feat: more cluster bootstrap work

2025-03-24 16:44:11 +00:00 · 2025-03-24 16:44:11 +00:00 · 6a7c0b6085
commit 6a7c0b6085
parent 10de3a1047
23 changed files with 132 additions and 132 deletions
--- a/5
+++ b/5
@ -6,8 +6,8 @@ ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31
 ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.1"
+ARG VALS_VERSION="0.39.4"
-ARG HELM_SECRETS_VERSION="4.6.2"
+ARG HELM_SECRETS_VERSION="4.6.3"
 RUN cd /etc/apk/keys && \
    wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
@ -24,6 +24,7 @@ RUN cd /etc/apk/keys && \
      py3-yaml \
      restic \
      helm \
      apache2-utils \
      ytt@testing \
      etcd-ctl@edge-community \
      cri-tools@kubezero \
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -70,7 +70,6 @@ function get_kubezero_values() {
  fi
 }
 # Overwrite kubezero-values CM with file
 function update_kubezero_cm() {
  kubectl get cm -n kubezero kubezero-values -o=yaml | \
@ -212,7 +211,7 @@ function _helm() {
  if [ $action == "crds" ]; then
    # Pre-crd hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-crds.sh)
+    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && . $WORKDIR/$chart/hooks.d/pre-crds.sh
    crds
@ -224,7 +223,7 @@ function _helm() {
    create_ns $namespace
    # Optional pre hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-install.sh)
+    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && . $WORKDIR/$chart/hooks.d/pre-install.sh
    render
    [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
@ -233,7 +232,7 @@ function _helm() {
    [ $action == "apply" -o $rc -ne 0 ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
    # Optional post hook
-    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/post-install.sh)
+    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && . $WORKDIR/$chart/hooks.d/post-install.sh
  elif [ $action == "delete" ]; then
    render
--- a/charts/kubezero-argo/.helmignore
+++ b/charts/kubezero-argo/.helmignore
@ -25,3 +25,4 @@
 README.md.gotmpl
 dashboards.yaml
 jsonnet
 update.sh
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@ -1,6 +1,6 @@
 # kubezero-argo
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square)
+![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square)
 KubeZero Argo - Events, Workflow, CD
@ -18,8 +18,8 @@ Kubernetes: `>= 1.30.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.9 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.13 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 |
 | https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
@ -42,6 +42,7 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.configs.params."controller.sync.timeout.seconds" | int | `1800` |  |
 | argo-cd.configs.params."server.enable.gzip" | bool | `true` |  |
 | argo-cd.configs.params."server.insecure" | bool | `true` |  |
 | argo-cd.configs.secret.argocdServerAdminPassword | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword"` |  |
 | argo-cd.configs.secret.createSecret | bool | `false` |  |
 | argo-cd.configs.ssh.extraHosts | string | `"git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="` |  |
 | argo-cd.configs.styles | string | `".sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }\n.sidebar__logo__text-logo { height: 0em; }\n.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }\n"` |  |
@ -53,24 +54,19 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.5"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.7"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
-| argo-cd.kubezero.bootstrap | bool | `false` |  |
+| argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
 | argo-cd.kubezero.path | string | `"/"` |  |
-| argo-cd.kubezero.repoUrl | string | `"https://git.my.org/thiscluster"` |  |
+| argo-cd.kubezero.repoUrl | string | `""` |  |
 | argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` |  |
 | argo-cd.kubezero.targetRevision | string | `"HEAD"` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
 | argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` |  |
 | argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` |  |
 | argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` |  |
 | argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` |  |
 | argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` |  |
 | argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@ -1,6 +1,25 @@
-#!/bin/sh
+# Bootstrap kubezero-git-sync app only if it doesnt exist yet
 kubectl get application kubezero-git-sync -n argocd || \
  yq -i '.argo-cd.kubezero.bootstrap=true' $WORKDIR/values.yaml
-# Bootstrap kubezero-git-sync app if it doenst exist
+# Ensure we have an adminPassword or migrate existing one
-kubectl get application kubezero-git-sync -n argocd && rc=$? || rc=$?
