feat: first working 1.31.4-alpha control plane

2025-01-13 22:08:24 +00:00 · 2025-01-13 22:08:24 +00:00 · 4377c89182
commit 4377c89182
parent 4c4964d1af
15 changed files with 59 additions and 77 deletions
--- a/7
+++ b/7
@ -1,9 +1,9 @@
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.21

 FROM docker.io/alpine:${ALPINE_VERSION}

 ARG ALPINE_VERSION
-ARG KUBE_VERSION=1.30.6
+ARG KUBE_VERSION=1.31.4

 ARG SOPS_VERSION="3.9.1"
 ARG VALS_VERSION="0.37.6"
@ -12,7 +12,7 @@ ARG HELM_SECRETS_VERSION="4.6.2"
 RUN cd /etc/apk/keys && \
    wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
    echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
-    echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+    echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
    echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
    apk upgrade -U -a --no-cache && \
    apk --no-cache add \
@ -24,6 +24,7 @@ RUN cd /etc/apk/keys && \
      py3-yaml \
      restic \
      helm \
+      ytt@testing \
      etcd-ctl@edge-community \
      cri-tools@kubezero \
      etcdhelper@kubezero \
--- a/admin/kubezero.sh
+++ b/admin/kubezero.sh
@ -69,9 +69,9 @@ render_kubeadm() {
  fi

  # "uncloak" the json patches after they got processed by helm
-  for s in apiserver controller-manager scheduler; do
-    yq eval '.json' ${WORKDIR}/kubeadm/templates/patches/kube-${s}1\+json.yaml > /tmp/_tmp.yaml && \
-      mv /tmp/_tmp.yaml ${WORKDIR}/kubeadm/templates/patches/kube-${s}1\+json.yaml
+  for s in kube-apiserver kube-controller-manager kube-scheduler corednsdeployment; do
+    yq eval '.json' ${WORKDIR}/kubeadm/templates/patches/${s}1\+json.yaml > /tmp/_tmp.yaml && \
+      mv /tmp/_tmp.yaml ${WORKDIR}/kubeadm/templates/patches/${s}1\+json.yaml
  done
 }

@ -117,40 +117,12 @@ post_kubeadm() {
  for f in ${WORKDIR}/kubeadm/templates/resources/*.yaml; do
    kubectl apply -f $f $LOG
  done
-
-  # Patch coreDNS addon, ideally we prevent kubeadm to reset coreDNS to its defaults
-  kubectl patch deployment coredns -n kube-system --patch-file ${WORKDIR}/kubeadm/templates/patches/coredns0.yaml $LOG
 }


 kubeadm_upgrade() {
  # pre upgrade hook

-  ### Remove with 1.31
-  # migrate kubezero CM to kubezero NS
-  # migrate ArgoCD app from values to valuesObject
-  create_ns kubezero
-
-  if [ "$ARGOCD" == "True" ]; then
-    kubectl get app kubezero -n argocd -o yaml > $WORKDIR/kubezero-argo-app.yaml
-    if [ "$(yq '(.spec.source.helm | has "values")' $WORKDIR/kubezero-argo-app.yaml)" == "true" ]; then
-      yq '.spec.source.helm.valuesObject = (.spec.source.helm.values | from_yaml)' \
-        $WORKDIR/kubezero-argo-app.yaml | kubectl apply --server-side --force-conflicts -f -
-
-      kubectl patch app kubezero -n argocd --type json -p='[{"op": "remove", "path": "/spec/source/helm/values"}]'
-      kubectl delete cm kubezero-values -n kube-system > /dev/null || true
-      kubectl create configmap -n kubezero kubezero-values || true
-    fi
-
-  else
-    kubectl get cm kubezero-values -n kubezero > /dev/null || \
-      { kubectl get cm kubezero-values -n kube-system -o yaml | \
-        sed 's/^  namespace: kube-system/  namespace: kubezero/' | \
-        kubectl create -f - && \
-        kubectl delete cm kubezero-values -n kube-system ; }
-  fi
-  ###
-
  # get current values, argo app over cm
  get_kubezero_values $ARGOCD

@ -191,14 +163,6 @@ kubeadm_upgrade() {

  # post upgrade

-  # Update kubezero-values CM
-  kubectl get cm -n kube-system kubelet-config -o=yaml | \
-    yq e '.data.kubelet' | yq e '.containerRuntimeEndpoint = "unix:///run/containerd/containerd.sock"' > $WORKDIR/new-kubelet.cm
-
-  kubectl get cm -n kube-system kubelet-config -o=yaml | \
-    yq e '.data.kubelet |= load_str("/tmp/kubezero/new-kubelet.cm")' | \
-    kubectl apply --server-side --force-conflicts -f -
-
  # Cleanup after kubeadm on the host
  rm -rf ${HOSTFS}/etc/kubernetes/tmp

