enable kiwigrid/k8s-sidecar in tests and configure health port (#597)

* ci: enable kiwigrid/k8s-sidecar in tests

Signed-off-by: Tom Hayward <thayward@infoblox.com>

* override kiwigrid/k8s-sidecar health port to avoid conflict and enable probes

Signed-off-by: Tom Hayward <thayward@infoblox.com>

---------

Signed-off-by: Tom Hayward <thayward@infoblox.com>

Author: kd7lxl

CHANGELOG.md

@@ -2,9 +2,11 @@
 
 ## master / unreleased
 
+* [ENHANCEMENT] enable readiness probe on kiwigrid/k8s-sidecar #597
 * [DEPENDENCY] update kiwigrid/k8s-sidecar docker tag to v2.5.0 #568
 * [DEPENDENCY] update memcached docker tag to v1.6.40 #580
 * [DEPENDENCY] update prom/memcached-exporter docker tag to v0.15.5 #581
+* [BUGFIX] override kiwigrid/k8s-sidecar health port to avoid conflict #597
 
 ## 3.1.0 / 2026-02-24
 

README.md

@@ -141,16 +141,23 @@ Kubernetes: `^1.19.0-0`
 | alertmanager.​sidecar.​enabled | bool | `false` | Enable sidecar that collect the configmaps with specified label and stores the included files them into the respective folders |
 | alertmanager.​sidecar.​folder | string | `"/data"` | Folder where the files should be placed. |
 | alertmanager.​sidecar.​folderAnnotation | string | `"k8s-sidecar-target-directory"` | The annotation the sidecar will look for in ConfigMaps and/or Secrets to override the destination folder for files. If the value is a relative path, it will be relative to FOLDER |
+| alertmanager.​sidecar.​healthPort | int | `8081` | The port the kiwigrid/k8s-sidecar listens on for health checks. The image default matches the cortex default listen port (8080), so it must be overridden here. |
 | alertmanager.​sidecar.​image.​repository | string | `"kiwigrid/k8s-sidecar"` |  |
 | alertmanager.​sidecar.​image.​sha | string | `""` |  |
 | alertmanager.​sidecar.​image.​tag | string | `"2.5.0"` |  |
 | alertmanager.​sidecar.​imagePullPolicy | string | `"IfNotPresent"` |  |
 | alertmanager.​sidecar.​label | string | `"cortex_alertmanager"` | Label that should be used for filtering |
 | alertmanager.​sidecar.​labelValue | string | `""` | The value for the label you want to filter your resources on. Don't set a value to filter by any value |
+| alertmanager.​sidecar.​readinessProbe.​httpGet.​path | string | `"/healthz"` |  |
+| alertmanager.​sidecar.​readinessProbe.​httpGet.​port | string | `"sidecar-health"` |  |
+| alertmanager.​sidecar.​readinessProbe.​periodSeconds | int | `5` |  |
 | alertmanager.​sidecar.​resource | string | `"both"` | The resource type that the operator will filter for. Can be configmap, secret or both |
 | alertmanager.​sidecar.​resources | object | `{}` |  |
 | alertmanager.​sidecar.​searchNamespace | string | `""` | The Namespace(s) from which resources will be watched. For multiple namespaces, use a comma-separated string like "default,test". If not set or set to ALL, it will watch all Namespaces. |
 | alertmanager.​sidecar.​skipTlsVerify | bool | `false` | Set to true to skip tls verification for kube api calls |
+| alertmanager.​sidecar.​startupProbe.​httpGet.​path | string | `"/healthz"` |  |
+| alertmanager.​sidecar.​startupProbe.​httpGet.​port | string | `"sidecar-health"` |  |
+| alertmanager.​sidecar.​startupProbe.​periodSeconds | int | `5` |  |
 | alertmanager.​sidecar.​watchMethod | string | `""` | Determines how kopf-k8s-sidecar will run. If WATCH it will run like a normal operator forever. If LIST it will gather the matching configmaps and secrets currently present, write those files to the destination directory and die |
 | alertmanager.​startupProbe.​failureThreshold | int | `10` |  |
 | alertmanager.​startupProbe.​httpGet.​path | string | `"/ready"` |  |
@@ -827,16 +834,23 @@ Kubernetes: `^1.19.0-0`
 | ruler.​sidecar.​enabled | bool | `false` | Enable sidecar that collect the configmaps with specified label and stores the included files them into the respective folders |
 | ruler.​sidecar.​folder | string | `"/data/rules"` | Folder where the files should be placed. |
 | ruler.​sidecar.​folderAnnotation | string | `"k8s-sidecar-target-directory"` | The annotation the sidecar will look for in ConfigMaps and/or Secrets to override the destination folder for files. If the value is a relative path, it will be relative to FOLDER |
+| ruler.​sidecar.​healthPort | int | `8081` | The port the kiwigrid/k8s-sidecar listens on for health checks. The image default matches the cortex default listen port (8080), so it must be overridden here. |
 | ruler.​sidecar.​image.​repository | string | `"kiwigrid/k8s-sidecar"` |  |
 | ruler.​sidecar.​image.​sha | string | `""` |  |
 | ruler.​sidecar.​image.​tag | string | `"2.5.0"` |  |
 | ruler.​sidecar.​imagePullPolicy | string | `"IfNotPresent"` |  |
 | ruler.​sidecar.​label | string | `"cortex_rules"` | label that the configmaps with rules are marked with |
 | ruler.​sidecar.​labelValue | string | `""` | The value for the label you want to filter your resources on. Don't set a value to filter by any value |
+| ruler.​sidecar.​readinessProbe.​httpGet.​path | string | `"/healthz"` |  |
+| ruler.​sidecar.​readinessProbe.​httpGet.​port | string | `"sidecar-health"` |  |
+| ruler.​sidecar.​readinessProbe.​periodSeconds | int | `5` |  |
 | ruler.​sidecar.​resource | string | `"both"` | The resource type that the operator will filter for. Can be configmap, secret or both |
 | ruler.​sidecar.​resources | object | `{}` |  |
 | ruler.​sidecar.​searchNamespace | string | `""` | The Namespace(s) from which resources will be watched. For multiple namespaces, use a comma-separated string like "default,test". If not set or set to ALL, it will watch all Namespaces. |
 | ruler.​sidecar.​skipTlsVerify | bool | `false` | Set to true to skip tls verification for kube api calls |
+| ruler.​sidecar.​startupProbe.​httpGet.​path | string | `"/healthz"` |  |
+| ruler.​sidecar.​startupProbe.​httpGet.​port | string | `"sidecar-health"` |  |
+| ruler.​sidecar.​startupProbe.​periodSeconds | int | `5` |  |
 | ruler.​sidecar.​watchMethod | string | `""` | Determines how kopf-k8s-sidecar will run. If WATCH it will run like a normal operator forever. If LIST it will gather the matching configmaps and secrets currently present, write those files to the destination directory and die |
 | ruler.​startupProbe.​failureThreshold | int | `10` |  |
 | ruler.​startupProbe.​httpGet.​path | string | `"/ready"` |  |

