Name | quote }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 8 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podLabels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podLabels | indent 8 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations }}
+      annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+    {{- if .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }}
+      priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.deployment.priorityClassName }}
+    {{- end }}
+    {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+      {{- include "kube-prometheus-stack.imagePullSecrets" . | indent 8 }}
+    {{- end }}
+      containers:
+        - name: prometheus-operator-admission-webhook
+          {{- $operatorRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.deployment.image.registry -}}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.sha }}"
+          {{- else }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.tag | default .Chart.AppVersion }}"
+          {{- end }}
+          imagePullPolicy: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.image.pullPolicy }}"
+          args:
+            {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }}
+            - --log-format={{ .Values.prometheusOperator.admissionWebhooks.deployment.logFormat }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.admissionWebhooks.deployment.logLevel }}
+            - --log-level={{ .Values.prometheusOperator.admissionWebhooks.deployment.logLevel }}
+            {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+            - "--web.enable-tls=true"
+            - "--web.cert-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.crt{{ else }}cert{{ end }}"
+            - "--web.key-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.key{{ else }}key{{ end }}"
+            - "--web.listen-address=:{{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }}"
+            - "--web.tls-min-version={{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.tlsMinVersion }}"
+          ports:
+            - containerPort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.internalPort }}
+              name: https
+          {{- else }}
+          ports:
+            - containerPort: 8080
+              name: http
+          {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.readinessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.admissionWebhooks.deployment.livenessProbe.failureThreshold }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.resources | indent 12 }}
+          securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.containerSecurityContext | indent 12 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+          volumeMounts:
+            - name: tls-secret
+              mountPath: /cert
+              readOnly: true
+      volumes:
+        - name: tls-secret
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+{{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.dnsConfig }}
+      dnsConfig:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.securityContext }}
+      securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.securityContext | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}-webhook
+      automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.automountServiceAccountToken }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.deployment.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- end }}
@@ -0,0 +1,15 @@
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget -}}
+apiVersion: {{ include "kube-prometheus-stack.pdb.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+      release: {{ $.Release.Name | quote }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget | indent 2 }}
+{{- end }}
@@ -0,0 +1,62 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-webhook
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.labels }}
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }}
+  clusterIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.clusterIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.ipDualStack.enabled }}
+  ipFamilies: {{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.ipDualStack.ipFamilies | nindent 4 }}
+  ipFamilyPolicy: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.ipDualStack.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs }}
+  externalIPs:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.deployment.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range $cidr := .Values.prometheusOperator.admissionWebhooks.deployment.service.loadBalancerSourceRanges }}
+    - {{ $cidr }}
+  {{- end }}
+{{- end }}
+{{- if ne .Values.prometheusOperator.admissionWebhooks.deployment.service.type "ClusterIP" }}
+  externalTrafficPolicy: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.externalTrafficPolicy }}
+{{- end }}
+  ports:
+  {{- if not .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+  - name: http
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort" }}
+    nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePort }}
+    {{- end }}
+    port: 8080
+    targetPort: http
+  {{- end }}
+  {{- if .Values.prometheusOperator.admissionWebhooks.deployment.tls.enabled }}
+  - name: https
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.deployment.service.type "NodePort"}}
+    nodePort: {{ .Values.prometheusOperator.admissionWebhooks.deployment.service.nodePortTls }}
+    {{- end }}
+    port: 443
+    targetPort: https
+  {{- end }}
+  selector:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator-webhook
