feat: various fixes and version bumps for >= 1.22.8

charts/kubezero-argocd/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argocd
-version: 0.9.5
+version: 0.9.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,6 +16,6 @@ dependencies:
     version: ">= 0.1.4"
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-cd
-    version: 3.32.1
+    version: 3.33.8
     repository: https://argoproj.github.io/argo-helm
 kubeVersion: ">= 1.20.0"

charts/kubezero-cert-manager/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cert-manager
 description: KubeZero Umbrella Chart for cert-manager
 type: application
-version: 0.8.0
+version: 0.8.2
 appVersion: 1.6.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png

charts/kubezero-cert-manager/README.md

@@ -1,6 +1,6 @@
 # kubezero-cert-manager
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square)
+![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square)
 
 KubeZero Umbrella Chart for cert-manager
 

charts/kubezero-cert-manager/templates/prometheus-rules.yaml

@@ -1,3 +1,4 @@
+{{- if index .Values "cert-manager" "prometheus" "servicemonitor" "enabled" }}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
@@ -50,4 +51,4 @@ spec:
       for: 5m
       labels:
         severity: critical
-
+{{- end }}

charts/kubezero-ci/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.4.26
+version: 0.4.44
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,19 +18,19 @@ dependencies:
     version: ">= 0.1.5"
     repository: https://cdn.zero-downtime.net/charts/
   - name: gocd
-    version: 1.39.4
+    version: 1.40.8
     repository: https://gocd.github.io/helm-chart
     condition: gocd.enabled
   - name: gitea
-    version: 5.0.0
+    version: 5.0.3
     repository: https://dl.gitea.io/charts/
     condition: gitea.enabled
   - name: jenkins
-    version: 3.11.3
+    version: 3.11.10
     repository: https://charts.jenkins.io
     condition: jenkins.enabled
   - name: trivy
-    version: 0.4.9
+    version: 0.4.12
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
 

charts/kubezero-ci/README.md.gotmpl

@@ -28,4 +28,7 @@
 
 ## Resources
 
+### JVM tuning in containers
+- https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers?extIdCarryOver=true&sc_cid=701f2000001Css5AAC
+
 {{ template "chart.valuesSection" . }}

charts/kubezero-ci/values.yaml

@@ -17,7 +17,7 @@ gitea:
   enabled: false
 
   image:
-    tag: 1.16.1
+    tag: 1.16.5
     rootless: true
 
   securityContext:
@@ -69,14 +69,14 @@ jenkins:
   enabled: false
 
   controller:
-    tagLabel: alpine
+    tag: 2.332.2-lts-jdk17-preview
+    #tagLabel: alpine
     disableRememberMe: true
     prometheus:
       enabled: false
     testEnabled: false
     enableRawHtmlMarkupFormatter: true
-    # javaOpts: "-Xms512m -Xmx512m"
-    javaOpts: "-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""
+    javaOpts: "-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""
     jenkinsOpts: "--sessionTimeout=180 --sessionEviction=3600"
 
     resources:
@@ -114,14 +114,15 @@ jenkins:
                       numToKeepStr: "10"
 
     installPlugins:
-      - kubernetes:1.31.3
+      - kubernetes:3580.v78271e5631dc
       - workflow-aggregator:2.6
-      - git:4.10.3
-      - configuration-as-code:1346.ve8cfa_3473c94
+      - git:4.11.0
+      - configuration-as-code:1414.v878271fc496f
       - antisamy-markup-formatter:2.7
-      - prometheus:2.0.10
+      - prometheus:2.0.11
       - htmlpublisher:1.29
       - build-discarder:60.v1747b0eb632a
+      - dark-theme:156.v6cf16af6f9ef
 
