From 49f9f2b28e5af9ba9c0e55e4d7108d136896cf23 Mon Sep 17 00:00:00 2001
From: r0bj
Date: Thu, 23 Jan 2025 18:51:41 -0800
Subject: [PATCH 1/3] use kube-rbac-proxy ports for probes when enabled
Signed-off-by: r0bj
---
 charts/kube-state-metrics/Chart.yaml | 2 +-
 .../templates/deployment.yaml | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/charts/kube-state-metrics/Chart.yaml b/charts/kube-state-metrics/Chart.yaml
index bc94bd519956..fe5d7cfef1ad 100644
--- a/charts/kube-state-metrics/Chart.yaml
+++ b/charts/kube-state-metrics/Chart.yaml
@@ -7,7 +7,7 @@ keywords:
 - prometheus
 - kubernetes
 type: application
-version: 5.28.0
+version: 5.29.0
 appVersion: 2.14.0
 home: https://github.com/kubernetes/kube-state-metrics/
 sources:
diff --git a/charts/kube-state-metrics/templates/deployment.yaml b/charts/kube-state-metrics/templates/deployment.yaml
index bc93d42b714e..e647a80c9568 100644
--- a/charts/kube-state-metrics/templates/deployment.yaml
+++ b/charts/kube-state-metrics/templates/deployment.yaml
@@ -79,6 +79,9 @@ spec:
 {{- if .Values.extraArgs }}
 {{- .Values.extraArgs | toYaml | nindent 8 }}
 {{- end }}
+ {{- if .Values.kubeRBACProxy.enabled }}
+ - --host=127.0.0.1
+ {{- end }}
 - --port={{ $servicePort }}
 {{- if .Values.collectors }}
 - --resources={{ .Values.collectors | join "," }}
@@ -171,8 +174,13 @@ spec:
 value: {{ $header.value }}
 {{- end }}
 path: /healthz
+ {{- if .Values.kubeRBACProxy.enabled }}
+ port: {{ .Values.service.port | default 8080 }}
+ scheme: HTTPS
+ {{- else }}
 port: {{ $servicePort }}
 scheme: {{ upper .Values.startupProbe.httpGet.scheme }}
+ {{- end }}
 initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.startupProbe.periodSeconds }}
 successThreshold: {{ .Values.startupProbe.successThreshold }}
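Review bot: The loopback bind added at `- --host=127.0.0.1` covers only the metrics listener; the hunk does not show the telemetry listener on `$telemetryPort` being pinned the same way, and if it is not, that port stays reachable on the pod IP without passing through kube-rbac-proxy's authorization. It is worth confirming that `- --telemetry-host=127.0.0.1` is emitted under the same `kubeRBACProxy.enabled` condition further down the args list, which continues outside this hunk. A one-line template comment such as `{{- /* loopback only: the metrics port must be reachable solely via kube-rbac-proxy */}}` above the flag would record why the bind exists. Because the flag is emitted after `.Values.extraArgs`, a `--host` supplied there ends up on the command line twice; which one takes effect depends on the flag parser, so that interaction deserves a line in the values documentation.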
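Review bot: The startup probe now requests `/healthz` over HTTPS on the kube-rbac-proxy port, yet the proxy arguments added later in this commit exempt only `/livez` and `/readyz` through `--ignore-paths`. The kubelet sends no credentials unless `httpHeaders` supplies them, so the proxy will presumably reject the probe and the container will not pass startup; the first proxy's flag would need to read `- --ignore-paths=/healthz,/livez`. PATCH 3/3 then deletes both exemptions, which leaves the liveness and readiness probes (the `/livez` and `/readyz` hunks of this commit) in the same position. Whatever exemption is kept should list exact health paths only, since every ignored path is forwarded to the upstream with no authentication or authorization check. The probe block starts and ends outside this hunk.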
@@ -190,8 +198,13 @@ spec:
 value: {{ $header.value }}
 {{- end }}
 path: /livez
+ {{- if .Values.kubeRBACProxy.enabled }}
+ port: {{ .Values.service.port | default 8080 }}
+ scheme: HTTPS
+ {{- else }}
 port: {{ $servicePort }}
 scheme: {{ upper .Values.livenessProbe.httpGet.scheme }}
+ {{- end }}
 initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
 successThreshold: {{ .Values.livenessProbe.successThreshold }}
@@ -208,8 +221,13 @@ spec:
 value: {{ $header.value }}
 {{- end }}
 path: /readyz
+ {{- if .Values.kubeRBACProxy.enabled }}
+ port: {{ .Values.service.port | default 8081 }}
+ scheme: HTTPS
+ {{- else }}
 port: {{ $telemetryPort }}
 scheme: {{ upper .Values.readinessProbe.httpGet.scheme }}
+ {{- end }}
 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
 successThreshold: {{ .Values.readinessProbe.successThreshold }}
@@ -230,6 +248,9 @@ spec:
 - --upstream=http://127.0.0.1:{{ $servicePort }}/
 - --proxy-endpoints-port=8888
 - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
+ {{- if .Values.kubeRBACProxy.enabled }}
+ - --ignore-paths=/livez
+ {{- end }}
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
@@ -268,6 +289,9 @@ spec:
 - --upstream=http://127.0.0.1:{{ $telemetryPort }}/
 - --proxy-endpoints-port=8889
 - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
+ {{- if .Values.kubeRBACProxy.enabled }}
+ - --ignore-paths=/readyz
+ {{- end }}
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
From 321878ea7546ec4995f8dbf258db8ba3a98f327e Mon Sep 17 00:00:00 2001
From: r0bj
Date: Thu, 23 Jan 2025 19:07:46 -0800
Subject: [PATCH 2/3] fix telemetry port
Signed-off-by: r0bj
---
 charts/kube-state-metrics/templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
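Review bot: `- --ignore-paths=/livez` here, and `- --ignore-paths=/readyz` in the second proxy's args, switch off both authentication and authorization for those paths, and nothing next to the flags says so. A comment such as `{{- /* unauthenticated on purpose: kubelet probes carry no token */}}` would keep a later edit from widening the list beyond health endpoints without noticing what the flag does. The surrounding `{{- if .Values.kubeRBACProxy.enabled }}` guard looks redundant if, as the args suggest, this container is only rendered when the proxy is enabled; the container definition begins outside the hunk, so confirm that before dropping the guard.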
diff --git a/charts/kube-state-metrics/templates/deployment.yaml b/charts/kube-state-metrics/templates/deployment.yaml
index e647a80c9568..fa78f46546d4 100644
--- a/charts/kube-state-metrics/templates/deployment.yaml
+++ b/charts/kube-state-metrics/templates/deployment.yaml
@@ -222,7 +222,7 @@ spec:
 {{- end }}
 path: /readyz
 {{- if .Values.kubeRBACProxy.enabled }}
- port: {{ .Values.service.port | default 8081 }}
+ port: {{ .Values.selfMonitor.telemetryPort | default 8081 }}
 scheme: HTTPS
 {{- else }}
 port: {{ $telemetryPort }}
From 4118f785807c7732f1777e94969d91c782cc91dd Mon Sep 17 00:00:00 2001
From: r0bj
Date: Mon, 27 Jan 2025 12:09:24 -0800
Subject: [PATCH 3/3] remove kube-rbac-proxy additional options
Signed-off-by: r0bj
---
 charts/kube-state-metrics/templates/deployment.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/charts/kube-state-metrics/templates/deployment.yaml b/charts/kube-state-metrics/templates/deployment.yaml
index fa78f46546d4..af3a5ae8d122 100644
--- a/charts/kube-state-metrics/templates/deployment.yaml
+++ b/charts/kube-state-metrics/templates/deployment.yaml
@@ -248,9 +248,6 @@ spec:
 - --upstream=http://127.0.0.1:{{ $servicePort }}/
 - --proxy-endpoints-port=8888
 - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
- {{- if .Values.kubeRBACProxy.enabled }}
- - --ignore-paths=/livez
- {{- end }}
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
@@ -289,9 +286,6 @@ spec:
 - --upstream=http://127.0.0.1:{{ $telemetryPort }}/
 - --proxy-endpoints-port=8889
 - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
- {{- if .Values.kubeRBACProxy.enabled }}
- - --ignore-paths=/readyz
- {{- end }}
 volumeMounts:
 - name: kube-rbac-proxy-config
 mountPath: /etc/kube-rbac-proxy-config
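Review bot: The readiness port is now spelled out as `.Values.selfMonitor.telemetryPort | default 8081` inside the probe, separately from wherever the telemetry proxy's listen address is computed, so the two can drift apart and the `8081` default is repeated. Binding it once next to `$telemetryPort`, for example `{{- $telemetryProxyPort := .Values.selfMonitor.telemetryPort | default 8081 }}` (the name is only a suggestion), and using that variable in both places would keep the probe and the listener aligned. The same applies to `.Values.service.port | default 8080` in the startup and liveness probes of PATCH 1/3. The proxy's listen flag and the existing variable definitions are outside this hunk.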