+    release: {{ $.Release.Name | quote }}
+  type: "{{ .Values.prometheusOperator.admissionWebhooks.deployment.service.type }}"
+{{- end }}
@@ -0,0 +1,18 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.admissionWebhooks.serviceAccountName" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | indent 4 }}
+  {{- with .Values.prometheusOperator.admissionWebhooks.deployment.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,36 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    helm.sh/hook-weight: "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- else }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
+      {{- end }}
+  egress:
+    {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+    {{- else }}
+    - toEntities:
+      - kube-apiserver
+    {{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,36 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    helm.sh/hook-weight: "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- else }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
+      {{- end }}
+  egress:
+    {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+    {{- else }}
+    - toEntities:
+      - kube-apiserver
+    {{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,33 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.global.rbac.pspEnabled }}
+{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
+{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }}
+  - apiGroups: ['policy']
+{{- else }}
+  - apiGroups: ['extensions']
+{{- end }}
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - {{ template "kube-prometheus-stack.fullname" . }}-admission
+{{- end }}
+{{- end }}
@@ -0,0 +1,20 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+    namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- end }}
@@ -0,0 +1,70 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.prometheusOperator.admissionWebhooks.patch.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+{{- with .Values.prometheusOperator.admissionWebhooks.patch.podAnnotations }}
+      annotations:
+{{ toYaml .  | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 8 }}
+    spec:
+      {{- if .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
+      priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: create
+          {{- $registry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.patch.image.registry -}}
+          {{- if .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
+          image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
+          {{- else }}
+          image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
+          args:
+            - create
+            - --host={{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | replace "\n" "," }}
+            - --namespace={{ template "kube-prometheus-stack.namespace" . }}
+            - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
+          {{- with .Values.prometheusOperator.admissionWebhooks.createSecretJob }}
+          securityContext:
+          {{ toYaml .securityContext | nindent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.resources | indent 12 }}
+      restartPolicy: OnFailure
+      serviceAccountName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
+      securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,71 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.prometheusOperator.admissionWebhooks.patch.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+{{- with .Values.prometheusOperator.admissionWebhooks.patch.podAnnotations }}
+      annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+        {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 8 }}
+    spec:
+      {{- if .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
+      priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: patch
+          {{- $registry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.patch.image.registry -}}
+          {{- if .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
+          image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
+          {{- else }}
+          image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ template "kube-prometheus-stack.fullname" . }}-admission
+            - --namespace={{ template "kube-prometheus-stack.namespace" . }}
+            - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
+            - --patch-failure-policy={{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }}
+          {{- with .Values.prometheusOperator.admissionWebhooks.patchWebhookJob }}
+          securityContext:
+          {{ toYaml .securityContext | nindent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.resources | indent 12 }}
+      restartPolicy: OnFailure
+      serviceAccountName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.prometheusOperator.admissionWebhooks.patch.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
+      securityContext:
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,33 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    "helm.sh/hook-weight": "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- else }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
+      {{- end }}
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+{{- end }}
+{{- end }}
@@ -0,0 +1,33 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    ## Ensure this is run before the job
+    "helm.sh/hook-weight": "-5"
+    {{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- else }}
+      {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 6 }}