   serviceAccountAgent:
     create: true
@@ -130,22 +131,22 @@ jenkins:
   # Preconfigure agents to use zdt podman requires fuse/overlayfs
   agent:
     image: public.ecr.aws/zero-downtime/jenkins-podman
-    tag: v0.2.4-6
+    tag: v0.2.4-21
     resources:
       requests:
         cpu: "512m"
-        memory: "512Mi"
+        memory: "1024Mi"
       limits:
-        cpu: "1"
-        memory: "2048Mi"
-    alwaysPullImage: true
+        cpu: "4"
+        memory: "6144Mi"
+    #alwaysPullImage: true
     podRetention: "Default"
     showRawYaml: false
     podName: "podman-aws"
     customJenkinsLabels:
     - podman-aws-trivy
     idleMinutes: 10
-    containerCap: 4
+    containerCap: 2
     annotations:
       container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
     # envVars:

charts/kubezero-metrics/jsonnet/build.sh

@@ -10,7 +10,7 @@ if [ -r jsonnetfile.lock.json ]; then
   jb update
 else
   #jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@main
-  jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@release-0.9
+  jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@release-0.10
 fi
 
 make clean

charts/kubezero-metrics/values.yaml

@@ -73,6 +73,8 @@ kube-prometheus-stack:
     enabled: true
 
   prometheus-node-exporter:
+    hostRootFsMount:
+      enabled: false
     prometheus:
       monitor:
         relabelings:

charts/kubezero-network/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-network
 description: KubeZero umbrella chart for all things network
 type: application
-version: 0.1.7
+version: 0.2.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,7 +16,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: cilium
-    version: 1.10.5
+    version: 1.11.3
     repository: https://helm.cilium.io/
     condition: cilium.enabled
   - name: metallb

charts/kubezero-network/charts/calico/Chart.yaml

@@ -3,7 +3,7 @@ name: calico
 description: KubeZero Chart for Calico
 type: application
 version: 0.2.2
-appVersion: v3.16.5
+appVersion: v3.16.10
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-network/charts/calico/templates/calico.yaml

@@ -518,7 +518,7 @@ spec:
               mountPath: /sys/fs/
               # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
               # If the host is known to mount that filesystem already then Bidirectional can be omitted.
-              mountPropagation: Bidirectional
+              # mountPropagation: Bidirectional
       volumes:
         # Used by calico-node.
         - name: lib-modules
@@ -541,7 +541,7 @@ spec:
         # Used to install CNI.
         - name: cni-bin-dir
           hostPath:
-            path: /opt/cni/bin
+            path: /usr/libexec/cni
         - name: cni-net-dir
           hostPath:
             path: /etc/cni/net.d

charts/kubezero-network/templates/multus/daemonset.yaml

@@ -115,6 +115,7 @@ spec:
         args:
         - "--multus-conf-file=auto"
         - "--rename-conf-file=true"
+        - "--cni-bin-dir=/host/usr/libexec/cni"
         - "--cni-version=0.3.1"
         resources:
           requests:
@@ -133,7 +134,7 @@ spec:
         - name: cni
           mountPath: /host/etc/cni/net.d
         - name: cnibin
-          mountPath: /host/opt/cni/bin
+          mountPath: /host/usr/libexec/cni
         - name: multus-cfg
           mountPath: /tmp/multus-conf
       terminationGracePeriodSeconds: 10
@@ -146,7 +147,7 @@ spec:
             path: /etc/cni/net.d
         - name: cnibin
           hostPath:
-            path: /opt/cni/bin
+            path: /usr/libexec/cni
         - name: multus-cfg
           configMap:
             name: multus-cni-config

charts/kubezero-storage/Chart.yaml

@@ -28,7 +28,7 @@ dependencies:
     condition: gemini.enabled
     # repository: https://charts.fairwinds.com/stable
   - name: aws-ebs-csi-driver
-    version: 2.6.3
+    version: 2.6.4
     condition: aws-ebs-csi-driver.enabled
     # repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver

charts/kubezero-storage/charts/aws-ebs-csi-driver/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Helm chart
 
+## v2.6.4
+
+* Remove exposure all secrets to external-snapshotter-role
+
 ## v2.6.3
 
 * Bump app/driver to version `v1.5.1`

charts/kubezero-storage/charts/aws-ebs-csi-driver/Chart.yaml

@@ -19,4 +19,4 @@ maintainers:
 name: aws-ebs-csi-driver
 sources:
 - https://github.com/kubernetes-sigs/aws-ebs-csi-driver
-version: 2.6.3
+version: 2.6.4

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml

@@ -9,9 +9,13 @@ rules:
   - apiGroups: [ "" ]
     resources: [ "events" ]
     verbs: [ "list", "watch", "create", "update", "patch" ]
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "get", "list" ]
+  # Secret permission is optional.
+  # Enable it if your driver needs secret.
+  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+  # - apiGroups: [ "" ]
+  #   resources: [ "secrets" ]
+  #   verbs: [ "get", "list" ]
   - apiGroups: [ "snapshot.storage.k8s.io" ]
     resources: [ "volumesnapshotclasses" ]
     verbs: [ "get", "list", "watch" ]

charts/kubezero/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero
 description: KubeZero - Root App of Apps chart
 type: application
-version: 1.21.9-4
+version: 1.22.8-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero/README.md

@@ -1,6 +1,6 @@
 # kubezero
 
-![Version: 1.21.9](https://img.shields.io/badge/Version-1.21.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.22.8-1](https://img.shields.io/badge/Version-1.22.8--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero - Root App of Apps chart
 
@@ -14,7 +14,7 @@ KubeZero - Root App of Apps chart
 
 ## Requirements
 
-Kubernetes: `>= 1.20.0`
+Kubernetes: `>= 1.22.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
@@ -26,29 +26,27 @@ Kubernetes: `>= 1.20.0`
 |-----|------|---------|-------------|
 | HighAvailableControlplane | bool | `false` |  |
 | addons.enabled | bool | `false` |  |
-| addons.targetRevision | string | `"0.2.4"` |  |
+| addons.targetRevision | string | `"0.4.1"` |  |
 | argocd.enabled | bool | `false` |  |
 | argocd.istio.enabled | bool | `false` |  |
 | argocd.namespace | string | `"argocd"` |  |
-| argocd.targetRevision | string | `"0.9.4"` |  |
+| argocd.targetRevision | string | `"0.9.6"` |  |
 | cert-manager.enabled | bool | `false` |  |
 | cert-manager.namespace | string | `"cert-manager"` |  |
-| cert-manager.targetRevision | string | `"0.8.0"` |  |
+| cert-manager.targetRevision | string | `"0.8.2"` |  |
 | istio-ingress.enabled | bool | `false` |  |
 | istio-ingress.namespace | string | `"istio-ingress"` |  |
 | istio-ingress.targetRevision | string | `"0.7.6"` |  |
 | istio.enabled | bool | `false` |  |
 | istio.namespace | string | `"istio-system"` |  |
 | istio.targetRevision | string | `"0.7.6"` |  |
-| kiam.enabled | bool | `false` |  |
-| kiam.targetRevision | string | `"0.3.5"` |  |
 | kubezero.defaultTargetRevision | string | `"*"` |  |
 | kubezero.gitSync | object | `{}` |  |
 | kubezero.repoURL | string | `"https://cdn.zero-downtime.net/charts"` |  |
 | kubezero.server | string | `"https://kubernetes.default.svc"` |  |
 | logging.enabled | bool | `false` |  |
 | logging.namespace | string | `"logging"` |  |
-| logging.targetRevision | string | `"0.7.17"` |  |
+| logging.targetRevision | string | `"0.7.19"` |  |
 | metrics.enabled | bool | `false` |  |
 | metrics.istio.grafana | object | `{}` |  |
 | metrics.istio.prometheus | object | `{}` |  |
@@ -56,11 +54,11 @@ Kubernetes: `>= 1.20.0`
 | metrics.targetRevision | string | `"0.7.4"` |  |
 | network.enabled | bool | `false` |  |
 | network.retain | bool | `true` |  |
-| network.targetRevision | string | `"0.1.0"` |  |
+| network.targetRevision | string | `"0.1.7"` |  |
 | storage.aws-ebs-csi-driver.enabled | bool | `false` |  |
 | storage.aws-efs-csi-driver.enabled | bool | `false` |  |
 | storage.enabled | bool | `false` |  |
-| storage.targetRevision | string | `"0.5.2"` |  |
+| storage.targetRevision | string | `"0.5.7"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)