+PW=$(get_kubezero_secret argo-cd.adminPassword)
 if [ -z "$PW" ]; then
  # Check for existing password in actual secret
  NEW_PW=$(kubectl get secret argocd-secret -n argocd -o yaml | yq '.data."admin.password"')
-[ $rc != 0 ] && yq -i '.argo-cd.kubezero.bootstrap=true' values.yaml
+  if [ "$NEW_PW" == "null" ];then
    ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)
    NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0)
    set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD
  fi
  set_kubezero_secret argo-cd.adminPassword $NEW_PW
 fi
 # GitSync privateKey
 GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
 if [ -z "$GITKEY" ]; then
  set_kubezero_secret argo-cd.sshPrivateKey "Insert ssh Private Key from your git server"
 fi
--- a/charts/kubezero-argo/secrets.yaml
+++ b/charts/kubezero-argo/secrets.yaml
@ -1,22 +0,0 @@
 # KubeZero secrets
 #
 test: supergeheim
 secrets:
  - name: argocd-secret
    optional: false
    data:
      admin.password: test
      admin.passwordMtime: now
      server.secretkey: boohoo
  - name: zero-downtime-gitea
    optional: true
    data:
      name: zero-downtime-gitea
      type: git
      url: ssh://git@git.zero-downtime.net/quark/kube-grandnagus.git
      sshPrivateKey: |
        boohooKey
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repository
--- a/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
@ -0,0 +1,13 @@
 {{- if index .Values "argo-cd" "enabled" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: argocd-secret
  namespace: argocd
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 type: Opaque
 stringData:
  admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
  admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") }}
 {{- end }}
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml
@ -1,9 +1,11 @@
-{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
+{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kubezero-git-sync
  namespace: argocd
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
  annotations:
    argocd.argoproj.io/sync-wave: "-20"
 spec:
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
@ -0,0 +1,16 @@
 {{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: kubezero-git-sync
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 type: Opaque
 stringData:
  name: kubezero-git-sync
  type: git
  url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
  sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
 {{- end }}
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml
@ -1,9 +1,11 @@
-{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
+{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
  name: kubezero
  namespace: argocd
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  clusterResourceWhitelist:
  - group: '*'
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -81,10 +81,9 @@ argo-cd:
    secret:
      createSecret: false
      # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0`
-      # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
+      argocdServerAdminPassword: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword
      # argocdServerAdminPassword: "ref+file://secrets.yaml#/test"
      # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
    ssh:
      extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
@ -125,6 +124,7 @@ argo-cd:
      name: kubeconfigs
    # Allow vals to read internal secrets across all namespaces
    # @ignored
    clusterRoleRules:
      enabled: true
      rules:
@ -132,6 +132,27 @@ argo-cd:
          resources: ["secrets"]
          verbs: ["get", "watch", "list"]
    # @ignored
    initContainers:
      - name: create-kubeconfig
        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
        command:
          - /usr/local/bin/sa2kubeconfig.sh
          - /home/argocd/.kube/config
        volumeMounts:
        - mountPath: /home/argocd/.kube
          name: kubeconfigs
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
            - ALL
  server:
    # Rename former https port to grpc, works with istio + insecure
    service:
@ -163,12 +184,14 @@ argo-cd:
    ipBlocks: []
  kubezero:
-    # only set this once initially to prevent the circular dependency
+    # -- deploy the KubeZero Project and GitSync Root App
    bootstrap: false
-    repoUrl: "https://git.my.org/thiscluster"
+    # valid git+ssh repository url
    repoUrl: ""
    path: "/"
    targetRevision: HEAD
    sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
 argocd-image-updater:
  enabled: false
--- a/charts/kubezero/.helmignore
+++ b/charts/kubezero/.helmignore
@ -21,4 +21,8 @@
 .idea/
 *.tmproj
 .vscode/
-Chart.lock
+
 README.md.gotmpl
 dashboards.yaml
 jsonnet
 update.sh
--- a/charts/kubezero/README.md
+++ b/charts/kubezero/README.md
@ -35,11 +35,10 @@ Kubernetes: `>= 1.31.0-0`
 | addons.targetRevision | string | `"0.8.13"` |  |
 | argo.argo-cd.enabled | bool | `false` |  |
 | argo.argo-cd.istio.enabled | bool | `false` |  |
 | argo.argocd-apps.enabled | bool | `false` |  |
 | argo.argocd-image-updater.enabled | bool | `false` |  |
 | argo.enabled | bool | `false` |  |
 | argo.namespace | string | `"argocd"` |  |
-| argo.targetRevision | string | `"0.2.9"` |  |
+| argo.targetRevision | string | `"0.3.1"` |  |
 | cert-manager.enabled | bool | `false` |  |
 | cert-manager.namespace | string | `"cert-manager"` |  |
 | cert-manager.targetRevision | string | `"0.9.12"` |  |
--- a/charts/kubezero/docs/applicationSet.yaml
+++ b/charts/kubezero/docs/applicationSet.yaml
@ -1,41 +0,0 @@
 kind: ApplicationSet
 metadata:
  name: kubezero
  namespace: argocd
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  generators:
  - git:
      repoURL: {{ .Values.kubezero.applicationSet.repoURL }}
      revision: {{ .Values.kubezero.applicationSet.revision }}
      files:
      {{- toYaml .Values.kubezero.applicationSet.files | nindent 6 }}
  template:
    metadata:
      name: kubezero
    spec:
      project: kubezero
      source:
        repoURL: https://cdn.zero-downtime.net/charts
        chart: kubezero
        targetRevision: '{{ "{{" }} kubezero.version {{ "}}" }}'
        helm:
          parameters:
          # We use this to detect if we are called from ArgoCD
          - name: argocdAppName
            value: $ARGOCD_APP_NAME
          # This breaks the recursion, otherwise we install another kubezero project and app
          # To be removed once we applicationSet is working and AppProject is moved back to ArgoCD chart
          - name: installKubeZero
            value: "false"
          valueFiles:
          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/kubezero.yaml'
          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/values.yaml'
      destination:
        server: https://kubernetes.default.svc
        namespace: argocd
      syncPolicy:
        automated:
          prune: true
--- a/charts/kubezero/hooks.d/argocd_password.py
+++ b/charts/kubezero/hooks.d/argocd_password.py
--- a/charts/kubezero/hooks.d/pre-install.sh
+++ b/charts/kubezero/hooks.d/pre-install.sh
@ -0,0 +1,8 @@
 # ensure we have a basic kubezero secret for cluster bootstrap and defaults
 kubectl get secret kubezero-secrets -n kubezero && rc=$? || rc=$?