+      {{- end }}
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+{{- end }}
+{{- end }}
@@ -0,0 +1,47 @@
+{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if .Values.global.rbac.pspAnnotations }}
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Permits the container to run with root privileges as well.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Allow adding the root group.
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Allow adding the root group.
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+    namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.prometheusOperator.admissionWebhooks.patch.serviceAccount.create (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+  {{- with .Values.prometheusOperator.admissionWebhooks.patch.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.prometheusOperator.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,81 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  annotations:
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.annotations" $ | trim |nindent 4 }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.mutatingWebhookConfiguration.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+webhooks:
+  - name: prometheusrulemutate.monitoring.coreos.com
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.failurePolicy "IgnoreOnInstallOnly" }}
+    failurePolicy: {{ .Release.IsInstall | ternary "Ignore" "Fail" }}
+    {{- else if .Values.prometheusOperator.admissionWebhooks.failurePolicy  }}
+    failurePolicy: {{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }}
+    {{- else if .Values.prometheusOperator.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    rules:
+      - apiGroups:
+          - monitoring.coreos.com
+        apiVersions:
+          - "*"
+        resources:
+          - prometheusrules
+        operations:
+          - CREATE
+          - UPDATE
+    clientConfig:
+      service:
+        namespace: {{ template "kube-prometheus-stack.namespace" . }}
+        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}
+        path: /admission-prometheusrules/mutate
+      {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+      caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
+      {{- end }}
+    timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
+    namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
+      matchExpressions:
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
+        {{- toYaml . | nindent 6 }}
+        {{- end }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
+        - {{ $namespace }}
+        {{- end }}
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
+        {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
+        - {{ $namespace }}
+        {{- end }}
+        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
+        - {{ $namespace }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.objectSelector }}
+    objectSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+{{- end }}
@@ -0,0 +1,81 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
+  annotations:
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.annotations" $ | trim | nindent 4 }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.validatingWebhookConfiguration.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" $ }}-admission
+    {{- include "kube-prometheus-stack.prometheus-operator-webhook.labels" $ | nindent 4 }}
+webhooks:
+  - name: prometheusrulemutate.monitoring.coreos.com
+    {{- if eq .Values.prometheusOperator.admissionWebhooks.failurePolicy "IgnoreOnInstallOnly" }}
+    failurePolicy: {{ .Release.IsInstall | ternary "Ignore" "Fail" }}
+    {{- else if .Values.prometheusOperator.admissionWebhooks.failurePolicy  }}
+    failurePolicy: {{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }}
+    {{- else if .Values.prometheusOperator.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    rules:
+      - apiGroups:
+          - monitoring.coreos.com
+        apiVersions:
+          - "*"
+        resources:
+          - prometheusrules
+        operations:
+          - CREATE
+          - UPDATE
+    clientConfig:
+      service:
+        namespace: {{ template "kube-prometheus-stack.namespace" . }}
+        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}{{ if .Values.prometheusOperator.admissionWebhooks.deployment.enabled }}-webhook{{ end }}
+        path: /admission-prometheusrules/validate
+      {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+      caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
+      {{- end }}
+    timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector }}
+    namespaceSelector:
+      {{- with (omit .Values.prometheusOperator.admissionWebhooks.namespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- if or .Values.prometheusOperator.denyNamespaces .Values.prometheusOperator.namespaces .Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions }}
+      matchExpressions:
+        {{- with (.Values.prometheusOperator.admissionWebhooks.namespaceSelector.matchExpressions) }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.prometheusOperator.denyNamespaces }}
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+        {{- range $namespace := mustUniq .Values.prometheusOperator.denyNamespaces }}
+            - {{ $namespace }}
+        {{- end }}
+        {{- else if and .Values.prometheusOperator.namespaces .Values.prometheusOperator.namespaces.additional }}
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
