From c3e4bfe295bac9887e36eb7da0df05a59f1212d0 Mon Sep 17 00:00:00 2001
From: JoukoVirtanen
Date: Sun, 8 Feb 2026 19:29:59 -0800
Subject: [PATCH 1/4] X-Smart-Branch-Parent: main
From 6390169cc800e241fb5524654b9687e06a710899 Mon Sep 17 00:00:00 2001
From: JoukoVirtanen
Date: Mon, 9 Feb 2026 15:30:02 -0800
Subject: [PATCH 2/4] Setting prometheus parameters in helm args
---
release/start-secured-cluster/start-secured-cluster.sh | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh
index a242687c..cdadfceb 100755
--- a/release/start-secured-cluster/start-secured-cluster.sh
+++ b/release/start-secured-cluster/start-secured-cluster.sh
@@ -14,19 +14,16 @@ kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" echo "Deploying Monitoring..." monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" -yq -i '.resources.requests.memory = "8Gi"' "$monitoring_values_file" -yq -i '.resources.limits.memory = "8Gi"' "$monitoring_values_file" helm_args=( --set persistence.type="${STORAGE}" --set exposure.type="${MONITORING_LOAD_BALANCER}" + --set resources.requests.memory="8Gi" + --set resources.limits.memory="8Gi" + --set-json 'metricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' ) helm dependency update "${COMMON_DIR}/../charts/monitoring" envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}" rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" - -# Replace the prometheus ConfigMap with one that doesn't scrape as much info from berserker containers -kubectl -n stackrox delete configmap prometheus -kubectl create -f "${SCRIPT_DIR}"/prometheus.yaml From 542b91b014b413912d267467bd3707426b44f66c Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 12 Feb 2026 20:47:31 -0800 Subject: [PATCH 3/4] Old acs versions use the old script new acs versions use a new script --- .../start-secured-cluster-4.11plus.sh | 29 ++++++++++++++++ .../start-secured-cluster-pre4.11.sh | 32 +++++++++++++++++ .../start-secured-cluster.sh | 34 ++++++------------- 3 files changed, 72 insertions(+), 23 deletions(-) create mode 100755 release/start-secured-cluster/start-secured-cluster-4.11plus.sh create mode 100755 release/start-secured-cluster/start-secured-cluster-pre4.11.sh 
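Review bot: The `--set-json 'metricRelabelConfigs=…'` entry added to `helm_args` replaces the deleted ConfigMap swap without any check that the chart consumes that key, and patch 4/4 later renames it to `cadvisorMetricRelabelConfigs`. Unless the chart ships a values schema, Helm accepts a value for a key that no template reads, so at this commit the berserker drop rules may silently not apply; rendering the monitoring chart with `helm template` and the same arguments would confirm it. The removed comment was also the only explanation of these rules, so a line such as `# Drop series from berserker containers and berserker-* namespaces so Prometheus scrapes less from them` above the entry would keep the reasoning next to the rule.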
diff --git a/release/start-secured-cluster/start-secured-cluster-4.11plus.sh b/release/start-secured-cluster/start-secured-cluster-4.11plus.sh
new file mode 100755
index 00000000..cdadfceb
--- /dev/null
+++ b/release/start-secured-cluster/start-secured-cluster-4.11plus.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+"${STACKROX_DIR}/deploy/k8s/sensor.sh"
+kubectl -n stackrox create secret generic access-rhacs \
+ --from-literal="username=${ROX_ADMIN_USERNAME}" \
+ --from-literal="password=${ROX_ADMIN_PASSWORD}" \
+ --from-literal="central_url=${CLUSTER_API_ENDPOINT}"
+
+# Create the collector-config ConfigMap in order to enable external IPs
+kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"
+
+echo "Deploying Monitoring..."
+monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"
+
+helm_args=(
+ --set persistence.type="${STORAGE}"
+ --set exposure.type="${MONITORING_LOAD_BALANCER}"
+ --set resources.requests.memory="8Gi"
+ --set resources.limits.memory="8Gi"
+ --set-json 'metricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]'
+)
+
+helm dependency update "${COMMON_DIR}/../charts/monitoring"
+envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
+helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}"
+rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
diff --git a/release/start-secured-cluster/start-secured-cluster-pre4.11.sh b/release/start-secured-cluster/start-secured-cluster-pre4.11.sh
new file mode 100755
index 00000000..a242687c
--- /dev/null
+++ b/release/start-secured-cluster/start-secured-cluster-pre4.11.sh
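Review bot: The admin password is handed to `kubectl create secret` as a `--from-literal` argument, so the expanded value sits in the kubectl process's argument list, where other local users can read it through `ps` or `/proc` and where it lands in any `set -x` trace or CI log of the command. Reading it from a file descriptor keeps it off argv, e.g. `--from-file=password=<(printf '%s' "${ROX_ADMIN_PASSWORD}")`; `printf` is a bash builtin and the script already requires bash. The same block is added to the pre-4.11 script in this patch and again to the combined `start-secured-cluster.sh` in patch 4/4.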
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+"${STACKROX_DIR}/deploy/k8s/sensor.sh"
+kubectl -n stackrox create secret generic access-rhacs \
+ --from-literal="username=${ROX_ADMIN_USERNAME}" \
+ --from-literal="password=${ROX_ADMIN_PASSWORD}" \
+ --from-literal="central_url=${CLUSTER_API_ENDPOINT}"
+
+# Create the collector-config ConfigMap in order to enable external IPs
+kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"
+
+echo "Deploying Monitoring..."
+monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"
+yq -i '.resources.requests.memory = "8Gi"' "$monitoring_values_file"
+yq -i '.resources.limits.memory = "8Gi"' "$monitoring_values_file"
+
+helm_args=(
+ --set persistence.type="${STORAGE}"
+ --set exposure.type="${MONITORING_LOAD_BALANCER}"
+)
+
+helm dependency update "${COMMON_DIR}/../charts/monitoring"
+envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
+helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}"
+rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
+
+# Replace the prometheus ConfigMap with one that doesn't scrape as much info from berserker containers
+kubectl -n stackrox delete configmap prometheus
+kubectl create -f "${SCRIPT_DIR}"/prometheus.yaml
diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh
index cdadfceb..bee3af63 100755
--- a/release/start-secured-cluster/start-secured-cluster.sh
+++ b/release/start-secured-cluster/start-secured-cluster.sh
@@ -3,27 +3,15 @@ set -eou pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" -"${STACKROX_DIR}/deploy/k8s/sensor.sh" -kubectl -n stackrox create secret generic access-rhacs \ - --from-literal="username=${ROX_ADMIN_USERNAME}" \ - --from-literal="password=${ROX_ADMIN_PASSWORD}" \ - --from-literal="central_url=${CLUSTER_API_ENDPOINT}" +# Extract version from MAIN_IMAGE_TAG (e.g., "4.11.0-rc.2" -> "4.11") +version_major_minor=$(echo "${MAIN_IMAGE_TAG}" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/') -# Create the collector-config ConfigMap in order to enable external IPs -kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" - -echo "Deploying Monitoring..." -monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" - -helm_args=( - --set persistence.type="${STORAGE}" - --set exposure.type="${MONITORING_LOAD_BALANCER}" - --set resources.requests.memory="8Gi" - --set resources.limits.memory="8Gi" - --set-json 'metricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' -) - -helm dependency update "${COMMON_DIR}/../charts/monitoring" -envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" -helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}" -rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" +# Compare version to determine which script to use +# Use bc for floating point comparison +if (( $(echo "$version_major_minor >= 4.11" | bc -l) )); then + echo "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" + exec "${SCRIPT_DIR}/start-secured-cluster-4.11plus.sh" +else + echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" + exec "${SCRIPT_DIR}/start-secured-cluster-pre4.11.sh" +fi 
From 1031b1de578b23c9a8934df5004d9ff06a18e19a Mon Sep 17 00:00:00 2001
From: JoukoVirtanen
Date: Sun, 1 Mar 2026 17:59:50 -0800
Subject: [PATCH 4/4] Combined scripts. Changed metricRelabelConfigs to cadvisorMetricRelabelConfigs
---
.../start-secured-cluster-4.11plus.sh | 29 ----------
.../start-secured-cluster-pre4.11.sh | 32 -----------
.../start-secured-cluster.sh | 56 +++++++++++++++++--
3 files changed, 51 insertions(+), 66 deletions(-)
delete mode 100755 release/start-secured-cluster/start-secured-cluster-4.11plus.sh
delete mode 100755 release/start-secured-cluster/start-secured-cluster-pre4.11.sh
diff --git a/release/start-secured-cluster/start-secured-cluster-4.11plus.sh b/release/start-secured-cluster/start-secured-cluster-4.11plus.sh
deleted file mode 100755
index cdadfceb..00000000
--- a/release/start-secured-cluster/start-secured-cluster-4.11plus.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-set -eou pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-
-"${STACKROX_DIR}/deploy/k8s/sensor.sh"
-kubectl -n stackrox create secret generic access-rhacs \
- --from-literal="username=${ROX_ADMIN_USERNAME}" \
- --from-literal="password=${ROX_ADMIN_PASSWORD}" \
- --from-literal="central_url=${CLUSTER_API_ENDPOINT}"
-
-# Create the collector-config ConfigMap in order to enable external IPs
-kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"
-
-echo "Deploying Monitoring..."
-monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"
-
-helm_args=(
- --set persistence.type="${STORAGE}"
- --set exposure.type="${MONITORING_LOAD_BALANCER}"
- --set resources.requests.memory="8Gi"
- --set resources.limits.memory="8Gi"
- --set-json 'metricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]'
-)
-
-helm dependency update "${COMMON_DIR}/../charts/monitoring"
-envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
-helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}"
-rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
diff --git a/release/start-secured-cluster/start-secured-cluster-pre4.11.sh b/release/start-secured-cluster/start-secured-cluster-pre4.11.sh
deleted file mode 100755
index a242687c..00000000
--- a/release/start-secured-cluster/start-secured-cluster-pre4.11.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-set -eou pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-
-"${STACKROX_DIR}/deploy/k8s/sensor.sh"
-kubectl -n stackrox create secret generic access-rhacs \
- --from-literal="username=${ROX_ADMIN_USERNAME}" \
- --from-literal="password=${ROX_ADMIN_PASSWORD}" \
- --from-literal="central_url=${CLUSTER_API_ENDPOINT}"
-
-# Create the collector-config ConfigMap in order to enable external IPs
-kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"
-
-echo "Deploying Monitoring..."
-monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"
-yq -i '.resources.requests.memory = "8Gi"' "$monitoring_values_file"
-yq -i '.resources.limits.memory = "8Gi"' "$monitoring_values_file"
-
-helm_args=(
- --set persistence.type="${STORAGE}"
- --set exposure.type="${MONITORING_LOAD_BALANCER}"
-)
-
-helm dependency update "${COMMON_DIR}/../charts/monitoring"
-envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
-helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}"
-rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml"
-
-# Replace the prometheus ConfigMap with one that doesn't scrape as much info from berserker containers
-kubectl -n stackrox delete configmap prometheus
-kubectl create -f "${SCRIPT_DIR}"/prometheus.yaml
diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh
index bee3af63..935b0a61 100755
--- a/release/start-secured-cluster/start-secured-cluster.sh
+++ b/release/start-secured-cluster/start-secured-cluster.sh
@@ -6,12 +6,58 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" # Extract version from MAIN_IMAGE_TAG (e.g., "4.11.0-rc.2" -> "4.11") version_major_minor=$(echo "${MAIN_IMAGE_TAG}" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/') -# Compare version to determine which script to use -# Use bc for floating point comparison -if (( $(echo "$version_major_minor >= 4.11" | bc -l) )); then +# Parse major and minor version numbers +version_major=$(echo "${version_major_minor}" | cut -d. -f1) +version_minor=$(echo "${version_major_minor}" | cut -d. -f2) + +# Determine if version is 4.11 or later (compare as integers, not floats) +is_4_11_plus=false +if [[ "$version_major" -gt 4 ]] || [[ "$version_major" -eq 4 && "$version_minor" -ge 11 ]]; then echo "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" - exec "${SCRIPT_DIR}/start-secured-cluster-4.11plus.sh" + is_4_11_plus=true else echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" - exec "${SCRIPT_DIR}/start-secured-cluster-pre4.11.sh" +fi + +"${STACKROX_DIR}/deploy/k8s/sensor.sh" +kubectl -n stackrox create secret generic access-rhacs \ + --from-literal="username=${ROX_ADMIN_USERNAME}" \ + --from-literal="password=${ROX_ADMIN_PASSWORD}" \ + --from-literal="central_url=${CLUSTER_API_ENDPOINT}" + +# Create the collector-config ConfigMap in order to enable external IPs +kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" + +echo "Deploying Monitoring..." 
+monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" + +# Build base helm arguments +helm_args=( + --set persistence.type="${STORAGE}" + --set exposure.type="${MONITORING_LOAD_BALANCER}" +) + +# Handle memory configuration based on version +if [[ "$is_4_11_plus" == false ]]; then + # Pre-4.11: Use yq to modify values file + yq -i '.resources.requests.memory = "8Gi"' "$monitoring_values_file" + yq -i '.resources.limits.memory = "8Gi"' "$monitoring_values_file" +else + # 4.11+: Add memory settings and metric relabel configs to helm args + helm_args+=( + --set resources.requests.memory="8Gi" + --set resources.limits.memory="8Gi" + --set-json 'cadvisorMetricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' + ) +fi + +helm dependency update "${COMMON_DIR}/../charts/monitoring" +envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" +helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}" +rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" + +# Pre-4.11 only: Replace prometheus ConfigMap +if [[ "$is_4_11_plus" == false ]]; then + kubectl -n stackrox delete configmap prometheus + kubectl create -f "${SCRIPT_DIR}"/prometheus.yaml fi
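Review bot: `version_major` and `version_minor` reach the new `[[ … -gt … ]]` / `-ge` tests without any check that they are numeric: when `MAIN_IMAGE_TAG` does not start with `N.N`, the `sed` substitution in the context line above returns the tag unchanged and `cut` passes its fragments straight through. Bash evaluates a non-numeric operand of `-gt`/`-ge` as an arithmetic expression, so such a tag is interpreted rather than compared, and depending on shell options the script either aborts or quietly takes the pre-4.11 path. Matching once and failing closed avoids both: `[[ "${MAIN_IMAGE_TAG}" =~ ^([0-9]+)\.([0-9]+) ]] || { echo "unsupported MAIN_IMAGE_TAG: ${MAIN_IMAGE_TAG}" >&2; exit 1; }`, then `version_major=${BASH_REMATCH[1]}` and `version_minor=${BASH_REMATCH[2]}`. This also removes the `echo | sed` and two `echo | cut` subprocesses.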