projectsyn · simu · Jan 21, 2026 · Feb 25, 2025 · Feb 25, 2025 · Feb 25, 2025
diff --git a/.cruft.json b/.cruft.json
@@ -7,7 +7,7 @@
       "name": "mimir",
       "slug": "mimir",
       "parameter_key": "mimir",
-      "test_cases": "defaults global-node-selector",
+      "test_cases": "defaults global-node-selector openshift",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -34,6 +34,7 @@ jobs:
         instance:
           - defaults
           - global-node-selector
+          - openshift
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -50,6 +51,7 @@ jobs:
         instance:
           - defaults
           - global-node-selector
+          - openshift
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

diff --git a/.yamllint.yml b/.yamllint.yml
@@ -22,3 +22,4 @@ ignore: |
   manifests/
   vendor/
   compiled/
+  component/helmchart-fix/
diff --git a/Makefile.vars.mk b/Makefile.vars.mk
@@ -50,4 +50,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/global-node-selector.yml
+test_instances = tests/defaults.yml tests/global-node-selector.yml tests/openshift.yml
diff --git a/class/mimir.yml b/class/mimir.yml
@@ -18,6 +18,16 @@ parameters:
         input_type: jsonnet
         output_path: ${_instance}/
 
+      - input_type: external
+        input_paths:
+          - ${_base_directory}/run-patch
+        output_path: .
+        args:
+          - -d
+          - ${_base_directory}/helmcharts/mimir-distributed/${mimir:charts:mimir-distributed:version}/templates/
+          - -p1
+          - -i
+          - ${_base_directory}/component/helmchart-fix/validate.patch
       - input_type: helm
         output_type: yaml
         input_paths:
@@ -39,3 +49,6 @@ parameters:
         - type: jsonnet
           filter: postprocess/patch-alerts.jsonnet
           path: ${_instance}/10_mimir_distributed/mimir-distributed/templates/metamonitoring
+        - type: jsonnet
+          filter: postprocess/fixup-securitycontext.jsonnet
+          path: ${_instance}/10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates
diff --git a/component/app.jsonnet b/component/app.jsonnet
@@ -6,7 +6,8 @@ local argocd = import 'lib/argocd.libjsonnet';
 
 local instance = inv.parameters._instance;
 
-local app = argocd.App(instance, params.namespace);
+local app = argocd.App(instance, params.namespace.name);
+
 local appPath =
   local project = std.get(std.get(app, 'spec', {}), 'project', 'syn');
   if project == 'syn' then 'apps' else 'apps-%s' % project;