+        {{- if and .Values.prometheusOperator.namespaces.releaseNamespace (default .Values.prometheusOperator.namespaces.releaseNamespace true) }}
+        {{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
+            - {{ $namespace }}
+        {{- end }}
+        {{- range $namespace := mustUniq .Values.prometheusOperator.namespaces.additional }}
+            - {{ $namespace }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.admissionWebhooks.objectSelector }}
+    objectSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+{{- end }}
@@ -0,0 +1,29 @@
+{{/* This file is based on https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/rbac-crd.md */}}
+{{- if and .Values.global.rbac.create .Values.global.rbac.createAggregateClusterRoles }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus-crd-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["monitoring.coreos.com"]
+  resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors",  "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"]
+  verbs: ["get", "list", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus-crd-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["monitoring.coreos.com"]
+  resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors",  "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
@@ -0,0 +1,55 @@
+{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}}
+{{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}}
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+spec:
+  selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+spec:
+  secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
+  duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
+  issuerRef:
+    name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
+  commonName: "ca.webhook.kube-prometheus-stack"
+  isCA: true
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+spec:
+  ca:
+    secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
+{{- end }}
+---
+# generate a server certificate for the apiservices to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+spec:
+  secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+  duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
+  issuerRef:
+    {{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
+    {{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}
+    {{- else }}
+    name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
+    {{- end }}
+  dnsNames:
+    {{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
+{{- end -}}
@@ -0,0 +1,40 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "cilium") }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- else }}
+      {{- include "kube-prometheus-stack.prometheus-operator.labels" $ | nindent 6 }}
+      {{- end }}
+  egress:
+    {{- if and .Values.prometheusOperator.networkPolicy.cilium .Values.prometheusOperator.networkPolicy.cilium.egress }}
+    {{ toYaml .Values.prometheusOperator.networkPolicy.cilium.egress | nindent 6 }}
+    {{- else }}
+  - toEntities:
+    - kube-apiserver
+  {{- end }}
+  ingress:
+  - toPorts:
+    - ports:
+      {{- if .Values.prometheusOperator.tls.enabled }}
+      - port: {{ .Values.prometheusOperator.tls.internalPort | quote }}
+      {{- else }}
+      - port: "8080"
+      {{- end }}
+        protocol: "TCP"
+      {{- if not .Values.prometheusOperator.tls.enabled }}
+      rules:
+        http:
+        - method: "GET"
+          path: "/metrics"
+      {{- end }}
+{{- end }}
@@ -0,0 +1,112 @@
+{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - alertmanagers/finalizers
+  - alertmanagers/status
+  - alertmanagerconfigs
+  - prometheuses
+  - prometheuses/finalizers
+  - prometheuses/status
+  - prometheusagents
+  - prometheusagents/finalizers
+  - prometheusagents/status
+  - thanosrulers
+  - thanosrulers/finalizers
+  - thanosrulers/status
+  - scrapeconfigs
+  - servicemonitors
+  - podmonitors
+  - probes
+  - prometheusrules
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - services/finalizers
+  - endpoints
+  verbs:
+  - get
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - patch
+  - create
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+{{- if .Capabilities.APIVersions.Has "discovery.k8s.io/v1/EndpointSlice" }}
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+  - update
+  - delete
+{{- end }}
+{{- end }}
@@ -0,0 +1,16 @@
+{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- end }}
@@ -0,0 +1,241 @@
+{{- $namespace := printf "%s" (include "kube-prometheus-stack.namespace" .) }}
+{{- $defaultKubeletSvcName := printf "%s-kubelet" (include "kube-prometheus-stack.fullname" .) }}
+{{- if .Values.prometheusOperator.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.labels }}
+{{ toYaml .Values.prometheusOperator.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: {{ .Values.prometheusOperator.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
+      release: {{ $.Release.Name | quote }}
+  {{- with .Values.prometheusOperator.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 8 }}
+{{- if .Values.prometheusOperator.podLabels }}
+{{ toYaml .Values.prometheusOperator.podLabels | indent 8 }}
+{{- end }}
+{{- if .Values.prometheusOperator.podAnnotations }}
+      annotations:
+{{ toYaml .Values.prometheusOperator.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+    {{- if .Values.prometheusOperator.priorityClassName }}
+      priorityClassName: {{ .Values.prometheusOperator.priorityClassName }}
+    {{- end }}
+    {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+      {{- include "kube-prometheus-stack.imagePullSecrets" . | indent 8 }}
