fix(base-cluster/monitoring): add missing kube-prometheus-stack image(s/licenses)

[cwrau]

Summary by CodeRabbit

• Documentation

  • Updated and expanded image license references, syncing several images to their current license files.

• Chores

  • Added new container image license entries (Apache-2.0) and refreshed license links for multiple images.
  • Updated trusted registry entries to include additional images and adjusted existing registry policies for consistency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated GitHub metadata to add and re-link container image license entries and to modify trusted registry entries for ghcr.io images (adding jkroepke/kube-webhook-certgen and k8up-io/k8up, and adjusting several registry.k8s.io license links) in .github/image_licenses.yaml and .github/trusted_registries.yaml.

Changes

Cohort / File(s)	Summary
Image license metadata .github/image_licenses.yaml	Added entries for ghcr.io/jkroepke/kube-webhook-certgen and ghcr.io/k8up-io/k8up; updated/re-linked multiple registry.k8s.io/* images to new LICENSE or LICENSE.md URLs; some entries moved or duplicated under different sections.
Trusted registries .github/trusted_registries.yaml	Added jkroepke -> kube-webhook-certgen: ALL_TAGS and k8up-io -> k8up: ALL_TAGS under ghcr.io; removed a prior duplicate k8up-io -> k8up: ALL_TAGS entry.

Sequence Diagram(s)

(omitted — changes are configuration updates without new multi-component control flow)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore(base-cluster/license): add license for metrics-server and external-dns #1633 — updates .github/image_licenses.yaml for registry.k8s.io/external-dns and registry.k8s.io/metrics-server license links.
• fix(base-cluster): add missing license info #1761 — adds ghcr.io/k8up-io/k8up license and trusted-registry entries (same image).
• chore(ci): review of licenses #1782 — refines image license metadata and links in .github/image_licenses.yaml.

Suggested labels

base-cluster

Suggested reviewers

• tasches
• marvinWolff

Poem

🐰 A tiny rabbit hops with glee,
New licenses tucked beneath a tree,
Certgen and k8up join the fold,
Trusted, listed, proud and bold —
🥕 Pipelines ready, downloads free.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'kube-prometheus-stack' but the changeset only updates image licenses and trusted registries for kube-webhook-certgen and k8up without clear relation to kube-prometheus-stack components.	Update the title to accurately reflect the actual changes, such as 'fix: update image licenses and trusted registries for kube-webhook-certgen and k8up' or verify the changes align with kube-prometheus-stack requirements.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16d9c5e and 49f9f67.

📒 Files selected for processing (2)

• .github/image_licenses.yaml
• .github/trusted_registries.yaml

🔇 Additional comments (5)

.github/trusted_registries.yaml (1)

36-39: LGTM - New ghcr.io trusted registry entries are correctly added.

The entries for jkroepke/kube-webhook-certgen and k8up-io/k8up are properly placed in alphabetical order and have corresponding license entries in image_licenses.yaml.

.github/image_licenses.yaml (4)

23-25: LGTM - bitnamilegacy/kubectl license entry maintained.

Entry is correctly positioned in alphabetical order.

---

203-205: LGTM - License link updated to raw GitHub URL.

The license link now points directly to the raw LICENSE.md file.

---

218-223: LGTM - registry.k8s.io license links updated.

Both kubectl and metrics-server license links now use consistent raw.githubusercontent.com URLs pointing to the LICENSE files. Both URLs are accessible and properly formatted.

---

113-118: LGTM - New ghcr.io license entries are correctly added.

Both entries use Apache-2.0 license and link to the raw LICENSE files in their respective repositories. Entries are correctly ordered alphabetically.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @cwrau, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a configuration oversight by adding the necessary license information and registering the kube-webhook-certgen image as a trusted source. This ensures proper compliance and allows the image, likely a component of the kube-prometheus-stack, to be used without issues related to image provenance or licensing, thereby enhancing the robustness of the monitoring setup.

Highlights

• License Information Added: The license details for the ghcr.io/jkroepke/kube-webhook-certgen image have been added to the image_licenses.yaml file, specifying an Apache-2.0 license.
• Trusted Registry Inclusion: The ghcr.io/jkroepke/kube-webhook-certgen image has been added to the list of trusted registries in trusted_registries.yaml, allowing all its tags to be recognized.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly adds the missing image ghcr.io/jkroepke/kube-webhook-certgen to the image license and trusted registries configurations. The changes are functional, and the suggestions to improve maintainability by keeping the configuration files sorted are still valid.

[Copilot]

Pull request overview

This PR claims to add "missing kube-prometheus-stack image(s)/licenses" by adding configuration for the ghcr.io/jkroepke/kube-webhook-certgen image to both the trusted registries and image licenses files. However, there is a significant discrepancy: the codebase currently uses registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5 for kube-prometheus-stack admission webhooks (as documented in Chart.yaml), and there are no configuration changes in this PR that would actually switch to using the jkroepke variant.

Key observations:

• Adds trust configuration for ghcr.io/jkroepke/kube-webhook-certgen
• Adds Apache-2.0 license information for the same image
• No actual usage of this image found in the codebase

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/trusted_registries.yaml	Adds ghcr.io/jkroepke/kube-webhook-certgen to the list of trusted image registries with ALL_TAGS permission
.github/image_licenses.yaml	Adds Apache-2.0 license information for ghcr.io/jkroepke/kube-webhook-certgen with a link to the license file

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/trusted_registries.yaml (1)

41-42: Entry placement violates alphabetical ordering.

The new jkroepke entry should be placed before k8up-io (currently at lines 39-40) to maintain alphabetical order within the ghcr.io section, as 'j' comes before 'k'.

📝 Suggested reordering

Move these lines to appear before the k8up-io entry:

  teutonet: ALL_IMAGES
+  jkroepke:
+    kube-webhook-certgen: ALL_TAGS
  k8up-io:
    k8up: ALL_TAGS
-  jkroepke:
-    kube-webhook-certgen: ALL_TAGS

.github/image_licenses.yaml (1)

125-127: Entry placement violates alphabetical ordering.

The new ghcr.io/jkroepke/kube-webhook-certgen entry should be placed before ghcr.io/k8up-io/k8up (currently at lines 122-124) to maintain alphabetical order, as 'jkroepke' comes before 'k8up-io'.

📝 Suggested reordering

Move these lines to appear before the k8up-io entry:

  ghcr.io/teutonet/oci-images/solr-ckan:
    license: MIT
    licenseLink: https://github.com/teutonet/oci-images/blob/main/LICENSE
+  ghcr.io/jkroepke/kube-webhook-certgen:
+    license: Apache-2.0
+    licenseLink: https://raw.githubusercontent.com/jkroepke/kube-webhook-certgen/refs/heads/main/LICENSE
  ghcr.io/k8up-io/k8up:
    license: Apache-2.0
    licenseLink: https://raw.githubusercontent.com/k8up-io/k8up/refs/heads/master/LICENSE
-  ghcr.io/jkroepke/kube-webhook-certgen:
-    license: Apache-2.0
-    licenseLink: https://raw.githubusercontent.com/jkroepke/kube-webhook-certgen/refs/heads/main/LICENSE

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1801d12 and 16d9c5e.

📒 Files selected for processing (2)

• .github/image_licenses.yaml
• .github/trusted_registries.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Agent
• GitHub Check: wait-for-checks

🔇 Additional comments (1)

.github/image_licenses.yaml (1)

125-127: License link and type verified as correct.

The license link is accessible (HTTP 200) and the repository is correctly identified as Apache-2.0 licensed.