diff --git a/component/helmchart-fix/validate.patch b/component/helmchart-fix/validate.patch
@@ -0,0 +1,11 @@
+--- a/validate.yaml	2026-01-20 13:09:54.025066136 +0100
++++ b/validate.yaml	2026-01-20 11:44:41.953503344 +0100
+@@ -255,7 +255,7 @@
+
+ {{- if eq .Values.rbac.type "scc" -}}
+ {{- with .Values.rollout_operator.podSecurityContext -}}
+-{{- if or (hasKey . "fsGroup") (hasKey . "runAsGroup") (hasKey . "runAsUser") -}}
++{{- if not (and (empty .fsGroup) (empty .runAsGroup) (empty .runAsUser)) -}}
+ {{- fail "You have selected rbac.type=scc, you must set the values fsGroup, runAsGroup, runAsUser to null in rollout_operator.podSecurityContext" -}}
+ {{- end -}}
+ {{- end -}}
diff --git a/postprocess/fixup-securitycontext.jsonnet b/postprocess/fixup-securitycontext.jsonnet
@@ -0,0 +1,5 @@
+local com = import 'lib/commodore.libjsonnet';
+
+local dir = std.extVar('output_path');
+
+com.fixupDir(dir, std.prune)
diff --git a/run-patch b/run-patch
@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# Wrapper around `patch` which provides some convenience features
+# 1) The wrapper searches for the `patch` binary in ${PATH}
+#
+set -e
+
+# Kapitan provides a fairly standard PATH variable, we add /opt/homebrew/bin for macOS
+export PATH="${PATH}:/opt/homebrew/bin"
+
+patch=$(which patch) || (>&2 echo "patch not found in ${PATH}"; exit 7)
+
+exec "$patch" "${@}"
diff --git a/tests/golden/openshift/mimir/apps/mimir.yaml b/tests/golden/openshift/mimir/apps/mimir.yaml
diff --git a/tests/golden/openshift/mimir/mimir/00_namespace.yaml b/tests/golden/openshift/mimir/mimir/00_namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    name: syn-mimir
+  name: syn-mimir
diff --git a/tests/golden/openshift/mimir/mimir/01_secrets.yaml b/tests/golden/openshift/mimir/mimir/01_secrets.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  annotations: {}
+  labels:
+    name: mimir-bucket-secret
+  name: mimir-bucket-secret
+  namespace: syn-mimir
+stringData:
+  S3_ACCESS_KEY_ID: null
+  S3_ENDPOINT: null
+  S3_SECRET_ACCESS_KEY: null
+type: Opaque
diff --git a/.../10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/deployment.yaml b/.../10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: mimir
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rollout-operator
+    app.kubernetes.io/version: v0.2.0
+    helm.sh/chart: rollout-operator-0.2.0
+  name: mimir-rollout-operator
+spec:
+  minReadySeconds: 10
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: mimir
+      app.kubernetes.io/name: rollout-operator
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: mimir
+        app.kubernetes.io/name: rollout-operator
+    spec:
+      containers:
+        - args:
+            - -kubernetes.namespace=syn-mimir
+          image: grafana/rollout-operator:v0.2.0
+          imagePullPolicy: IfNotPresent
+          name: rollout-operator
+          ports:
+            - containerPort: 8001
+              name: http-metrics
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: '1'
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: mimir-rollout-operator
diff --git a/.../mimir/10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/role.yaml b/.../mimir/10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mimir-rollout-operator
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - list
+      - get
+      - watch
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/status
+    verbs:
+      - update
diff --git a/...10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/rolebinding.yaml b/...10_mimir_distributed/mimir-distributed/charts/rollout_operator/templates/rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mimir-rollout-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mimir-rollout-operator
+subjects:
+  - kind: ServiceAccount
+    name: mimir-rollout-operator
diff --git a/...mimir_distributed/mimir-distributed/charts/rollout_operator/templates/serviceaccount.yaml b/...mimir_distributed/mimir-distributed/charts/rollout_operator/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: mimir
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rollout-operator
+    app.kubernetes.io/version: v0.2.0
+    helm.sh/chart: rollout-operator-0.2.0
+  name: mimir-rollout-operator
diff --git a/...ir/10_mimir_distributed/mimir-distributed/templates/alertmanager/alertmanager-config.yaml b/...ir/10_mimir_distributed/mimir-distributed/templates/alertmanager/alertmanager-config.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+data:
+  alertmanager_fallback_config.yaml: |
+    receivers:
+        - name: default-receiver
+    route:
+        receiver: default-receiver
+kind: ConfigMap
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: alertmanager
+    app.kubernetes.io/instance: mimir
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/part-of: memberlist
+    app.kubernetes.io/version: 2.7.1
+    helm.sh/chart: mimir-distributed-4.3.0
+  name: mimir-alertmanager-fallback-config
+  namespace: syn-mimir
diff --git a/..._mimir_distributed/mimir-distributed/templates/alertmanager/alertmanager-statefulset.yaml b/..._mimir_distributed/mimir-distributed/templates/alertmanager/alertmanager-statefulset.yaml
@@ -0,0 +1,138 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: alertmanager
+    app.kubernetes.io/instance: mimir
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/part-of: memberlist
+    app.kubernetes.io/version: 2.7.1
+    helm.sh/chart: mimir-distributed-4.3.0
+  name: mimir-alertmanager
+  namespace: syn-mimir
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: alertmanager
+      app.kubernetes.io/instance: mimir
+      app.kubernetes.io/name: mimir
+  serviceName: mimir-alertmanager
+  template:
+    metadata:
+      annotations:
+        bucketSecretVersion: '0'
+        checksum/alertmanager-fallback-config: d7cc002124943a504c792ba298711410d73b0a974b149fc6920c045c425952c1
+        checksum/config: 6c6481e85996c18964e926efa4714f8a0730c55921d824719ba3f616ce18dc35
+      labels:
+        app.kubernetes.io/component: alertmanager
+        app.kubernetes.io/instance: mimir
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mimir
+        app.kubernetes.io/part-of: memberlist
+        app.kubernetes.io/version: 2.7.1
+        helm.sh/chart: mimir-distributed-4.3.0
+      namespace: syn-mimir
+    spec:
+      affinity: {}
+      containers:
+        - args:
+            - -target=alertmanager
+            - -config.expand-env=true
+            - -config.file=/etc/mimir/mimir.yaml
+          env: null
+          envFrom:
+            - secretRef:
+                name: mimir-bucket-secret
+          image: grafana/mimir:2.7.1
+          imagePullPolicy: IfNotPresent
+          livenessProbe: null
+          name: alertmanager
+          ports:
+            - containerPort: 8080
+              name: http-metrics
+              protocol: TCP
+            - containerPort: 9095
+              name: grpc
+              protocol: TCP
+            - containerPort: 7946
+              name: memberlist
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 45
+          resources:
+            limits:
+              memory: 1.4Gi
+            requests:
+              cpu: 1
+              memory: 1Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /etc/mimir
+              name: config
+            - mountPath: /var/mimir
+              name: runtime-config
+            - mountPath: /data
+              name: storage
+            - mountPath: /configs/
+              name: alertmanager-fallback-config
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /active-query-tracker
+              name: active-queries
+      initContainers: []
+      nodeSelector: {}
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: mimir
+      terminationGracePeriodSeconds: 60
+      tolerations: []
+      topologySpreadConstraints:
+        - labelSelector:
+            matchLabels:
+              app.kubernetes.io/component: alertmanager
+              app.kubernetes.io/instance: mimir
+              app.kubernetes.io/name: mimir
+          maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+      volumes:
+        - configMap:
+            items:
+              - key: mimir.yaml
+                path: mimir.yaml
+            name: mimir-config
+          name: config
+        - configMap:
+            name: mimir-runtime
+          name: runtime-config
+        - emptyDir: {}
+          name: tmp
+        - emptyDir: {}
+          name: active-queries
+        - configMap:
+            name: mimir-alertmanager-fallback-config
+          name: alertmanager-fallback-config
+  updateStrategy:
+    type: RollingUpdate
+  volumeClaimTemplates:
+    - metadata:
+        name: storage
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi