feat: First v1.29 basic control plane working

Dockerfile

@@ -3,7 +3,9 @@ ARG ALPINE_VERSION=3.20
 FROM docker.io/alpine:${ALPINE_VERSION}
 
 ARG ALPINE_VERSION
-ARG KUBE_VERSION=1.28.9
+ARG KUBE_VERSION=1.29.7
+ARG SECRETS_VERSION=4.6.0
+ARG VALS_VERSION=0.37.3
 
 RUN cd /etc/apk/keys && \
     wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
@@ -29,6 +31,13 @@ RUN cd /etc/apk/keys && \
 RUN helm repo add kubezero https://cdn.zero-downtime.net/charts && \
     mkdir -p /var/lib/kubezero
 
+# helm secrets
+RUN mkdir -p $(helm env HELM_PLUGINS) && \
+    wget -qO - https://github.com/jkroepke/helm-secrets/releases/download/v${SECRETS_VERSION}/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
+
+# vals
+RUN wget -qO - https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -C /usr/local/bin -xzf- vals
+
 ADD admin/kubezero.sh admin/libhelm.sh admin/migrate_argo_values.py /usr/bin
 ADD admin/libhelm.sh /var/lib/kubezero
 

admin/kubezero.sh

@@ -149,8 +149,8 @@ kubeadm_upgrade() {
   post_kubeadm
 
   # If we have a re-cert kubectl config install for root
-  if [ -f ${HOSTFS}/etc/kubernetes/admin.conf ]; then
+  if [ -f ${HOSTFS}/etc/kubernetes/super-admin.conf ]; then
-    cp ${HOSTFS}/etc/kubernetes/admin.conf ${HOSTFS}/root/.kube/config
+    cp ${HOSTFS}/etc/kubernetes/super-admin.conf ${HOSTFS}/root/.kube/config
   fi
 
   # post upgrade hook
@@ -190,7 +190,7 @@ control_plane_node() {
     cp -r ${WORKDIR}/pki ${HOSTFS}/etc/kubernetes
 
     # Always use kubeadm kubectl config to never run into chicken egg with custom auth hooks
-    cp ${WORKDIR}/admin.conf ${HOSTFS}/root/.kube/config
+    cp ${WORKDIR}/super-admin.conf ${HOSTFS}/root/.kube/config
 
     # Only restore etcd data during "restore" and none exists already
     if [[ "$CMD" =~ ^(restore)$ ]]; then
@@ -258,7 +258,7 @@ control_plane_node() {
 
   _kubeadm init phase kubelet-start
 
-  cp ${HOSTFS}/etc/kubernetes/admin.conf ${HOSTFS}/root/.kube/config
+  cp ${HOSTFS}/etc/kubernetes/super-admin.conf ${HOSTFS}/root/.kube/config
 
   # Wait for api to be online
   echo "Waiting for Kubernetes API to be online ..."
@@ -347,7 +347,7 @@ delete_module() {
 # backup etcd + /etc/kubernetes/pki
 backup() {
   # Display all ENVs, careful this exposes the password !
-  [ -n "$DEBUG" ] && env 
+  [ -n "$DEBUG" ] && env
 
   restic snapshots || restic init || exit 1
 
@@ -361,7 +361,8 @@ backup() {
 
   # pki & cluster-admin access
   cp -r ${HOSTFS}/etc/kubernetes/pki ${WORKDIR}
-  cp -r ${HOSTFS}/etc/kubernetes/admin.conf ${WORKDIR}
+  cp ${HOSTFS}/etc/kubernetes/admin.conf ${WORKDIR}
+  cp ${HOSTFS}/etc/kubernetes/super-admin.conf ${WORKDIR}
 
   # Backup via restic
   restic backup ${WORKDIR} -H $CLUSTERNAME --tag $CLUSTER_VERSION

charts/kubeadm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm cluster config
 type: application
-version: 1.28.9
+version: 1.29.7
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubeadm/templates/KubeletConfiguration.yaml

@@ -33,5 +33,6 @@ kubeReserved:
 #evictionHard:
 #  memory.available: "484Mi"
 imageGCLowThresholdPercent: 70
+imageMaximumGCAge: 168h
 serializeImagePulls: false
 maxParallelImagePulls: 4

charts/kubeadm/templates/_helpers.tpl

@@ -2,10 +2,9 @@
 {{- /* Issues: MemoryQoS */ -}}
 {{- /* v1.28: PodAndContainerStatsFromCRI still not working */ -}}
 {{- /* v1.28: UnknownVersionInteroperabilityProxy requires StorageVersionAPI which is still alpha in 1.30 */ -}}
-{{- /* v1.29: remove/beta SidecarContainers */ -}}
 {{- /* v1.30: remove/beta KubeProxyDrainingTerminatingNodes */ -}}
 {{- define "kubeadm.featuregates" }}
-{{- $gates := list "CustomCPUCFSQuotaPeriod" "SidecarContainers" "KubeProxyDrainingTerminatingNodes" }}
+{{- $gates := list "CustomCPUCFSQuotaPeriod" "KubeProxyDrainingTerminatingNodes" "ImageMaximumGCAge" }}
 {{- if eq .return "csv" }}
 {{- range $key := $gates }}
 {{- $key }}=true,

charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml

@@ -117,7 +117,7 @@ spec:
 
       containers:
       - name: aws-iam-authenticator
-        image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.6.14
+        image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.6.22
         args:
         - server
         - --backend-mode=CRD,MountedFile

charts/kubezero-addons/README.md

@@ -1,6 +1,6 @@
 # kubezero-addons
 
-![Version: 0.8.7](https://img.shields.io/badge/Version-0.8.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.28](https://img.shields.io/badge/AppVersion-v1.28-informational?style=flat-square)
+![Version: 0.8.8](https://img.shields.io/badge/Version-0.8.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.28](https://img.shields.io/badge/AppVersion-v1.28-informational?style=flat-square)
 