--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -46,6 +46,16 @@ function get_kubezero_values() {
 }


+# Update kubezero-values CM
+function update_kubezero_cm() {
+  kubectl get application kubezero -n argocd -o yaml | yq .spec.source.helm.valuesObject > ${WORKDIR}/kubezero-values.yaml
+
+  kubectl get cm -n kubezero kubezero-values -o=yaml | \
+    yq e '.data."values.yaml" |= load_str("/tmp/kubezero/kubezero-values.yaml")' | \
+    kubectl apply --server-side --force-conflicts -f -
+}
+
+
 function disable_argo() {
  cat > _argoapp_patch.yaml <<EOF
 spec:
--- a/admin/upgrade_cluster.sh
+++ b/admin/upgrade_cluster.sh
@ -2,7 +2,7 @@
 set -eE
 set -o pipefail

-KUBE_VERSION=v1.30
+KUBE_VERSION=v1.31

 ARGO_APP=${1:-/tmp/new-kubezero-argoapp.yaml}

@ -19,11 +19,6 @@ echo "Checking that all pods in kube-system are running ..."

 [ "$ARGOCD" == "True" ] && disable_argo

-# 1.30 fix for the missing kubeadm socket annotations
-for c in $(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" | grep v1.29 | awk {'print $1}'); do
-  kubectl annotate node $c 'kubeadm.alpha.kubernetes.io/cri-socket=unix:///var/run/crio/crio.sock'
-done
-
 control_plane_upgrade kubeadm_upgrade

 echo "Control plane upgraded, <Return> to continue"
@ -33,8 +28,7 @@ read -r
 # shellcheck disable=SC2015
 #[ "$ARGOCD" == "True" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero

-### v1.30
-kubectl delete runtimeclass crio || true
+### v1.31

 # upgrade modules
 #
@ -43,9 +37,8 @@ kubectl delete runtimeclass crio || true

 control_plane_upgrade "apply_network, apply_addons, apply_storage, apply_operators"

-# Disabled during 1.30 due to nvidia runtime deadlock
-#echo "Checking that all pods in kube-system are running ..."
-#waitSystemPodsRunning
+echo "Checking that all pods in kube-system are running ..."
+waitSystemPodsRunning

 echo "Applying remaining KubeZero modules..."

--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm cluster config
 type: application
-version: 1.30.6
+version: 1.31.4
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
--- a/charts/kubeadm/templates/_helpers.tpl
+++ b/charts/kubeadm/templates/_helpers.tpl
@ -3,7 +3,7 @@
 {{- /* v1.28: PodAndContainerStatsFromCRI still not working */ -}}
 {{- /* v1.28: UnknownVersionInteroperabilityProxy requires StorageVersionAPI which is still alpha in 1.30 */ -}}
 {{- define "kubeadm.featuregates" }}
-{{- $gates := list "CustomCPUCFSQuotaPeriod" }}
+{{- $gates := list "CustomCPUCFSQuotaPeriod" "AuthorizeWithSelectors" "AuthorizeNodeWithSelectors" "ConsistentListFromCache" "VolumeAttributesClass"}}
 {{- if eq .return "csv" }}
 {{- range $key := $gates }}
 {{- $key }}=true,
--- a/charts/kubeadm/templates/patches/corednsdeployment0.yaml
+++ b/charts/kubeadm/templates/patches/corednsdeployment0.yaml
@ -1,5 +1,4 @@
 spec:
-  replicas: {{ ternary 3 1 .Values.global.highAvailable }}
  template:
    spec:
      containers:
--- a/charts/kubeadm/templates/patches/corednsdeployment1+json.yaml
+++ b/charts/kubeadm/templates/patches/corednsdeployment1+json.yaml
@ -0,0 +1,4 @@
+json:
+  - op: replace
+    path: /spec/replicas
+    value: {{ ternary 3 1 .Values.global.highAvailable }}
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@ -1,6 +1,6 @@
 # kubezero-argo

-![Version: 0.2.6](https://img.shields.io/badge/Version-0.2.6-informational?style=flat-square)
+![Version: 0.2.7](https://img.shields.io/badge/Version-0.2.7-informational?style=flat-square)

 KubeZero Argo - Events, Workflow, CD

@ -18,8 +18,8 @@ Kubernetes: `>= 1.26.0-0`

 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.7.2 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.8 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.7.7 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.9 |
 | https://argoproj.github.io/argo-helm | argocd-apps | 2.0.2 |
 | https://argoproj.github.io/argo-helm | argocd-image-updater | 0.11.2 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
@ -28,12 +28,13 @@ Kubernetes: `>= 1.26.0-0`