+    {{- end }}
+      containers:
+        - name: {{ template "kube-prometheus-stack.name" . }}
+          {{- $configReloaderRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.prometheusConfigReloader.image.registry -}}
+          {{- $operatorRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.image.registry -}}
+          {{- $thanosRegistry := .Values.global.imageRegistry | default .Values.prometheusOperator.thanosImage.registry -}}
+          {{- if .Values.prometheusOperator.image.sha }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.prometheusOperator.image.sha }}"
+          {{- else }}
+          image: "{{ $operatorRegistry }}/{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag | default .Chart.AppVersion }}"
+          {{- end }}
+          imagePullPolicy: "{{ .Values.prometheusOperator.image.pullPolicy }}"
+          args:
+            {{- if .Values.prometheusOperator.kubeletService.enabled }}
+            - --kubelet-service={{ .Values.prometheusOperator.kubeletService.namespace }}/{{ default $defaultKubeletSvcName .Values.prometheusOperator.kubeletService.name  }}
+            {{- if .Values.prometheusOperator.kubeletService.selector }}
+            - --kubelet-selector={{ .Values.prometheusOperator.kubeletService.selector }}
+            {{- end }}
+            {{- end }}
+            - --kubelet-endpoints={{ .Values.prometheusOperator.kubeletEndpointsEnabled }}
+            - --kubelet-endpointslice={{ .Values.prometheusOperator.kubeletEndpointSliceEnabled }}
+            {{- if .Values.prometheusOperator.logFormat }}
+            - --log-format={{ .Values.prometheusOperator.logFormat }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.logLevel }}
+            - --log-level={{ .Values.prometheusOperator.logLevel }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.denyNamespaces }}
+            - --deny-namespaces={{ tpl (.Values.prometheusOperator.denyNamespaces | join ",") $ }}
+            {{- end }}
+            {{- with $.Values.prometheusOperator.namespaces }}
+            {{- $namespaces := list }}
+            {{- if .releaseNamespace }}
+            {{- $namespaces = append $namespaces $namespace }}
+            {{- end }}
+            {{- if .additional }}
+            {{- range $ns := .additional }}
+            {{- $namespaces = append $namespaces (tpl $ns $) }}
+            {{- end }}
+            {{- end }}
+            - --namespaces={{ $namespaces | mustUniq | join "," }}
+            {{- end }}
+            - --localhost=127.0.0.1
+            {{- if .Values.prometheusOperator.prometheusDefaultBaseImage }}
+            - --prometheus-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.prometheusDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.prometheusDefaultBaseImage }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.alertmanagerDefaultBaseImage }}
+            - --alertmanager-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.alertmanagerDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.alertmanagerDefaultBaseImage }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.prometheusConfigReloader.image.sha }}
+            - --prometheus-config-reloader={{ $configReloaderRegistry }}/{{ .Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.prometheusOperator.prometheusConfigReloader.image.sha }}
+            {{- else }}
+            - --prometheus-config-reloader={{ $configReloaderRegistry }}/{{ .Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag | default .Chart.AppVersion }}
+            {{- end }}
+            - --config-reloader-cpu-request={{ (((.Values.prometheusOperator.prometheusConfigReloader.resources).requests).cpu) | default 0 }}
+            - --config-reloader-cpu-limit={{ (((.Values.prometheusOperator.prometheusConfigReloader.resources).limits).cpu) | default 0 }}
+            - --config-reloader-memory-request={{ (((.Values.prometheusOperator.prometheusConfigReloader.resources).requests).memory) | default 0 }}
+            - --config-reloader-memory-limit={{ (((.Values.prometheusOperator.prometheusConfigReloader.resources).limits).memory) | default 0 }}
+            {{- if .Values.prometheusOperator.prometheusConfigReloader.enableProbe }}
+            - --enable-config-reloader-probes=true
+            {{- end }}
+            {{- if .Values.prometheusOperator.alertmanagerInstanceNamespaces }}
+            - --alertmanager-instance-namespaces={{ .Values.prometheusOperator.alertmanagerInstanceNamespaces | join "," }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.alertmanagerInstanceSelector }}
+            - --alertmanager-instance-selector={{ .Values.prometheusOperator.alertmanagerInstanceSelector }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.alertmanagerConfigNamespaces }}
+            - --alertmanager-config-namespaces={{ .Values.prometheusOperator.alertmanagerConfigNamespaces | join "," }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.prometheusInstanceNamespaces }}
+            - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.prometheusInstanceSelector }}
+            - --prometheus-instance-selector={{ .Values.prometheusOperator.prometheusInstanceSelector }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.thanosImage.sha }}
+            - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }}
+            {{- else }}
+            - --thanos-default-base-image={{ $thanosRegistry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }}
+            - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.thanosRulerInstanceSelector }}
