Base automatically changed from dependabot/docker/docker/golang-1.25.6-alpine to develop February 3, 2026 18:09
1e0648c to 1ab04a5
evan-cz commented Mar 4, 2026
| # Disabled: marocchino/validate-dependabot@v3 fails due to a schemastore.org | ||
| # schema change (base.json#/definitions/timezone reference can't be resolved). | ||
| # See https://json.schemastore.org/dependabot-2.0.json | ||
| if: github.event_name == 'disabled' |
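Review bot: the `if: github.event_name == 'disabled'` condition on the last line switches the job off by comparing against an event name that never occurs, which reads like a real event filter; `if: false` states the intent directly. The comment explains the schemastore.org failure but gives no tracking issue or re-enable condition, and while the step is off the Dependabot config validation it provided no longer runs, so add a link to an upstream issue and a note on when to restore the check.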
Not really part of this, but the action is failing and this uncorks CI
Prometheus 3.10.0 introduced an official distroless image variant that
eliminates shells, package managers, and other utilities from the container.
This significantly reduces the attack surface of the Prometheus container,
addressing security concerns around the nodes/proxy RBAC permission
(see docs/wiki/The-nodes-proxy-Problem.md).
Functional Change:
Before: The Helm chart defaulted to the standard Prometheus image
(busybox-based, includes shell and utilities) at version v3.7.3. The
Prometheus image tag was resolved by the `cloudzero-agent.prometheusImageTag`
helper with an inline fallback chain duplicated across templates.
After: The Helm chart defaults to the distroless Prometheus image at
version v3.10.0. The image tag is resolved by a new
`cloudzero-agent.Values.components.prometheus.image.tag` helper that
appends "-distroless" to Chart.AppVersion when no explicit tag is set.
The deprecated server.image.tag compat override is handled by
generateImage's compat layer, not the helper itself.
Solution:
1. Bumped Chart.AppVersion from v3.7.3 to v3.10.0 in helm/Chart.yaml
2. Added `cloudzero-agent.Values.components.prometheus.image.tag` helper
in helm/templates/_helpers.tpl that resolves
components.prometheus.image.tag with a fallback to
`{Chart.AppVersion}-distroless`
3. Removed the old `cloudzero-agent.prometheusImageTag` helper and updated
all call sites (agent-deploy.yaml, agent-daemonset.yaml,
prometheusAgentFlag) to use the new helper
4. Removed outdated inline comments about version-specific distroless
logic from agent-deploy.yaml and agent-daemonset.yaml
5. Regenerated Helm template test snapshots (alloy.yaml, cert-manager.yaml,
federated.yaml, istio.yaml, manifest.yaml) to reflect the new default
image tag
Validation:
- Helm template snapshots regenerated and verified
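A CI guard for the default described in the commit message above, as an added example that is not part of the pull request or the project's code: it scans rendered manifest text for Prometheus images whose tag lacks the `-distroless` suffix, so a values override that restores the shell-bearing image is flagged. The registry paths, the `/prometheus` repository suffix and the sample manifest are constructed assumptions.

```python
import re

# Constructed sample of rendered manifest text; registries and digest are placeholders.
SAMPLE_MANIFEST = """\
containers:
  - name: server
    image: "quay.io/prometheus/prometheus:v3.10.0-distroless"
  - name: agent
    image: registry.local:5000/prometheus/prometheus:v3.7.3
  - name: pinned
    image: quay.io/prometheus/prometheus@sha256:0123abcd
  - name: reloader
    image: example.invalid/config-reloader:v1.0.0
"""

IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^"'\s#]+)""", re.M)


def split_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    repo, _, digest = ref.partition("@")
    # A colon separates the tag only when it follows the last '/'; earlier it is a registry port.
    slash = repo.rfind("/")
    colon = repo.rfind(":")
    if colon > slash:
        return repo[:colon], repo[colon + 1:], digest
    return repo, "", digest


def non_distroless_prometheus(manifest, repo_suffix="/prometheus"):
    """Return (image, reason) pairs for Prometheus images without a -distroless tag."""
    findings = []
    for ref in IMAGE_LINE.findall(manifest):
        repo, tag, digest = split_image(ref)
        if not repo.endswith(repo_suffix):
            continue  # not a Prometheus image under the assumed repository name
        if tag.endswith("-distroless"):
            continue
        reason = "digest-only, variant unknown" if digest and not tag else "tag is not a distroless variant"
        findings.append((ref, reason))
    return findings


if __name__ == "__main__":
    for ref, reason in non_distroless_prometheus(SAMPLE_MANIFEST):
        print(f"FAIL {ref}: {reason}")
```

Digest-pinned references carry no tag, so the check reports them for manual review rather than guessing the variant.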