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| argo-cd.configs.cm."application.resourceTrackingMethod" | string | `"annotation"` |  |
 | argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n  # Lua script for customizing the health status assessment\n  health.lua: |\n    hs = {}\n    if obj.status ~= nil then\n      if obj.status.conditions ~= nil then\n        for i, condition in ipairs(obj.status.conditions) do\n          if condition.type == \"Ready\" and condition.status == \"False\" then\n            hs.status = \"Degraded\"\n            hs.message = condition.message\n            return hs\n          end\n          if condition.type == \"Ready\" and condition.status == \"True\" then\n            hs.status = \"Healthy\"\n            hs.message = condition.message\n            return hs\n          end\n        end\n      end\n    end\n    hs.status = \"Progressing\"\n    hs.message = \"Waiting for certificate\"\n    return hs\n"` |  |
 | argo-cd.configs.cm."timeout.reconciliation" | string | `"300s"` |  |
-| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.30 - Release notes"` |  |
+| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.31 - Release notes"` |  |
 | argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` |  |
 | argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` |  |
-| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.30"` |  |
+| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.31"` |  |
 | argo-cd.configs.cm.url | string | `"https://argocd.example.com"` |  |
 | argo-cd.configs.params."controller.diff.server.side" | string | `"true"` |  |
 | argo-cd.configs.params."controller.operation.processors" | string | `"5"` |  |
@ -51,8 +52,9 @@ Kubernetes: `>= 1.26.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.12.4"` |  |
+| argo-cd.global.image.tag | string | `"v2.13.1"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
+| argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -66,6 +66,10 @@ argo-cd:

      timeout.reconciliation: 300s

+      application.resourceTrackingMethod: annotation
+      installationID: "KubeZero-ArgoCD"
+      application.instanceLabelKey: Null
+
      resource.customizations: |
        cert-manager.io/Certificate:
          # Lua script for customizing the health status assessment
--- a/charts/kubezero-network/README.md
+++ b/charts/kubezero-network/README.md
@ -1,6 +1,6 @@
 # kubezero-network

-![Version: 0.5.5](https://img.shields.io/badge/Version-0.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 KubeZero umbrella chart for all things network

@ -20,8 +20,8 @@ Kubernetes: `>= 1.26.0`
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 | https://haproxytech.github.io/helm-charts | haproxy | 1.23.0 |
-| https://helm.cilium.io/ | cilium | 1.16.3 |
-| https://metallb.github.io/metallb | metallb | 0.14.8 |
+| https://helm.cilium.io/ | cilium | 1.16.5 |
+| https://metallb.github.io/metallb | metallb | 0.14.9 |

 ## Values

--- a/charts/kubezero-network/templates/cilium-grafana-dashboards.yaml
+++ b/charts/kubezero-network/templates/cilium-grafana-dashboards.yaml
--- a/charts/kubezero-operators/values.yaml
+++ b/charts/kubezero-operators/values.yaml
@ -29,18 +29,22 @@ cloudnative-pg:
 strimzi-kafka-operator:
  enabled: false

-  revisionHistoryLimit: 3
+  revisionHistoryLimit: 2
  watchAnyNamespace: true

  leaderElection:
    enable: false

-  resources:
-    requests:
-      cpu: 20m
-      memory: 256Mi
-    limits:
-      memory: 384Mi
+# extraEnvs:
+#   - name: JAVA_OPTS
+#     value: "-XX:MaxRAMPercentage=75 -XX:+UseParallelGC -XX:ActiveProcessorCount=2"
+
+# resources:
+#   requests:
+#     cpu: 10m
+#     memory: 256Mi
+#   limits:
+#     memory: 256Mi

  monitoring:
    podMonitorEnabled: false
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -36,7 +36,7 @@ addons:
 network:
  enabled: true
  retain: true
-  targetRevision: 0.5.5
+  targetRevision: 0.5.6
  cilium:
    cluster: {}

--- a/docs/v1.31.md
+++ b/docs/v1.31.md
@ -1,15 +1,16 @@
 # ![k8s-v1.31](images/k8s-1.31.png)  KubeZero 1.31 - Elli

 ## What's new - Major themes
- all KubeZero and support AMIs based on Alpine 3.21
+- all KubeZero and support AMIs based on [Alpine 3.21](https://alpinelinux.org/posts/Alpine-3.21.0-released.html)
+- network policies for ArgoCD

 ## Features and fixes
+- ArgoCD now tracks ownership by annotations rather than labels

 ## Version upgrades
-<WIP>
 - cilium 1.16.3
 - istio 1.22.3
- ArgoCD 2.13.0 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
+- ArgoCD 2.13.1 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
 - Prometheus 2.55.1 / Grafana 11.3.0
 - Nvidia container toolkit 1.17, drivers  565.57.01, Cuda 12.7