+            - --thanos-ruler-instance-selector={{ .Values.prometheusOperator.thanosRulerInstanceSelector }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.secretFieldSelector }}
+            - --secret-field-selector={{ tpl (.Values.prometheusOperator.secretFieldSelector) $ }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.clusterDomain }}
+            - --cluster-domain={{ .Values.prometheusOperator.clusterDomain }}
+            {{- end }}
+            {{- if .Values.prometheusOperator.tls.enabled }}
+            - --web.enable-tls=true
+            - --web.cert-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.crt{{ else }}cert{{ end }}
+            - --web.key-file=/cert/{{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}tls.key{{ else }}key{{ end }}
+            - --web.listen-address=:{{ .Values.prometheusOperator.tls.internalPort }}
+            - --web.tls-min-version={{ .Values.prometheusOperator.tls.tlsMinVersion }}
+            {{- with .Values.prometheusOperator.extraArgs }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
+          {{- with .Values.prometheusOperator.lifecycle }}
+          lifecycle: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.prometheusOperator.tls.internalPort }}
+              name: https
+          {{- else }}
+          ports:
+            - containerPort: 8080
+              name: http
+          {{- end }}
+          env:
+          {{- range $key, $value := .Values.prometheusOperator.env }}
+          - name: {{ $key }}
+            value: {{ $value | quote }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.prometheusOperator.resources | indent 12 }}
+          securityContext:
+{{ toYaml .Values.prometheusOperator.containerSecurityContext | indent 12 }}
+          volumeMounts:
+          {{- if .Values.prometheusOperator.tls.enabled }}
+            - name: tls-secret
+              mountPath: /cert
+              readOnly: true
+          {{- end }}
+          {{- with .Values.prometheusOperator.extraVolumeMounts }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.prometheusOperator.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.readinessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.prometheusOperator.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.prometheusOperator.tls.enabled | ternary "https" "http" }}
+              scheme: {{ .Values.prometheusOperator.tls.enabled | ternary "HTTPS" "HTTP" }}
+            initialDelaySeconds: {{ .Values.prometheusOperator.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.prometheusOperator.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.prometheusOperator.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.prometheusOperator.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.prometheusOperator.livenessProbe.failureThreshold }}
+          {{- end }}
+      volumes:
+        {{- if .Values.prometheusOperator.tls.enabled }}
+        - name: tls-secret
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
+        {{- end }}
+        {{- with .Values.prometheusOperator.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    {{- with .Values.prometheusOperator.dnsConfig }}
+      dnsConfig:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- if .Values.prometheusOperator.securityContext }}
+      securityContext:
+{{ toYaml .Values.prometheusOperator.securityContext | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.prometheusOperator.automountServiceAccountToken }}
+{{- if .Values.prometheusOperator.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+    {{- with .Values.prometheusOperator.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+    {{- end }}
+    {{- with .Values.prometheusOperator.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- end }}
@@ -0,0 +1,29 @@
+{{- if and .Values.prometheusOperator.networkPolicy.enabled (eq .Values.prometheusOperator.networkPolicy.flavor "kubernetes") }}
+apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+spec:
+  egress:
+    - {}
+  ingress:
+    - ports:
+      {{- if .Values.prometheusOperator.tls.enabled }}
+      - port: {{ .Values.prometheusOperator.tls.internalPort }}
+      {{- else }}
+      - port: 8080
+      {{- end }}
+  policyTypes:
+    - Egress
+    - Ingress
+  podSelector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
+      release: {{ $.Release.Name | quote }}
+      {{- if .Values.prometheusOperator.networkPolicy.matchLabels }}
+      {{ toYaml .Values.prometheusOperator.networkPolicy.matchLabels | nindent 6 }}
+      {{- end }}
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+rules:
+{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
+{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }}
+- apiGroups: ['policy']
+{{- else }}
+- apiGroups: ['extensions']
+{{- end }}
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "kube-prometheus-stack.operator.fullname" . }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,18 @@
+{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+    namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,46 @@
+{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+{{- if .Values.global.rbac.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: {{ .Values.prometheusOperator.hostNetwork }}
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Permits the container to run with root privileges as well.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Allow adding the root group.
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Allow adding the root group.