 if [ $rc != 0 ]; then
  kubectl create secret generic kubezero-secrets -n kubezero \
    --from-literal=argo-cd.adminPassword="geheim" \
    --from-literal=argo-cd.kubezero.sshPrivateKey="--GEHEIM---"
 fi
--- a/charts/kubezero/scripts/remove_argo_ns.sh
+++ b/charts/kubezero/scripts/remove_argo_ns.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 ns=$(kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}')
 for n in $ns; do
  kubectl label --overwrite namespace $n 'argocd.argoproj.io/instance-'
 done
--- a/charts/kubezero/scripts/remove_old_eck.sh
+++ b/charts/kubezero/scripts/remove_old_eck.sh
@ -1,25 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 # or more contributor license agreements. Licensed under the Elastic License;
 # you may not use this file except in compliance with the Elastic License.
 # Script to migrate an existing ECK 1.2.1 installation to Helm. 
 set -euo pipefail
 RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"}
 echo "Uninstalling ECK"
 kubectl delete -n "${RELEASE_NAMESPACE}" \
    serviceaccount/elastic-operator \
    secret/elastic-webhook-server-cert \
    clusterrole.rbac.authorization.k8s.io/elastic-operator \
    clusterrole.rbac.authorization.k8s.io/elastic-operator-view \
    clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \
    clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \
    rolebinding.rbac.authorization.k8s.io/elastic-operator \
    service/elastic-webhook-server \
    statefulset.apps/elastic-operator \
    validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -115,7 +115,7 @@ logging:
 argo:
  enabled: false
  namespace: argocd
-  targetRevision: 0.3.0
+  targetRevision: 0.3.1
  argo-cd:
    enabled: false
    istio:
--- a/docs/hooks.md
+++ b/docs/hooks.md
@ -0,0 +1,11 @@
 # KubeZero Helm hooks
 ## Abstract
 Scripts within the `hooks.d` folder of each chart are executed at the respective times when the charts are applied via libhelm.
 *These hooks do NOT work via ArgoCD*
 ## Flow
 - hooks are execute as part of the libhelm tasks like `apply`
 - are running with the current kubectl context
 - executed at root working directory, eg. set a value for helm the scripts can edit the `./values.yaml` file.
--- a/docs/v1.31.md
+++ b/docs/v1.31.md
@ -3,6 +3,7 @@
 ## What's new - Major themes
 - all KubeZero and support AMIs based on [Alpine 3.21](https://alpinelinux.org/posts/Alpine-3.21.0-released.html)
 - network policies for ArgoCD
 - Nvidia worker nodes are labeled with detected GPU product code
 - Prometheus upgraded to V3, reducing CPU and memory requirements, see [upstream blog](https://prometheus.io/blog/2024/11/14/prometheus-3-0/)
 ## Features and fixes
@ -10,10 +11,10 @@
 ## Version upgrades
 - cilium 1.16.6
- istio 1.24.2
+- istio 1.24.3
- ArgoCD 2.14.3 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
+- ArgoCD 2.14.5 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
 - Prometheus 3.1.0 / Grafana 11.5.1
- Nvidia container toolkit 1.17, drivers  565.57.01, Cuda 12.7
+- Nvidia container toolkit 1.17.4, drivers  570.86.15, Cuda 12.8
 ## Resources
 - [Kubernetes v1.31 upstream release blog](https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/)
--- a/scripts/lib-update.sh
+++ b/scripts/lib-update.sh
@ -18,7 +18,7 @@ update_jsonnet() {
 update_helm() {
  #helm repo update
-  helm dep update
+  helm dep build
 }
 # AWS public ECR
--- a/charts/kubezero/scripts/patch_vs.sh
+++ b/charts/kubezero/scripts/patch_vs.sh