ci/test-configmap-values.yaml

@@ -127,6 +127,8 @@ alertmanager:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 ruler:
   replicas: 1
   enabled: true
@@ -136,6 +138,8 @@ ruler:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 store_gateway:
   startupProbe: null
   replicas: 1

ci/test-deployment-values.yaml

@@ -134,6 +134,8 @@ alertmanager:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 ruler:
   replicas: 1
   enabled: true
@@ -143,6 +145,8 @@ ruler:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 store_gateway:
   startupProbe: null
   replicas: 1

ci/test-sts-values.yaml

@@ -125,6 +125,8 @@ alertmanager:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 ruler:
   replicas: 1
   enabled: true
@@ -134,6 +136,8 @@ ruler:
   extraVolumeMounts:
     - name: tmp-test
       mountPath: /tmp-test
+  sidecar:
+    enabled: true
 store_gateway:
   startupProbe: null
   replicas: 1

templates/alertmanager/alertmanager-dep.yaml

@@ -88,6 +88,22 @@ spec:
             - name: FOLDER_ANNOTATION
               value: "{{ .Values.alertmanager.sidecar.folderAnnotation }}"
             {{- end }}
+          {{- with .Values.alertmanager.sidecar.healthPort }}
+            - name: HEALTH_PORT
+              value: "{{ . }}"
+          ports:
+            - name: sidecar-health
+              containerPort: {{ . }}
+              protocol: TCP
+          {{- end }}
+          {{- with .Values.alertmanager.sidecar.startupProbe }}
+          startupProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.alertmanager.sidecar.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.alertmanager.sidecar.resources | nindent 12 }}
           {{- if .Values.alertmanager.sidecar.containerSecurityContext.enabled }}

templates/alertmanager/alertmanager-statefulset.yaml

@@ -145,6 +145,22 @@ spec:
             - name: FOLDER_ANNOTATION
               value: "{{ .Values.alertmanager.sidecar.folderAnnotation }}"
             {{- end }}
+          {{- with .Values.alertmanager.sidecar.healthPort }}
+            - name: HEALTH_PORT
+              value: "{{ . }}"
+          ports:
+            - name: sidecar-health
+              containerPort: {{ . }}
+              protocol: TCP
+          {{- end }}
+          {{- with .Values.alertmanager.sidecar.startupProbe }}
+          startupProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.alertmanager.sidecar.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.alertmanager.sidecar.resources | nindent 12 }}
           {{- if .Values.alertmanager.sidecar.containerSecurityContext.enabled }}

templates/ruler/ruler-dep.yaml

@@ -90,6 +90,22 @@ spec:
             - name: FOLDER_ANNOTATION
               value: "{{ .Values.ruler.sidecar.folderAnnotation }}"
             {{- end }}
+          {{- with .Values.ruler.sidecar.healthPort }}
+            - name: HEALTH_PORT
+              value: "{{ . }}"
+          ports:
+            - name: sidecar-health
+              containerPort: {{ . }}
+              protocol: TCP
+          {{- end }}
+          {{- with .Values.ruler.sidecar.startupProbe }}
+          startupProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.ruler.sidecar.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.ruler.sidecar.resources | nindent 12 }}
           {{- if .Values.ruler.containerSecurityContext.enabled }}

values.yaml

@@ -317,6 +317,18 @@ alertmanager:
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true
+    # -- The port the kiwigrid/k8s-sidecar listens on for health checks. The image default matches the cortex default listen port (8080), so it must be overridden here.
+    healthPort: 8081
+    startupProbe:
+      httpGet:
+        path: /healthz
+        port: sidecar-health
+      periodSeconds: 5
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: sidecar-health
+      periodSeconds: 5
 
 distributor:
   enabled: true
@@ -734,6 +746,18 @@ ruler:
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true
+    # -- The port the kiwigrid/k8s-sidecar listens on for health checks. The image default matches the cortex default listen port (8080), so it must be overridden here.
+    healthPort: 8081
+    startupProbe:
+      httpGet:
+        path: /healthz
+        port: sidecar-health
+      periodSeconds: 5
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: sidecar-health
+      periodSeconds: 5
 
 querier:
   enabled: true