diff --git a/admin/dev_apply.sh b/admin/dev_apply.sh index 249d2b6b..19895f63 100755 --- a/admin/dev_apply.sh +++ b/admin/dev_apply.sh @@ -4,10 +4,10 @@ set -x ARTIFACTS=($(echo $1 | tr "," "\n")) -ACTION=$2 +ACTION="${2:-apply}" +ARGOCD="${3:-False}" LOCAL_DEV=1 -ARGOCD="False" #VERSION="latest" KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)" @@ -85,7 +85,7 @@ helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $ # Root KubeZero apply directly and exit if [ ${ARTIFACTS[0]} == "kubezero" ]; then - kubectl replace -f $WORKDIR/kubezero/templates + kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD) exit $? # "catch all" apply all enabled modules @@ -100,7 +100,7 @@ if [ "$ACTION" == "delete" ]; then _helm delete ${ARTIFACTS[idx]} || true done else - if [ "$ACTION" == "" -o "$ACTION" == "crds" ]; then + if [ "$ACTION" == "apply" -o "$ACTION" == "crds" ]; then for t in ${ARTIFACTS[@]}; do _helm crds $t || true done diff --git a/admin/kubezero.sh b/admin/kubezero.sh index f71ae346..4183308c 100755 --- a/admin/kubezero.sh +++ b/admin/kubezero.sh @@ -104,9 +104,9 @@ pre_kubeadm() { # Shared steps after calling kubeadm post_kubeadm() { - # KubeZero resources + # KubeZero resources - will never be applied by ArgoCD for f in ${WORKDIR}/kubeadm/templates/resources/*.yaml; do - kubectl apply -f $f $LOG + kubectl apply -f $f --server-side --force-conflicts $LOG done } @@ -115,9 +115,13 @@ post_kubeadm() { control_plane_upgrade() { CMD=$1 + ARGOCD=$(argo_used) + render_kubeadm upgrade if [[ "$CMD" =~ ^(cluster)$ ]]; then + pre_control_plane_upgrade_cluster + # get current values, argo app over cm get_kubezero_values $ARGOCD 
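Review bot: In admin/dev_apply.sh (hunk at -4,10) the new third positional argument is accepted as any string, but `field_manager` in admin/libhelm.sh matches only the exact value `True`. As a result `true`, `1` or a typo silently selects kubectl's default field manager. Reject unknown values right after the assignment, e.g. `case "$ARGOCD" in True|False) ;; *) echo "ARGOCD must be True or False" >&2; exit 1 ;; esac`. If the script has a usage comment above this hunk, it should also mention the new argument and the `apply` default for `ACTION`.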
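Review bot: In post_kubeadm (admin/kubezero.sh, hunk at -104,9) the added `--server-side --force-conflicts` lets this loop take over fields owned by any other manager without reporting a conflict, while the comment only says who does not apply these files. The comment should give the reason, e.g. `# KubeZero resources - never applied by ArgoCD, so forcing ownership here is safe`, if that is the intent. `$f` is also unquoted, and the loop runs once with the literal pattern when the glob matches nothing; `[ -e "$f" ] || continue` before the apply would cover that.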
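Review bot: In control_plane_upgrade (admin/kubezero.sh, hunks at -115,9 and -147,13) the pre hooks now run after `render_kubeadm upgrade`, whereas the case arms removed at -394,17 called them before `control_plane_upgrade` and therefore before rendering. If any hook is expected to influence what gets rendered, this changes behaviour; otherwise a comment such as `# hooks intentionally run after render_kubeadm` would record the decision. `ARGOCD=$(argo_used)` is assigned without `local`, which looks deliberate because `create_ns` and `_helm` in libhelm.sh read the global, but a failing `argo_used` leaves it empty and `field_manager` then silently falls back to the default manager. The function body continues outside these hunks.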
@@ -133,7 +137,7 @@ control_plane_upgrade() { kubectl get application kubezero -n argocd -o yaml | \ yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \ > $WORKDIR/new-argocd-app.yaml - kubectl replace -f $WORKDIR/new-argocd-app.yaml + kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD) fi pre_kubeadm @@ -147,13 +151,19 @@ control_plane_upgrade() { # install re-certed kubectl config for root cp ${HOSTFS}/etc/kubernetes/super-admin.conf ${HOSTFS}/root/.kube/config + post_control_plane_upgrade_cluster + echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm." elif [[ "$CMD" =~ ^(final)$ ]]; then + pre_cluster_upgrade_final + # Finally upgrade addons last, with 1.32 we can ONLY call addon phase #_kubeadm upgrade apply phase addon all $KUBE_VERSION _kubeadm upgrade apply $KUBE_VERSION + post_cluster_upgrade_final + echo "Upgraded kubeadm addons." fi @@ -394,17 +404,10 @@ for t in $@; do join) control_plane_node join;; restore) control_plane_node restore;; kubeadm_upgrade) - ARGOCD=$(argo_used) - # call hooks - pre_control_plane_upgrade_cluster control_plane_upgrade cluster - post_control_plane_upgrade_cluster ;; finalize_cluster_upgrade) - ARGOCD=$(argo_used) - pre_cluster_upgrade_final control_plane_upgrade final - post_cluster_upgrade_final ;; apply_*) ARGOCD=$(argo_used) diff --git a/admin/libhelm.sh b/admin/libhelm.sh index 42bc4fc3..5a5aa32b 100644 --- a/admin/libhelm.sh +++ b/admin/libhelm.sh @@ -34,6 +34,15 @@ function argo_used() { } +function field_manager() { + if [ "$1" == "True" ]; then + echo "--field-manager argo-controller" + else + echo "" + fi +} + + # get kubezero-values from ArgoCD if available or use in-cluster CM function get_kubezero_values() { local argo=${1:-"False"} 
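Review bot: In field_manager (admin/libhelm.sh, hunk at -34,6) the manager name is `argo-controller`; to my knowledge Argo CD's own server-side-apply manager is named `argocd-controller`, so if the goal is to write under the same owner as Argo CD, the name should be confirmed against the deployed version. Either way, manual `kubectl` runs that reuse the controller's manager name become indistinguishable from controller writes in `managedFields`, which matters when reconstructing who changed a resource; a header comment should state that this is deliberate. The function also returns two words in one string, so every caller (dev_apply.sh, kubezero.sh, and `create_ns`, the CRD apply and `_helm` in this file) depends on leaving `$(field_manager $ARGOCD)` unquoted. Document that on the function, e.g. `# prints extra kubectl args; callers must NOT quote the substitution`.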
@@ -114,7 +123,7 @@ function argo_app_synced() { function create_ns() { local namespace=$1 if [ "$namespace" != "kube-system" ]; then - kubectl get ns $namespace > /dev/null || kubectl create ns $namespace + kubectl get ns $namespace > /dev/null || kubectl create ns $namespace $(field_manager $ARGOCD) fi } @@ -144,7 +153,7 @@ for manifest in yaml.safe_load_all(sys.stdin): # Only apply if there are actually any crds if [ -s $WORKDIR/crds.yaml ]; then [ -n "$DEBUG" ] && cat $WORKDIR/crds.yaml - kubectl apply -f $WORKDIR/crds.yaml --server-side --force-conflicts + kubectl apply -f $WORKDIR/crds.yaml --server-side --force-conflicts $(field_manager $ARGOCD) fi } @@ -204,7 +213,7 @@ function _helm() { declare -F ${module}-pre && ${module}-pre render - kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts && rc=$? || rc=$? + kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$? # Optional post hook declare -F ${module}-post && ${module}-post diff --git a/charts/kubeadm/TODO b/charts/kubeadm/TODO new file mode 100644 index 00000000..92714093 --- /dev/null +++ b/charts/kubeadm/TODO @@ -0,0 +1,6 @@ +"Use of insecure cipher detected.","v":0,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384"} +"Use of insecure cipher detected.","v":0,"cipher":"TLS_RSA_WITH_AES_128_GCM_SHA256"} + + +"RuntimeConfig from runtime service failed","err":"rpc error: code = Unimplemented desc = unknown method RuntimeConfig for service runtime.v1.RuntimeService"} +"CRI implementation should be updated to support RuntimeConfig when KubeletCgroupDriverFromCRI feature gate has been enabled. Falling back to using cgroupDriver from kubelet config." diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml index 7461ee42..2adfef1f 100644 --- a/charts/kubeadm/templates/ClusterConfiguration.yaml +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml 
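Review bot: The new charts/kubeadm/TODO records the log warnings without saying which component emitted them or what the follow-up is. Both flagged suites use static RSA key exchange, which provides no forward secrecy, so the likely action is to drop them from whatever cipher-suite list the chart configures (not visible in this diff). A first line such as `# <component> warnings to resolve: remove TLS_RSA_* suites; CRI must be updated to support RuntimeConfig` would make the file actionable, with the component name filled in by the author.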
@@ -2,8 +2,8 @@ apiVersion: kubeadm.k8s.io/v1beta4 kind: ClusterConfiguration kubernetesVersion: {{ .Chart.Version }} clusterName: {{ .Values.global.clusterName }} -#featureGates: -# NonGracefulFailover: true +featureGates: + ControlPlaneKubeletLocalMode: true controlPlaneEndpoint: {{ .Values.api.endpoint }} networking: podSubnet: 10.244.0.0/16 diff --git a/charts/kubeadm/templates/_helpers.tpl b/charts/kubeadm/templates/_helpers.tpl index 50aaf7d2..aa22b4b5 100644 --- a/charts/kubeadm/templates/_helpers.tpl +++ b/charts/kubeadm/templates/_helpers.tpl @@ -3,7 +3,7 @@ {{- /* v1.28: PodAndContainerStatsFromCRI still not working */ -}} {{- /* v1.28: UnknownVersionInteroperabilityProxy requires StorageVersionAPI which is still alpha in 1.30 */ -}} {{- define "kubeadm.featuregates" }} -{{- $gates := list "CustomCPUCFSQuotaPeriod" "AuthorizeWithSelectors" "AuthorizeNodeWithSelectors" "ConsistentListFromCache" "VolumeAttributesClass" "WatchList"}} +{{- $gates := list "CustomCPUCFSQuotaPeriod" "AuthorizeWithSelectors" "AuthorizeNodeWithSelectors" "ConsistentListFromCache" "VolumeAttributesClass" "WatchList" }} {{- if eq .return "csv" }} {{- range $key := $gates }} {{- $key }}=true, diff --git a/charts/kubezero-ci/templates/gitea/istio-service.yaml b/charts/kubezero-ci/templates/gitea/istio-service.yaml index 9d92adaf..dd3a406f 100644 --- a/charts/kubezero-ci/templates/gitea/istio-service.yaml +++ b/charts/kubezero-ci/templates/gitea/istio-service.yaml @@ -12,14 +12,12 @@ spec: hosts: - {{ .Values.gitea.istio.url }} http: - {{- if .Values.gitea.istio.authProvider }} - # https://github.com/go-gitea/gitea/issues/13606 + {{- if .Values.gitea.istio.blockApi }} - match: - uri: - regex: ^/user/login.* - redirect: - uri: /user/oauth2/{{ .Values.gitea.istio.authProvider }} - redirectCode: 302 + prefix: /api + directResponse: + status: 401 {{- end }} - route: - destination: diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index a241fb77..7d2f5e60 100644 
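Review bot: `ControlPlaneKubeletLocalMode: true` is switched on unconditionally in charts/kubeadm/templates/ClusterConfiguration.yaml with no comment on why or for which Kubernetes release. kubeadm feature gates change maturity between releases and `kubernetesVersion` here follows `.Chart.Version`, so the setting needs revisiting on each chart bump. As I understand the gate, a comment like `# ControlPlaneKubeletLocalMode: control-plane kubelets talk to the local API server during upgrades; drop once the gate graduates` would capture that.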
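Review bot: In charts/kubezero-ci/templates/gitea/istio-service.yaml the `/user/login` redirect is removed together with its `authProvider` condition, so a deployment that still sets `gitea.istio.authProvider` silently loses the forced OAuth redirect and the local login form is reachable through the gateway again. If that is intended, it belongs in the chart's upgrade notes; otherwise keep the old block alongside the new one. For the new rule, `prefix: /api` is a plain string prefix (it also matches paths like `/apiary`, and is case-sensitive unless `ignoreUriCase` is set). A blanket block is also more accurately a `403` than a `401`, which tells clients to retry with credentials. Git-over-HTTP paths are outside this match, so `blockApi` should not be read as disabling all token-based access.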
--- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -87,6 +87,7 @@ gitea: enabled: false gateway: istio-ingress/private-ingressgateway url: git.example.com + blockApi: false jenkins: diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index 438652ab..d6273964 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.8.13 +version: 0.8.14 appVersion: 1.6.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index d4154685..28e07e52 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.8.13](https://img.shields.io/badge/Version-0.8.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.8.14](https://img.shields.io/badge/Version-0.8.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack @@ -18,7 +18,7 @@ Kubernetes: `>= 1.26.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://fluent.github.io/helm-charts | fluent-bit | 0.47.10 | | https://fluent.github.io/helm-charts | fluentd | 0.5.2 | 
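Review bot: `blockApi` is added to charts/kubezero-ci/values.yaml without a comment, and its default of `false` leaves the Gitea API reachable through the gateway. Add a line above the key such as `# blockApi: when true the Istio VirtualService answers 401 for every request under /api` so operators know what the switch does and that it is opt-in.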
@@ -135,7 +135,7 @@ Kubernetes: `>= 1.26.0` | kibana.istio.enabled | bool | `false` | | | kibana.istio.gateway | string | `"istio-system/ingressgateway"` | | | kibana.istio.url | string | `""` | | -| version | string | `"7.17.3"` | | +| version | string | `"7.17.7"` | | ## Resources: diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 190c98ce..059f565d 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -2,7 +2,7 @@ # fullnameOverride: "" # Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.17.3 +version: 7.17.7 elastic_password: "" # super_secret_elastic_password diff --git a/charts/kubezero/templates/addons.yaml b/charts/kubezero/templates/addons.yaml index 6f1d3e6e..fe39b8ef 100644 --- a/charts/kubezero/templates/addons.yaml +++ b/charts/kubezero/templates/addons.yaml @@ -42,6 +42,8 @@ external-dns: - "--aws-zone-type=public" - "--aws-zones-cache-duration=1h" env: + - name: AWS_REGION + value: {{ .Values.global.aws.region }} - name: AWS_ROLE_ARN value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS" - name: AWS_WEB_IDENTITY_TOKEN_FILE diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 9d6cc7b9..e4a46123 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -114,7 +114,7 @@ metrics: logging: enabled: false namespace: logging - targetRevision: 0.8.13 + targetRevision: 0.8.14 argo: enabled: false
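Review bot: In charts/kubezero/templates/addons.yaml (hunk at -42,6) the new `AWS_REGION` value is rendered unquoted, unlike the `AWS_ROLE_ARN` entry directly below it. With an unset or empty `global.aws.region` this renders a bare `value:` (null) instead of a string, which the env entry does not accept. `value: {{ .Values.global.aws.region | quote }}` keeps it a string and matches the neighbouring entries.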