From 17ba64f1ee94b350dd1a0d219f58840167f96866 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 6 Dec 2022 15:56:25 +0000 Subject: [PATCH] feat: latest aws-nth and auth, latest 1.24 upgrad flow --- README.md | 4 +- admin/migrate_argo_values.py | 12 +++++ admin/upgrade_cluster.sh | 5 ++ .../51-aws-iam-authenticator-deployment.yaml | 2 +- charts/kubezero-addons/Chart.yaml | 4 +- charts/kubezero-addons/README.md | 17 ++---- .../aws-node-termination-handler/Chart.yaml | 4 +- .../aws-node-termination-handler/README.md | 1 + .../templates/daemonset.linux.yaml | 2 + .../templates/daemonset.windows.yaml | 2 + .../templates/deployment.yaml | 2 + .../aws-node-termination-handler/values.yaml | 3 ++ charts/kubezero-addons/values.yaml | 25 +-------- charts/kubezero-argocd/README.md | 10 +++- charts/kubezero-ci/README.md | 16 +++--- charts/kubezero-mq/README.md | 21 ++++++-- charts/kubezero/README.md | 5 +- charts/kubezero/templates/addons.yaml | 12 +++++ charts/kubezero/templates/argocd.yaml | 53 +++++++++++++++---- charts/kubezero/values.yaml | 6 ++- 20 files changed, 134 insertions(+), 72 deletions(-) diff --git a/README.md b/README.md index eec313dc..46a7947d 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ gantt beta :124b, 2022-11-14, 2022-12-31 release :after 124b, 2023-06-01 section 1.25 - beta :125b, 2023-02-01, 2023-02-28 + beta :125b, 2023-03-01, 2023-03-31 release :after 125b, 2023-08-01 ``` @@ -44,7 +44,7 @@ gantt # Components ## OS -- all nodes are based on Alpine V3.15 +- all nodes are based on Alpine V3.16 - 2 GB encrypted root filesystem - no 3rd party dependencies at boot ( other than container registries ) - minimal attack surface diff --git a/admin/migrate_argo_values.py b/admin/migrate_argo_values.py index 71a50efb..b049b0bd 100755 --- a/admin/migrate_argo_values.py +++ b/admin/migrate_argo_values.py 
@@ -17,6 +17,18 @@ def migrate(values): deleteKey(values["network"], "calico") deleteKey(values["network"], "multus") + # ArgoCD helm changes + if "argocd" in values: + if "server" in values["argocd"]: + if not "configs" in values["argocd"]: + values["argocd"]["configs"] = {} + if not "cm" in values["argocd"]["configs"]: + values["argocd"]["configs"]["cm"] = {} + values["argocd"]["configs"]["cm"]["url"] = values["argocd"]["server"]["config"][ + "url" + ] + deleteKey(values["argocd"], "server") + return values diff --git a/admin/upgrade_cluster.sh b/admin/upgrade_cluster.sh index 3219753f..7e9b825d 100755 --- a/admin/upgrade_cluster.sh +++ b/admin/upgrade_cluster.sh @@ -164,6 +164,11 @@ waitSystemPodsRunning echo "Applying remaining KubeZero modules..." +# delete argocd deployments as various immutable things changed, also redis restart fails otherwise +kubectl delete deployment argocd-redis -n argocd || true +kubectl delete deployment argocd-repo-server -n argocd || true +kubectl delete statefulset argocd-application-controller -n argocd || true + control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_argocd" # Final step is to commit the new argocd kubezero app diff --git a/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml b/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml index 600fd345..5145b7ac 100644 --- a/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml +++ b/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml @@ -117,7 +117,7 @@ spec: containers: - name: aws-iam-authenticator - image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.5.9 + image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.5.11 args: - server - --backend-mode=CRD,MountedFile diff --git a/charts/kubezero-addons/Chart.yaml b/charts/kubezero-addons/Chart.yaml index e612f1be..4ad2e91b 100644 
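Review bot: The new block reads `values["argocd"]["server"]["config"]["url"]` unguarded, so a values file whose `argocd.server` has no `config`/`url` (for example one that only customised another `server` key) aborts the migration with a KeyError, while every other key on that path is probed with `in` first. Fetching the url through `.get` chains and creating the nested maps with `setdefault` keeps the migration total and also fixes the `if not "configs" in ...` idiom (`"configs" not in ...`). The original overwrites an existing `configs.cm.url` with the old `server.config.url`; the rewrite below keeps that precedence, which deserves a comment if it is intended. `migrate` begins outside this hunk, and whether `deleteKey` tolerates a missing key is not visible here.
```python
    # ArgoCD helm changes: argocd.server.config.url moved to argocd.configs.cm.url
    if "argocd" in values and "server" in values["argocd"]:
        url = values["argocd"]["server"].get("config", {}).get("url")
        if url is not None:
            cm = values["argocd"].setdefault("configs", {}).setdefault("cm", {})
            cm["url"] = url
        deleteKey(values["argocd"], "server")
```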
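Review bot: `|| true` on the three new `kubectl delete` lines masks every failure — wrong kube context, expired credentials, an RBAC denial, an unreachable API server — not only the "resource not found" case it is presumably there to tolerate, so the script would continue into `control_plane_upgrade` with the old ArgoCD workloads still present, which the added comment says makes the redis restart fail. `kubectl delete deployment argocd-redis -n argocd --ignore-not-found` (and the same flag on the other two lines) keeps the step idempotent while letting a real error surface to whatever error handling the script uses (`set -e` is not visible in this hunk). The deletes also run unconditionally even if ArgoCD is not deployed on this cluster; guarding them on the same condition the rest of the script uses for `apply_argocd` would avoid spurious API calls, though that condition is outside the hunk.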
--- a/charts/kubezero-addons/Chart.yaml +++ b/charts/kubezero-addons/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-addons description: KubeZero umbrella chart for various optional cluster addons type: application -version: 0.7.0 +version: 0.7.1 appVersion: v1.24 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -18,7 +18,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: aws-node-termination-handler - version: 0.19.3 + version: 0.20.0 # repository: https://aws.github.io/eks-charts condition: aws-node-termination-handler.enabled - name: external-dns diff --git a/charts/kubezero-addons/README.md b/charts/kubezero-addons/README.md index b648b83a..2c56d653 100644 --- a/charts/kubezero-addons/README.md +++ b/charts/kubezero-addons/README.md @@ -1,6 +1,6 @@ # kubezero-addons -![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.24](https://img.shields.io/badge/AppVersion-v1.24-informational?style=flat-square) +![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.24](https://img.shields.io/badge/AppVersion-v1.24-informational?style=flat-square) KubeZero umbrella chart for various optional cluster addons @@ -18,7 +18,7 @@ Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| | aws-node-termination-handler | 0.19.3 | +| | aws-node-termination-handler | 0.20.0 | | https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.11.0 | | https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.21.0 | | https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.12.3 | 
@@ -54,6 +54,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | aws-node-termination-handler.fullnameOverride | string | `"aws-node-termination-handler"` | | | aws-node-termination-handler.ignoreDaemonSets | bool | `true` | | | aws-node-termination-handler.jsonLogging | bool | `true` | | +| aws-node-termination-handler.logFormatVersion | int | `2` | | | aws-node-termination-handler.managedTag | string | `"aws-node-termination-handler/managed"` | "aws-node-termination-handler/${ClusterName}" | | aws-node-termination-handler.metadataTries | int | `0` | | | aws-node-termination-handler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | 
@@ -90,18 +91,6 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | clusterBackup.password | string | `""` | /etc/cloudbender/clusterBackup.passphrase | | clusterBackup.repository | string | `""` | s3:https://s3.amazonaws.com/${CFN[ConfigBucket]}/k8s/${CLUSTERNAME}/clusterBackup | | external-dns.enabled | bool | `false` | | -| external-dns.env[0] | object | `{"name":"AWS_ROLE_ARN","value":""}` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" | -| external-dns.env[1].name | string | `"AWS_WEB_IDENTITY_TOKEN_FILE"` | | -| external-dns.env[1].value | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/token"` | | -| external-dns.env[2].name | string | `"AWS_STS_REGIONAL_ENDPOINTS"` | | -| external-dns.env[2].value | string | `"regional"` | | -| external-dns.extraVolumeMounts[0].mountPath | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/"` | | -| external-dns.extraVolumeMounts[0].name | string | `"aws-token"` | | -| external-dns.extraVolumeMounts[0].readOnly | bool | `true` | | -| external-dns.extraVolumes[0].name | string | `"aws-token"` | | -| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.audience | string | `"sts.amazonaws.com"` | | -| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | | -| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | | | external-dns.interval | string | `"3m"` | | | external-dns.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | external-dns.provider | string | `"inmemory"` | | diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml index a4f67d2f..ee7e7cf2 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml 
+++ b/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.17.3 +appVersion: 1.18.0 description: A Helm chart for the AWS Node Termination Handler. home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png @@ -22,4 +22,4 @@ sources: - https://github.com/aws/aws-node-termination-handler/ - https://github.com/aws/eks-charts/ type: application -version: 0.19.3 +version: 0.20.0 diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/README.md b/charts/kubezero-addons/charts/aws-node-termination-handler/README.md index 5d8825af..4b9c8843 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/README.md +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/README.md @@ -70,6 +70,7 @@ The configuration in this table applies to all AWS Node Termination Handler mode | `extraEnv` | Additional environment variables for the _aws-node-termination-handler_ container. | `[]` | | `probes` | The Kubernetes liveness probe configuration. | _See values.yaml_ | | `logLevel` | Sets the log level (`info`,`debug`, or `error`) | `info` | +| `logFormatVersion` | Sets the log format version. Available versions: 1, 2. Version 1 refers to the format that has been used through v1.17.3. Version 2 offers more detail for the "event kind" and "reason", especially when operating in Queue Processor mode. | `1` | | `jsonLogging` | If `true`, use JSON-formatted logs instead of human readable logs. | `false` | | `enablePrometheusServer` | If `true`, start an http server exposing `/metrics` endpoint for _Prometheus_. | `false` | | `prometheusServerPort` | Replaces the default HTTP port for exposing _Prometheus_ metrics. | `9092` | 
diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml index b6568ad6..95e4b50f 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml @@ -81,6 +81,8 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml index 6a9118fe..8a9db7bf 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml @@ -81,6 +81,8 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml index 9259e7b8..33f31bb0 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml 
@@ -78,6 +78,8 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml index 2fbdf2d3..c965358e 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml @@ -66,6 +66,9 @@ probes: # Set the log level logLevel: info +# Set the log format version +logFormatVersion: 1 + # Log messages in JSON format jsonLogging: false diff --git a/charts/kubezero-addons/values.yaml b/charts/kubezero-addons/values.yaml index 79f883ac..175d1388 100644 --- a/charts/kubezero-addons/values.yaml +++ b/charts/kubezero-addons/values.yaml @@ -29,9 +29,6 @@ aws-node-termination-handler: fullnameOverride: "aws-node-termination-handler" - #image: - # tag: v1.14.1 - # -- "aws-node-termination-handler/${ClusterName}" managedTag: "aws-node-termination-handler/managed" @@ -63,6 +60,7 @@ aws-node-termination-handler: create: false jsonLogging: true + logFormatVersion: 2 tolerations: - key: node-role.kubernetes.io/master 
@@ -185,24 +183,3 @@ external-dns: #- istio-gateway provider: inmemory - - extraVolumes: - - name: aws-token - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 86400 - audience: "sts.amazonaws.com" - extraVolumeMounts: - - name: aws-token - mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" - readOnly: true - env: - # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" - - name: AWS_ROLE_ARN - value: "" - - name: AWS_WEB_IDENTITY_TOKEN_FILE - value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" - - name: AWS_STS_REGIONAL_ENDPOINTS - value: "regional" diff --git a/charts/kubezero-argocd/README.md b/charts/kubezero-argocd/README.md index b833d225..b17bba9d 100644 --- a/charts/kubezero-argocd/README.md +++ b/charts/kubezero-argocd/README.md @@ -2,7 +2,7 @@ ![Version: 0.11.1](https://img.shields.io/badge/Version-0.11.1-informational?style=flat-square) -KubeZero ArgoCD integration, config and branding as well as ArgoCD image-updater +KubeZero ArgoCD - config, branding, image-updater (optional) **Homepage:** 
@@ -56,7 +56,15 @@ Kubernetes: `>= 1.24.0` | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | | argocd-apps.applications | list | `[]` | | | argocd-apps.projects | list | `[]` | | +| argocd-image-updater.authScripts.enabled | bool | `true` | | +| argocd-image-updater.authScripts.scripts."ecr-login.sh" | string | `"#!/bin/sh\naws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d\n"` | | +| argocd-image-updater.authScripts.scripts."ecr-public-login.sh" | string | `"#!/bin/sh\naws ecr-public --region us-east-1 get-authorization-token --output text --query 'authorizationData.authorizationToken' | base64 -d\n"` | | +| argocd-image-updater.config.argocd.plaintext | bool | `true` | | | argocd-image-updater.enabled | bool | `false` | | +| argocd-image-updater.fullnameOverride | string | `"argocd-image-updater"` | | +| argocd-image-updater.metrics.enabled | bool | `false` | | +| argocd-image-updater.metrics.serviceMonitor.enabled | bool | `true` | | +| argocd-image-updater.sshConfig.config | string | `"Host *\n PubkeyAcceptedAlgorithms +ssh-rsa\n HostkeyAlgorithms +ssh-rsa\n"` | | | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | | istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | | istio.ipBlocks | list | `[]` | | diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 13d8c255..7d410e16 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md 
@@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.5.17](https://img.shields.io/badge/Version-0.5.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.5.20](https://img.shields.io/badge/Version-0.5.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -20,8 +20,8 @@ Kubernetes: `>= 1.20.0` |------------|------|---------| | https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.17 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://charts.jenkins.io | jenkins | 4.2.10 | -| https://dl.gitea.io/charts/ | gitea | 5.0.9 | +| https://charts.jenkins.io | jenkins | 4.2.13 | +| https://dl.gitea.io/charts/ | gitea | 6.0.3 | | https://gocd.github.io/helm-chart | gocd | 1.40.8 | # Jenkins @@ -54,7 +54,7 @@ Kubernetes: `>= 1.20.0` | gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | | | gitea.image.rootless | bool | `true` | | -| gitea.image.tag | string | `"1.17.1"` | | +| gitea.image.tag | string | `"1.17.3"` | | | gitea.istio.enabled | bool | `false` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.url | string | `"git.example.com"` | | 
@@ -85,7 +85,7 @@ Kubernetes: `>= 1.20.0` | jenkins.agent.resources.requests.cpu | string | `"512m"` | | | jenkins.agent.resources.requests.memory | string | `"1024Mi"` | | | jenkins.agent.showRawYaml | bool | `false` | | -| jenkins.agent.tag | string | `"v0.4.0"` | | +| jenkins.agent.tag | string | `"v0.4.1"` | | | jenkins.agent.yamlMergeStrategy | string | `"merge"` | | | jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | 
@@ -97,9 +97,9 @@ Kubernetes: `>= 1.20.0` | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | | | jenkins.controller.installPlugins[0] | string | `"kubernetes:3734.v562b_b_a_627ea_c"` | | | jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | | -| jenkins.controller.installPlugins[2] | string | `"git:4.13.0"` | | +| jenkins.controller.installPlugins[2] | string | `"git:4.14.1"` | | | jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1569.vb_72405b_80249"` | | -| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | | +| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:155.v795fb_8702324"` | | | jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.11"` | | | jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.31"` | | | jenkins.controller.installPlugins[7] | string | `"build-discarder:139.v05696a_7fe240"` | | @@ -129,7 +129,7 @@ Kubernetes: `>= 1.20.0` | jenkins.serviceAccountAgent.create | bool | `true` | | | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | | trivy.enabled | bool | `false` | | +| trivy.image.tag | string | `"0.34.0"` | | | trivy.persistence.enabled | bool | `true` | | | trivy.persistence.size | string | `"1Gi"` | | | trivy.rbac.create | bool | `false` | | -| trivy.rbac.pspEnabled | bool | `false` | | diff --git a/charts/kubezero-mq/README.md b/charts/kubezero-mq/README.md index 3f0b17c7..394d0428 100644 --- a/charts/kubezero-mq/README.md +++ b/charts/kubezero-mq/README.md 
@@ -1,6 +1,6 @@ # kubezero-mq -![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for MQ systems like NATS, RabbitMQ @@ -20,7 +20,8 @@ Kubernetes: `>= 1.20.0` |------------|------|---------| | | nats | 0.8.4 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://charts.bitnami.com/bitnami | rabbitmq | 11.1.1 | +| https://charts.bitnami.com/bitnami | rabbitmq | 11.1.5 | +| https://charts.bitnami.com/bitnami | rabbitmq-cluster-operator | 3.1.4 | ## Values 
@@ -34,20 +35,30 @@ Kubernetes: `>= 1.20.0` | nats.nats.advertise | bool | `false` | | | nats.nats.jetstream.enabled | bool | `true` | | | nats.natsbox.enabled | bool | `false` | | +| rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` | | +| rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq-cluster-operator.enabled | bool | `false` | | +| rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` | | +| rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq-cluster-operator.rabbitmqImage.tag | string | `"3.11.4-debian-11-r0"` | | +| rabbitmq-cluster-operator.useCertManager | bool | `true` | | | rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` | | | rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` | | | rabbitmq.auth.tls.enabled | bool | `false` | | | rabbitmq.auth.tls.existingSecret | string | `"rabbitmq-server-certificate"` | | | rabbitmq.auth.tls.existingSecretFullChain | bool | `true` | | | rabbitmq.auth.tls.failIfNoPeerCert | bool | `false` | | -| rabbitmq.clustering.forceBoot | bool | `true` | | +| rabbitmq.clustering.enabled | bool | `false` | | +| rabbitmq.clustering.forceBoot | bool | `false` | | | rabbitmq.enabled | bool | `false` | | | rabbitmq.hosts | list | `[]` | hostnames of rabbitmq services, used for Istio and TLS | | rabbitmq.istio.enabled | bool | `false` | | | rabbitmq.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | +| rabbitmq.istio.mqtts | bool | `false` | | | rabbitmq.metrics.enabled | bool | `false` | | -| rabbitmq.metrics.serviceMonitor.enabled | bool | `false` | | -| rabbitmq.pdb.create | bool | `true` | | +| rabbitmq.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq.pdb.create | bool | `false` | | +| rabbitmq.persistence.size | string | `"2Gi"` | | | rabbitmq.podAntiAffinityPreset | string | `""` | | | rabbitmq.replicaCount | int | 
`1` | | | rabbitmq.resources.requests.cpu | string | `"100m"` | | diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index ab209153..e3382bb4 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -30,11 +30,12 @@ Kubernetes: `>= 1.24.0` | addons.enabled | bool | `true` | | | addons.external-dns.enabled | bool | `false` | | | addons.forseti.enabled | bool | `false` | | -| addons.targetRevision | string | `"0.7.0"` | | +| addons.targetRevision | string | `"0.7.1"` | | +| argocd.argocd-image-updater.enabled | bool | `false` | | | argocd.enabled | bool | `false` | | | argocd.istio.enabled | bool | `false` | | | argocd.namespace | string | `"argocd"` | | -| argocd.targetRevision | string | `"0.10.2"` | | +| argocd.targetRevision | string | `"0.11.1"` | | | cert-manager.enabled | bool | `false` | | | cert-manager.namespace | string | `"cert-manager"` | | | cert-manager.targetRevision | string | `"0.9.3"` | | diff --git a/charts/kubezero/templates/addons.yaml b/charts/kubezero/templates/addons.yaml index c2ac5b2f..62b14d74 100644 --- a/charts/kubezero/templates/addons.yaml +++ b/charts/kubezero/templates/addons.yaml @@ -77,6 +77,18 @@ external-dns: value: "regional" - name: METADATA_TRIES value: "0" + extraVolumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + extraVolumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true {{- end }} cluster-autoscaler: diff --git a/charts/kubezero/templates/argocd.yaml b/charts/kubezero/templates/argocd.yaml index 797f33d3..705fb9ec 100644 --- a/charts/kubezero/templates/argocd.yaml +++ b/charts/kubezero/templates/argocd.yaml @@ -1,6 +1,11 @@ {{- define "argocd-values" }} argo-cd: + {{- with index .Values "argocd" "configs" }} + configs: + {{- toYaml . | nindent 4 }} + {{- end }} + controller: metrics: enabled: {{ .Values.metrics.enabled }} 
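Review bot: The added `aws-token` projected volume and its mount appear verbatim here and again in `charts/kubezero/templates/argocd.yaml` in this same commit, and the mount is only correct because `mountPath` plus `path` equals the `AWS_WEB_IDENTITY_TOKEN_FILE` env value set a few lines above, which this hunk does not show. A named template in this chart that emits both the volume and the mount for a given volume name would remove the duplication and keep the path in one place; the jenkins agent `yamlTemplate` shown in the kubezero-ci README carries the same block once more. At minimum a comment such as `# IRSA web-identity token; mountPath + path must equal AWS_WEB_IDENTITY_TOKEN_FILE above` would document the coupling for the next person who changes either side. The enclosing `{{- if ... }}` of this external-dns block starts outside the hunk.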
@@ -10,10 +15,9 @@ argo-cd: server: metrics: enabled: {{ .Values.metrics.enabled }} - {{- with index .Values "argocd" "server" }} - {{- toYaml . | nindent 4 }} - {{- end }} - additionalProjects: + +argocd-apps: + projects: - name: kubezero namespace: argocd description: KubeZero - ZeroDownTime Kubernetes Platform @@ -28,7 +32,7 @@ argo-cd: clusterResourceWhitelist: - group: '*' kind: '*' - additionalApplications: + applications: - name: kubezero-git-sync namespace: argocd project: kubezero @@ -47,13 +51,44 @@ argo-cd: {{- with .Values.kubezero.syncPolicy }} syncPolicy: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} - {{- with index .Values "argocd" "configs" }} - configs: - {{- toYaml . | nindent 4 }} +argocd-image-updater: + enabled: {{ default "false" (index .Values "argocd" "argocd-image-updater" "enabled") }} + + {{- with omit (index .Values "argocd" "argocd-image-updater") "enabled" }} + {{- toYaml . | nindent 2 }} {{- end }} + {{- if .Values.global.aws }} + extraEnv: + - name: AWS_ROLE_ARN + value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater" + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + - name: AWS_STS_REGIONAL_ENDPOINTS + value: "regional" + - name: METADATA_TRIES + value: "0" + - name: AWS_REGION + value: {{ .Values.global.aws.region }} + volumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + volumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true + {{- end }} + + metrics: + enabled: {{ .Values.metrics.enabled }} + {{- if and ( index .Values "argocd" "istio" "enabled" ) .Values.istio.enabled }} istio: {{- with index .Values "argocd" "istio" }} 
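Review bot: `omit (index .Values "argocd" "argocd-image-updater") "enabled"` dumps the user's whole image-updater block at indent 2, and the template then appends `metrics:` and, when `global.aws` is set, `extraEnv:`, `volumes:` and `volumeMounts:` at the same level, so a values file that sets any of those four keys renders a mapping with duplicate keys — depending on how `argocd-values` is consumed that is either a parse error or a silent override of the chart-managed IRSA settings. Either omit those keys as well (`{{- with omit (index .Values "argocd" "argocd-image-updater") "enabled" "metrics" "extraEnv" "volumes" "volumeMounts" }}`) and document that they are chart-managed, or merge user-supplied entries into the generated lists. Separately, `value: {{ .Values.global.aws.region }}` is the only env value in the list rendered unquoted; `value: {{ .Values.global.aws.region | quote }}` matches its neighbours and guarantees a YAML string. The `argocd-values` define continues beyond this hunk.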
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index a10f0081..bb31830e 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -10,7 +10,7 @@ global: addons: enabled: true - targetRevision: 0.7.0 + targetRevision: 0.7.1 external-dns: enabled: false forseti: @@ -79,6 +79,8 @@ logging: argocd: enabled: false namespace: argocd - targetRevision: 0.10.2 + targetRevision: 0.11.1 + argocd-image-updater: + enabled: false istio: enabled: false