 KubeZero umbrella chart for various optional cluster addons
 
@@ -18,12 +18,12 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.15.3 |
+| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.16.0 |
-| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.14.4 |
+| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.14.5 |
-| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.36.0 |
+| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.37.0 |
-| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.15.0 |
+| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.16.0 |
 | https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.5.0 |
-| oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.23.0 |
+| oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.24.0 |
 
 # MetalLB   
    
@@ -110,7 +110,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | cluster-autoscaler.extraArgs.scan-interval | string | `"30s"` |  |
 | cluster-autoscaler.extraArgs.skip-nodes-with-local-storage | bool | `false` |  |
 | cluster-autoscaler.image.repository | string | `"registry.k8s.io/autoscaling/cluster-autoscaler"` |  |
-| cluster-autoscaler.image.tag | string | `"v1.28.2"` |  |
+| cluster-autoscaler.image.tag | string | `"v1.29.4"` |  |
 | cluster-autoscaler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cluster-autoscaler.podDisruptionBudget | bool | `false` |  |
 | cluster-autoscaler.prometheusRule.enabled | bool | `false` |  |

charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.21.0
+appVersion: 1.22.0
 description: A Helm chart for the AWS Node Termination Handler.
 home: https://github.com/aws/aws-node-termination-handler/
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
@@ -21,4 +21,4 @@ name: aws-node-termination-handler
 sources:
 - https://github.com/aws/aws-node-termination-handler/
 type: application
-version: 0.23.0
+version: 0.24.0

charts/kubezero-addons/values.yaml

@@ -200,7 +200,7 @@ cluster-autoscaler:
 
   image:
     repository: registry.k8s.io/autoscaling/cluster-autoscaler
-    tag: v1.28.2
+    tag: v1.29.4
 
   autoDiscovery:
     clusterName: ""

charts/kubezero-network/README.md

@@ -1,6 +1,6 @@
 # kubezero-network
 
-![Version: 0.5.2](https://img.shields.io/badge/Version-0.5.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.5.3](https://img.shields.io/badge/Version-0.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things network
 
@@ -20,8 +20,8 @@ Kubernetes: `>= 1.26.0`
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 | https://haproxytech.github.io/helm-charts | haproxy | 1.22.0 |
-| https://helm.cilium.io/ | cilium | 1.15.5 |
+| https://helm.cilium.io/ | cilium | 1.15.7 |
-| https://metallb.github.io/metallb | metallb | 0.14.5 |
+| https://metallb.github.io/metallb | metallb | 0.14.7 |
 
 ## Values
 

charts/kubezero-network/values.yaml

@@ -45,10 +45,6 @@ cilium:
     #-- Ensure this is false if multus is enabled
     exclusive: false
 
-# bpf:
-#   autoMount:
-#     enabled: false
-
   cluster:
     # This should match the second octet of clusterPoolIPv4PodCIDRList
     # to prevent IP space overlap and easy tracking
@@ -71,6 +67,14 @@ cilium:
       enabled: false
     hostRoot: "/sys/fs/cgroup"
 
+  # we need biDirectional so use helm init-container
+  #bpf:
+  # autoMount:
+  #   enabled: false
+
+  sysctlfix:
+    enabled: false
+
   routingMode: tunnel
   tunnelProtocol: geneve
 

charts/kubezero-telemetry/templates/opensearch/cluster.yaml

@@ -21,6 +21,7 @@ spec:
       runAsUser: 1000
       runAsGroup: 1000
       runAsNonRoot: true
+      fsGroup: 1000
     securityContext:
       allowPrivilegeEscalation: false
       privileged: false

charts/kubezero-telemetry/templates/opensearch/ism-policy.yaml

@@ -35,4 +35,5 @@ spec:
      indexPatterns:
        - "logstash-*"
        - "jaeger-*"
+      -  "otel-v1-apm-span-*"
 {{- end }}

charts/kubezero/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero
 description: KubeZero - Root App of Apps chart
 type: application
-version: 1.28.9-2
+version: 1.29.7
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero/values.yaml

@@ -11,7 +11,7 @@ global:
 
 addons:
   enabled: true
-  targetRevision: 0.8.7
+  targetRevision: 0.8.8
   external-dns:
     enabled: false
   forseti:
@@ -30,7 +30,7 @@ addons:
 network:
   enabled: true
   retain: true
-  targetRevision: 0.5.1
+  targetRevision: 0.5.3
   cilium:
     cluster: {}