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}
@@ -0,0 +1,61 @@
+{{- if .Values.prometheusOperator.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+{{- if .Values.prometheusOperator.service.labels }}
+{{ toYaml .Values.prometheusOperator.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.service.annotations }}
+  annotations:
+{{ toYaml .Values.prometheusOperator.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.prometheusOperator.service.clusterIP }}
+  clusterIP: {{ .Values.prometheusOperator.service.clusterIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.service.ipDualStack.enabled }}
+  ipFamilies: {{ toYaml .Values.prometheusOperator.service.ipDualStack.ipFamilies | nindent 4 }}
+  ipFamilyPolicy: {{ .Values.prometheusOperator.service.ipDualStack.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.prometheusOperator.service.externalIPs }}
+  externalIPs:
+{{ toYaml .Values.prometheusOperator.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.prometheusOperator.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.prometheusOperator.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.prometheusOperator.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range $cidr := .Values.prometheusOperator.service.loadBalancerSourceRanges }}
+    - {{ $cidr }}
+  {{- end }}
+{{- end }}
+{{- if ne .Values.prometheusOperator.service.type "ClusterIP" }}
+  externalTrafficPolicy: {{ .Values.prometheusOperator.service.externalTrafficPolicy }}
+{{- end }}
+  ports:
+  {{- if not .Values.prometheusOperator.tls.enabled }}
+  - name: http
+    {{- if eq .Values.prometheusOperator.service.type "NodePort" }}
+    nodePort: {{ .Values.prometheusOperator.service.nodePort }}
+    {{- end }}
+    port: 8080
+    targetPort: http
+  {{- end }}
+  {{- if .Values.prometheusOperator.tls.enabled }}
+  - name: https
+    {{- if eq .Values.prometheusOperator.service.type "NodePort"}}
+    nodePort: {{ .Values.prometheusOperator.service.nodePortTls }}
+    {{- end }}
+    port: 443
+    targetPort: https
+  {{- end }}
+  selector:
+    app: {{ template "kube-prometheus-stack.name" . }}-operator
+    release: {{ $.Release.Name | quote }}
+  type: "{{ .Values.prometheusOperator.service.type }}"
+{{- end }}
@@ -0,0 +1,17 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+  {{- with .Values.prometheusOperator.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.prometheusOperator.serviceAccount.automountServiceAccountToken }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ include "kube-prometheus-stack.imagePullSecrets" . | trim | indent 2 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,47 @@
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.serviceMonitor.selfMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+{{- with .Values.prometheusOperator.serviceMonitor.additionalLabels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  {{- include "servicemonitor.scrapeLimits" .Values.prometheusOperator.serviceMonitor | nindent 2 }}
+  endpoints:
+  {{- if .Values.prometheusOperator.tls.enabled }}
+  - port: https
+    scheme: https
+    tlsConfig:
+      serverName: {{ template "kube-prometheus-stack.operator.fullname" . }}
+      ca:
+        secret:
+          name: {{ template "kube-prometheus-stack.fullname" . }}-admission
+          key: {{ if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}ca.crt{{ else }}ca{{ end }}
+          optional: false
+  {{- else }}
+  - port: http
+  {{- end }}
+    honorLabels: true
+    {{- if .Values.prometheusOperator.serviceMonitor.interval }}
+    interval: {{ .Values.prometheusOperator.serviceMonitor.interval }}
+    {{- end }}
+{{- if .Values.prometheusOperator.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+{{ tpl (toYaml .Values.prometheusOperator.serviceMonitor.metricRelabelings | indent 6) . }}
+{{- end }}
+{{- if .Values.prometheusOperator.serviceMonitor.relabelings }}
+    relabelings:
+{{ toYaml .Values.prometheusOperator.serviceMonitor.relabelings | indent 6 }}
+{{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "kube-prometheus-stack.name" . }}-operator
+      release: {{ $.Release.Name | quote }}
+  namespaceSelector:
+    matchNames:
+      - {{ printf "%s" (include "kube-prometheus-stack.namespace" .) | quote }}
+{{- end }}
@@ -0,0 +1,40 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.prometheusOperator.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+spec:
+  {{- with .Values.prometheusOperator.verticalPodAutoscaler.recommenders }}
+  recommenders:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  resourcePolicy:
+    containerPolicies:
+    - containerName: {{ template "kube-prometheus-stack.name" . }}
+      {{- with .Values.prometheusOperator.verticalPodAutoscaler.controlledResources }}
+      controlledResources:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.prometheusOperator.verticalPodAutoscaler.controlledValues }}
+      controlledValues: {{ .Values.prometheusOperator.verticalPodAutoscaler.controlledValues }}
+      {{- end }}
+      {{- if .Values.prometheusOperator.verticalPodAutoscaler.maxAllowed }}
+      maxAllowed:
+        {{- toYaml .Values.prometheusOperator.verticalPodAutoscaler.maxAllowed | nindent 8 }}
+      {{- end }}
+      {{- if .Values.prometheusOperator.verticalPodAutoscaler.minAllowed }}
+      minAllowed:
+        {{- toYaml .Values.prometheusOperator.verticalPodAutoscaler.minAllowed | nindent 8 }}
+      {{- end }}
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  {{- with .Values.prometheusOperator.verticalPodAutoscaler.updatePolicy }}
+  updatePolicy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}