charts/kubezero/templates/kiam.yaml

@@ -1,20 +0,0 @@
-{{- define "kiam-values" }}
-kiam:
-  server:
-    assumeRoleArn: "{{ .Values.kiam.IamArn }}"
-    deployment:
-      replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }}
-    prometheus:
-      servicemonitor:
-        enabled: {{ .Values.metrics.enabled }}
-  agent:
-    prometheus:
-      servicemonitor:
-        enabled: {{ .Values.metrics.enabled }}
-{{- end }}
-
-
-{{- define "kiam-argo" }}
-{{- end }}
-
-{{ include "kubezero-app.app" . }}

charts/kubezero/values.yaml

@@ -20,11 +20,6 @@ cert-manager:
   namespace: cert-manager
   targetRevision: 0.8.2
 
-# deprecated - removed with 1.22
-kiam:
-  enabled: false
-  targetRevision: 0.3.5
-
 storage:
   enabled: false
   targetRevision: 0.5.7
@@ -54,7 +49,7 @@ metrics:
 logging:
   enabled: false
   namespace: logging
-  targetRevision: 0.7.18
+  targetRevision: 0.8.0
 
 argocd:
   enabled: false

scripts/publish.sh

@@ -13,30 +13,41 @@ mkdir -p $TMPDIR
 
 [ -z "$DEBUG" ] && trap 'rm -rf $TMPDIR' ERR EXIT
 
-for dir in $(find -L $SRCROOT/charts -mindepth 1 -maxdepth 1 -type d);
-do
-    name=$(basename $dir)
-    [[ $name =~ $CHARTS ]] || continue
 
-    #if [ $(helm dep list $dir 2>/dev/null| wc -l) -gt 1 ]
-    #then
-    #    echo "Processing chart dependencies"
-    #    rm -rf $dir/tmpcharts
-    #    helm dependency update --skip-refresh $dir
-    #fi
+function reset_index() {
+  aws s3 sync $REPO_URL_S3/ $TMPDIR/
+  helm repo index $TMPDIR --url $REPO_URL
+  aws s3 cp $TMPDIR/index.yaml $REPO_URL_S3/ --cache-control max-age=1
+}
 
-    echo "Processing $dir"
-    helm lint $dir
-    helm package -d $TMPDIR $dir
-done
 
-curl -L -s -o $TMPDIR/index.yaml ${REPO_URL}/index.yaml
+function publish_chart() {
+  for dir in $(find -L $SRCROOT/charts -mindepth 1 -maxdepth 1 -type d);
+  do
+      name=$(basename $dir)
+      [[ $name =~ $CHARTS ]] || continue
 
-helm repo index $TMPDIR --url $REPO_URL --merge $TMPDIR/index.yaml
+      #if [ $(helm dep list $dir 2>/dev/null| wc -l) -gt 1 ]
+      #then
+      #    echo "Processing chart dependencies"
+      #    rm -rf $dir/tmpcharts
+      #    helm dependency update --skip-refresh $dir
+      #fi
 
-for p in $TMPDIR/*.tgz; do
-  aws s3 cp $p $REPO_URL_S3/
-done
-aws s3 cp $TMPDIR/index.yaml $REPO_URL_S3/ --cache-control max-age=1
+      echo "Processing $dir"
+      helm lint $dir
+      helm package -d $TMPDIR $dir
+  done
 
-rm -rf $TMPDIR
+  curl -L -s -o $TMPDIR/index.yaml ${REPO_URL}/index.yaml
+  helm repo index $TMPDIR --url $REPO_URL --merge $TMPDIR/index.yaml
+
+  for p in $TMPDIR/*.tgz; do
+    aws s3 cp $p $REPO_URL_S3/
+  done
+  aws s3 cp $TMPDIR/index.yaml $REPO_URL_S3/ --cache-control max-age=1
+}
+
+
+publish_chart
+#reset_index