diff --git a/Dockerfile b/Dockerfile index 1f34420f..ff29d12f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,8 +6,8 @@ ARG ALPINE_VERSION ARG KUBE_VERSION=1.31 ARG SOPS_VERSION="3.9.4" -ARG VALS_VERSION="0.39.1" -ARG HELM_SECRETS_VERSION="4.6.2" +ARG VALS_VERSION="0.39.4" +ARG HELM_SECRETS_VERSION="4.6.3" RUN cd /etc/apk/keys && \ wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \ @@ -24,6 +24,7 @@ RUN cd /etc/apk/keys && \ py3-yaml \ restic \ helm \ + apache2-utils \ ytt@testing \ etcd-ctl@edge-community \ cri-tools@kubezero \ diff --git a/admin/libhelm.sh b/admin/libhelm.sh index ae59dc9c..41c33223 100644 --- a/admin/libhelm.sh +++ b/admin/libhelm.sh @@ -70,7 +70,6 @@ function get_kubezero_values() { fi } - # Overwrite kubezero-values CM with file function update_kubezero_cm() { kubectl get cm -n kubezero kubezero-values -o=yaml | \ @@ -212,7 +211,7 @@ function _helm() { if [ $action == "crds" ]; then # Pre-crd hook - [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-crds.sh) + [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && . $WORKDIR/$chart/hooks.d/pre-crds.sh crds @@ -224,7 +223,7 @@ function _helm() { create_ns $namespace # Optional pre hook - [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-install.sh) + [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && . $WORKDIR/$chart/hooks.d/pre-install.sh render [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$? 
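Review bot: Sourcing the hooks with `.` in `_helm` (pre-crds and pre-install here, post-install in the following hunk) runs each chart script inside the libhelm shell instead of a child `bash`, so a hook's variables, shell options and any `exit` now act on the caller. For example, `charts/kubezero/hooks.d/pre-install.sh` in this commit assigns `rc`, a name `_helm` also uses. The `cd $WORKDIR` is dropped as well, so a hook that edits a relative `./values.yaml`, as docs/hooks.md describes, would no longer find the file. I would quote the paths, `[ -f "$WORKDIR/$chart/hooks.d/pre-crds.sh" ] && . "$WORKDIR/$chart/hooks.d/pre-crds.sh"`, and state the contract above the first hook with a comment such as `# hooks are sourced: they share this shell's variables and functions, run in the caller's cwd, and must not call exit`. `_helm` starts and ends outside these hunks.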
@@ -233,7 +232,7 @@ function _helm() { [ $action == "apply" -o $rc -ne 0 ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$? # Optional post hook - [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/post-install.sh) + [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && . $WORKDIR/$chart/hooks.d/post-install.sh elif [ $action == "delete" ]; then render diff --git a/charts/kubezero-argo/.helmignore b/charts/kubezero-argo/.helmignore index 1e0b4ac7..e673ec92 100644 --- a/charts/kubezero-argo/.helmignore +++ b/charts/kubezero-argo/.helmignore @@ -25,3 +25,4 @@ README.md.gotmpl dashboards.yaml jsonnet +update.sh diff --git a/charts/kubezero-argo/README.md b/charts/kubezero-argo/README.md index eb09ec74..892644a4 100644 --- a/charts/kubezero-argo/README.md +++ b/charts/kubezero-argo/README.md @@ -1,6 +1,6 @@ # kubezero-argo -![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) +![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) KubeZero Argo - Events, Workflow, CD @@ -18,8 +18,8 @@ Kubernetes: `>= 1.30.0-0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 7.8.9 | -| https://argoproj.github.io/argo-helm | argo-events | 2.4.13 | +| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 | +| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 | | https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | 
@@ -42,6 +42,7 @@ Kubernetes: `>= 1.30.0-0` | argo-cd.configs.params."controller.sync.timeout.seconds" | int | `1800` | | | argo-cd.configs.params."server.enable.gzip" | bool | `true` | | | argo-cd.configs.params."server.insecure" | bool | `true` | | +| argo-cd.configs.secret.argocdServerAdminPassword | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword"` | | | argo-cd.configs.secret.createSecret | bool | `false` | | | argo-cd.configs.ssh.extraHosts | string | `"git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="` | | | argo-cd.configs.styles | string | `".sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }\n.sidebar__logo__text-logo { height: 0em; }\n.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }\n"` | | 
@@ -53,24 +54,19 @@ Kubernetes: `>= 1.30.0-0` | argo-cd.dex.enabled | bool | `false` | | | argo-cd.enabled | bool | `false` | | | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | | -| argo-cd.global.image.tag | string | `"v2.14.5"` | | +| argo-cd.global.image.tag | string | `"v2.14.7"` | | | argo-cd.global.logging.format | string | `"json"` | | | argo-cd.global.networkPolicy.create | bool | `true` | | | argo-cd.istio.enabled | bool | `false` | | | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` | | | argo-cd.istio.ipBlocks | list | `[]` | | -| argo-cd.kubezero.bootstrap | bool | `false` | | +| argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App | | argo-cd.kubezero.path | string | `"/"` | | -| argo-cd.kubezero.repoUrl | string | `"https://git.my.org/thiscluster"` | | +| argo-cd.kubezero.repoUrl | string | `""` | | +| argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` | | | argo-cd.kubezero.targetRevision | string | `"HEAD"` | | | argo-cd.notifications.enabled | bool | `false` | | | argo-cd.redisSecretInit.enabled | bool | `false` | | -| argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` | | -| argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` | | -| argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` | | -| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` | | -| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` | | -| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` | | 
diff --git a/charts/kubezero-argo/hooks.d/pre-install.sh b/charts/kubezero-argo/hooks.d/pre-install.sh index 6d8091d0..a2ca71ca 100644 --- a/charts/kubezero-argo/hooks.d/pre-install.sh +++ b/charts/kubezero-argo/hooks.d/pre-install.sh @@ -1,6 +1,25 @@ -#!/bin/sh +# Bootstrap kubezero-git-sync app only if it doesnt exist yet +kubectl get application kubezero-git-sync -n argocd || \ + yq -i '.argo-cd.kubezero.bootstrap=true' $WORKDIR/values.yaml -# Bootstrap kubezero-git-sync app if it doenst exist -kubectl get application kubezero-git-sync -n argocd && rc=$? || rc=$? +# Ensure we have an adminPassword or migrate existing one +PW=$(get_kubezero_secret argo-cd.adminPassword) +if [ -z "$PW" ]; then + # Check for existing password in actual secret + NEW_PW=$(kubectl get secret argocd-secret -n argocd -o yaml | yq '.data."admin.password"') -[ $rc != 0 ] && yq -i '.argo-cd.kubezero.bootstrap=true' values.yaml + if [ "$NEW_PW" == "null" ];then + ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo) + NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0) + + set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD + fi + + set_kubezero_secret argo-cd.adminPassword $NEW_PW +fi + +# GitSync privateKey +GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey) +if [ -z "$GITKEY" ]; then + set_kubezero_secret argo-cd.sshPrivateKey "Insert ssh Private Key from your git server" +fi diff --git a/charts/kubezero-argo/secrets.yaml b/charts/kubezero-argo/secrets.yaml deleted file mode 100644 index 50fd1f14..00000000 --- a/charts/kubezero-argo/secrets.yaml +++ /dev/null 
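Review bot: `ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)` in the kubezero-argo pre-install hook derives the admin password from the current epoch second alone, so its entropy is limited to the uncertainty about when the cluster was bootstrapped. Take it from the kernel CSPRNG instead, e.g. `ARGO_PWD=$(head -c 12 /dev/urandom | base64)`. The unquoted `$ARGO_PWD` is then passed to `htpasswd -b` as an argument, where it shows up in the process list; `printf '%s' "$ARGO_PWD" | htpasswd -niBC 10 ""` keeps it off argv. Separately, the GitSync block reads `argo-cd.kubezero.sshPrivateKey` but writes the placeholder to `argo-cd.sshPrivateKey`, which is not the key values.yaml references; the write should target `argo-cd.kubezero.sshPrivateKey`.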
@@ -1,22 +0,0 @@ -# KubeZero secrets -# -test: supergeheim -secrets: - - name: argocd-secret - optional: false - data: - admin.password: test - admin.passwordMtime: now - server.secretkey: boohoo - - name: zero-downtime-gitea - optional: true - data: - name: zero-downtime-gitea - type: git - url: ssh://git@git.zero-downtime.net/quark/kube-grandnagus.git - sshPrivateKey: | - boohooKey - metadata: - labels: - argocd.argoproj.io/secret-type: repository - diff --git a/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml b/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml new file mode 100644 index 00000000..7ff264f0 --- /dev/null +++ b/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml @@ -0,0 +1,13 @@ +{{- if index .Values "argo-cd" "enabled" }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-secret + namespace: argocd + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +type: Opaque +stringData: + admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }} + admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") }} +{{- end }} diff --git a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml index 67d1f552..5600c1ad 100644 --- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml +++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml @@ -1,9 +1,11 @@ -{{- if index .Values "argo-cd" "kubezero" "bootstrap" }} +{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: kubezero-git-sync namespace: argocd + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} annotations: argocd.argoproj.io/sync-wave: "-20" spec: 
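Review bot: `admin.passwordMtime` in the new admin-secret.yaml is rendered from `now`, so every render yields a different value and the Secret changes on each apply even when the password has not. If Argo CD treats tokens issued before passwordMtime as stale (worth confirming), each apply would also end existing admin sessions. I would set the mtime only when the password changes, or take it from a value. `admin.password` is emitted unquoted; `{{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" | quote }}` keeps the hash or an unresolved reference from being reinterpreted by the YAML parser. The pre-install hook stores the hash base64-encoded while this template writes `stringData`, so it is worth confirming that the secretref resolution decodes it.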
diff --git a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml new file mode 100644 index 00000000..5939d617 --- /dev/null +++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml @@ -0,0 +1,16 @@ +{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }} +apiVersion: v1 +kind: Secret +metadata: + name: kubezero-git-sync + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository + {{- include "kubezero-lib.labels" . | nindent 4 }} +type: Opaque +stringData: + name: kubezero-git-sync + type: git + url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }} + sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }} +{{- end }} diff --git a/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml b/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml index 3af1a3fc..3d31b0f2 100644 --- a/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml +++ b/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml @@ -1,9 +1,11 @@ -{{- if index .Values "argo-cd" "kubezero" "bootstrap" }} +{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }} apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: kubezero namespace: argocd + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: clusterResourceWhitelist: - group: '*' diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml index 9e99bc15..9379cb01 100644 --- a/charts/kubezero-argo/values.yaml +++ b/charts/kubezero-argo/values.yaml 
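Review bot: `sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}` in kubezero-git-sync-secret.yaml puts the value on a single unquoted line. If what reaches this template is the key itself rather than the `secretref+` string, a multi-line PEM key will not parse as the intended scalar. Use `| quote`, or a block scalar with `nindent`, and quote `url` the same way. The guard only tests for a non-empty value, and the chart default is the non-empty `secretref+k8s://...` string. The repository Secret is therefore rendered whenever `repoUrl` is set, including while the stored value is still the placeholder text written by the hooks.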
@@ -81,10 +81,9 @@ argo-cd: secret: createSecret: false + # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0` - # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG" - # argocdServerAdminPassword: "ref+file://secrets.yaml#/test" - # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" + argocdServerAdminPassword: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword ssh: extraHosts: "git.zero-downtime.net ssh-rsa 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" @@ -125,6 +124,7 @@ argo-cd: name: kubeconfigs # Allow vals to read internal secrets across all namespaces + # @ignored clusterRoleRules: enabled: true rules: @@ -132,6 +132,27 @@ argo-cd: resources: ["secrets"] verbs: ["get", "watch", "list"] + # @ignored + initContainers: + - name: create-kubeconfig + image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}' + imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}' + command: + - /usr/local/bin/sa2kubeconfig.sh + - /home/argocd/.kube/config + volumeMounts: + - mountPath: /home/argocd/.kube + name: kubeconfigs + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + server: # Rename former https port to grpc, works with istio + insecure service: 
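Review bot: The `# @ignored` marker added above `clusterRoleRules` removes the repo-server's cluster-wide `get`/`watch`/`list` on `secrets` from the generated README; the matching rows are deleted in the README hunk. The chart's broadest privilege is then no longer visible to operators reading the docs. I would keep the entry documented, replacing the marker with a description such as `# -- grants the repo-server read access to Secrets in all namespaces so vals can resolve secret references`. The `initContainers` entry in the next hunk is hidden the same way, although its restrictive `securityContext` is worth showing.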
@@ -163,12 +184,14 @@ argo-cd: ipBlocks: [] kubezero: - # only set this once initially to prevent the circular dependency + # -- deploy the KubeZero Project and GitSync Root App bootstrap: false - repoUrl: "https://git.my.org/thiscluster" + # valid git+ssh repository url + repoUrl: "" path: "/" targetRevision: HEAD + sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey argocd-image-updater: enabled: false diff --git a/charts/kubezero/.helmignore b/charts/kubezero/.helmignore index 4a84d834..e673ec92 100644 --- a/charts/kubezero/.helmignore +++ b/charts/kubezero/.helmignore @@ -21,4 +21,8 @@ .idea/ *.tmproj .vscode/ -Chart.lock + +README.md.gotmpl +dashboards.yaml +jsonnet +update.sh diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index e35acb4f..865b37f0 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -35,11 +35,10 @@ Kubernetes: `>= 1.31.0-0` | addons.targetRevision | string | `"0.8.13"` | | | argo.argo-cd.enabled | bool | `false` | | | argo.argo-cd.istio.enabled | bool | `false` | | -| argo.argocd-apps.enabled | bool | `false` | | | argo.argocd-image-updater.enabled | bool | `false` | | | argo.enabled | bool | `false` | | | argo.namespace | string | `"argocd"` | | -| argo.targetRevision | string | `"0.2.9"` | | +| argo.targetRevision | string | `"0.3.1"` | | | cert-manager.enabled | bool | `false` | | | cert-manager.namespace | string | `"cert-manager"` | | | cert-manager.targetRevision | string | `"0.9.12"` | | diff --git a/charts/kubezero/docs/applicationSet.yaml b/charts/kubezero/docs/applicationSet.yaml deleted file mode 100644 index 49b20499..00000000 --- a/charts/kubezero/docs/applicationSet.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -kind: ApplicationSet -metadata: - name: kubezero - namespace: argocd - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - generators: - - git: - repoURL: {{ .Values.kubezero.applicationSet.repoURL }} - revision: {{ .Values.kubezero.applicationSet.revision }} - files: - {{- toYaml .Values.kubezero.applicationSet.files | nindent 6 }} - template: - metadata: - name: kubezero - spec: - project: kubezero - source: - repoURL: https://cdn.zero-downtime.net/charts - chart: kubezero - targetRevision: '{{ "{{" }} kubezero.version {{ "}}" }}' - helm: - parameters: - # We use this to detect if we are called from ArgoCD - - name: argocdAppName - value: $ARGOCD_APP_NAME - # This breaks the recursion, otherwise we install another kubezero project and app - # To be removed once we applicationSet is working and AppProject is moved back to ArgoCD chart - - name: installKubeZero - value: "false" - valueFiles: - - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/kubezero.yaml' - - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/values.yaml' - - destination: - server: https://kubernetes.default.svc - namespace: argocd - syncPolicy: - automated: - prune: true diff --git a/charts/kubezero/scripts/argocd_password.py b/charts/kubezero/hooks.d/argocd_password.py similarity index 100% rename from charts/kubezero/scripts/argocd_password.py rename to charts/kubezero/hooks.d/argocd_password.py diff --git a/charts/kubezero/hooks.d/pre-install.sh b/charts/kubezero/hooks.d/pre-install.sh new file mode 100644 index 00000000..050c5538 --- /dev/null +++ b/charts/kubezero/hooks.d/pre-install.sh @@ -0,0 +1,8 @@ +# ensure we have a basic kubezero secret for cluster bootstrap and defaults +kubectl get secret kubezero-secrets -n kubezero && rc=$? || rc=$? + +if [ $rc != 0 ]; then + kubectl create secret generic kubezero-secrets -n kubezero \ + --from-literal=argo-cd.adminPassword="geheim" \ + --from-literal=argo-cd.kubezero.sshPrivateKey="--GEHEIM---" +fi 
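Review bot: The bootstrap secret in charts/kubezero/hooks.d/pre-install.sh is created with fixed, non-empty placeholders (`geheim`, `--GEHEIM---`), while the kubezero-argo hook only generates a password when `get_kubezero_secret argo-cd.adminPassword` returns empty. Assuming that helper returns the stored value, the generation path is skipped and the placeholder is what the chart references as the admin password. Creating the secret without those literals, `kubectl create secret generic kubezero-secrets -n kubezero`, would let the chart hook fill them in. The `rc` test also treats any `kubectl get` failure (API unreachable, RBAC denial), not only NotFound, as "secret missing".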
diff --git a/charts/kubezero/scripts/remove_argo_ns.sh b/charts/kubezero/scripts/remove_argo_ns.sh deleted file mode 100755 index 4b97297d..00000000 --- a/charts/kubezero/scripts/remove_argo_ns.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -ns=$(kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}') - -for n in $ns; do - kubectl label --overwrite namespace $n 'argocd.argoproj.io/instance-' -done diff --git a/charts/kubezero/scripts/remove_old_eck.sh b/charts/kubezero/scripts/remove_old_eck.sh deleted file mode 100755 index 1aa606fb..00000000 --- a/charts/kubezero/scripts/remove_old_eck.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. - -# Script to migrate an existing ECK 1.2.1 installation to Helm. - -set -euo pipefail - -RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"} - -echo "Uninstalling ECK" -kubectl delete -n "${RELEASE_NAMESPACE}" \ - serviceaccount/elastic-operator \ - secret/elastic-webhook-server-cert \ - clusterrole.rbac.authorization.k8s.io/elastic-operator \ - clusterrole.rbac.authorization.k8s.io/elastic-operator-view \ - clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \ - clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \ - rolebinding.rbac.authorization.k8s.io/elastic-operator \ - service/elastic-webhook-server \ - statefulset.apps/elastic-operator \ - validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co - diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 13506715..266eacda 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml 
@@ -115,7 +115,7 @@ logging: argo: enabled: false namespace: argocd - targetRevision: 0.3.0 + targetRevision: 0.3.1 argo-cd: enabled: false istio: diff --git a/docs/hooks.md b/docs/hooks.md new file mode 100644 index 00000000..c725d5b4 --- /dev/null +++ b/docs/hooks.md @@ -0,0 +1,11 @@ +# KubeZero Helm hooks + +## Abstract +Scripts within the `hooks.d` folder of each chart are executed at the respective times when the charts are applied via libhelm. + +*These hooks do NOT work via ArgoCD* + +## Flow +- hooks are execute as part of the libhelm tasks like `apply` +- are running with the current kubectl context +- executed at root working directory, eg. set a value for helm the scripts can edit the `./values.yaml` file. diff --git a/docs/v1.31.md b/docs/v1.31.md index 6ea0e12f..0658f55b 100644 --- a/docs/v1.31.md +++ b/docs/v1.31.md @@ -3,6 +3,7 @@ ## What's new - Major themes - all KubeZero and support AMIs based on [Alpine 3.21](https://alpinelinux.org/posts/Alpine-3.21.0-released.html) - network policies for ArgoCD +- Nvidia worker nodes are labeled with detected GPU product code - Prometheus upgraded to V3, reducing CPU and memory requirements, see [upstream blog](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) ## Features and fixes @@ -10,10 +11,10 @@ ## Version upgrades - cilium 1.16.6 -- istio 1.24.2 -- ArgoCD 2.14.3 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd) +- istio 1.24.3 +- ArgoCD 2.14.5 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd) - Prometheus 3.1.0 / Grafana 11.5.1 -- Nvidia container toolkit 1.17, drivers 565.57.01, Cuda 12.7 +- Nvidia container toolkit 1.17.4, drivers 570.86.15, Cuda 12.8 ## Resources - [Kubernetes v1.31 upstream release blog](https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/) diff --git a/scripts/lib-update.sh b/scripts/lib-update.sh index a93cc378..59cf67f5 100755 --- a/scripts/lib-update.sh +++ b/scripts/lib-update.sh 
@@ -18,7 +18,7 @@ update_jsonnet() { update_helm() { #helm repo update - helm dep update + helm dep build } # AWS public ECR diff --git a/charts/kubezero/scripts/patch_vs.sh b/scripts/patch_virtualservices.sh similarity index 100% rename from charts/kubezero/scripts/patch_vs.sh rename to scripts/patch_virtualservices.sh