docs: update support timeline

README.md

@@ -18,7 +18,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform
 
 
 # Version / Support Matrix
-KubeZero releases track the same *minor* version of Kubernetes.  
+KubeZero releases track the same *minor* version of Kubernetes.
 Any 1.26.X-Y release of Kubezero supports any Kubernetes cluster 1.26.X.
 
 KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed.
@@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo
 gantt
     title KubeZero Support Timeline
     dateFormat  YYYY-MM-DD
-    section 1.25
-    beta     :125b, 2023-03-01, 2023-03-31
-    release  :after 125b, 2023-08-01
-    section 1.26
-    beta     :126b, 2023-06-01, 2023-06-30
-    release  :after 126b, 2023-11-01
     section 1.27
     beta     :127b, 2023-09-01, 2023-09-30
-    release  :after 127b, 2024-02-01
+    release  :after 127b, 2024-04-30
+    section 1.28
+    beta     :128b, 2024-03-01, 2024-04-30
+    release  :after 128b, 2023-08-31
+    section 1.29
+    beta     :129b, 2024-06-01, 2024-06-30
+    release  :after 129b, 2024-11-30
 ```
 
 [Upstream release policy](https://kubernetes.io/releases/)
@@ -57,7 +57,7 @@ gantt
 
 ## Featured workloads
 - rootless CI/CD build platform to build containers as part of a CI pipeline, using podman / fuse device plugin support
-- containerized AI models via integrated out of the box support for Nvidia GPU workers as well as AWS Neuron  
+- containerized AI models via integrated out of the box support for Nvidia GPU workers as well as AWS Neuron
 
 ## Control plane
 - all Kubernetes components compiled against Alpine OS using `buildmode=pie`
@@ -85,12 +85,12 @@ gantt
 - CSI Snapshot controller and Gemini snapshot groups and retention
 
 ## Ingress
-- AWS Network Loadbalancer and Istio Ingress controllers  
+- AWS Network Loadbalancer and Istio Ingress controllers
 - no additional costs per exposed service
 - real client source IP available to workloads via HTTP header and access logs
 - ACME SSL Certificate handling via cert-manager incl. renewal etc.
 - support for TCP services
-- optional rate limiting support 
+- optional rate limiting support
 - optional full service mesh
 
 ## Metrics
@@ -104,4 +104,4 @@ gantt
 - flexible ElasticSearch setup, leveraging the ECK operator, for easy maintenance & minimal admin knowledge required, incl. automated backups to S3
 - Kibana allowing easy search and dashboards for all logs, incl. pre configured index templates and index management
 - [fluentd-concerter](https://git.zero-downtime.net/ZeroDownTime/container-park/src/branch/master/fluentd-concenter) service providing queuing during highload as well as additional parsing options
-- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via TLS to fluentd-concenter
+- lightweight fluent-bit agents on each node requiring minimal resources forwarding logs secure via TLS to fluentd-concenter

charts/kubezero-argo/dashboards.yaml

@@ -0,0 +1,9 @@
+configmap: grafana-dashboards
+gzip: true
+condition: 'index .Values "argo-cd" "controller" "metrics" "enabled"'
+folder: KubeZero
+dashboards:
+- name: ArgoCD
+  url: https://grafana.com/api/dashboards/14584/revisions/1/download
+  tags:
+  - ArgoCD

charts/kubezero-argo/templates/argo-cd/istio-authorization-policy.yaml

@@ -0,0 +1,28 @@
+{{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: argocd-deny-not-in-ipblocks
+  namespace: istio-system
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notIpBlocks:
+        {{- toYaml .Values.istio.ipBlocks | nindent 8 }}
+    to:
+    - operation:
+        hosts: [{{ index .Values "argo-cd" "configs" "cm" "url" | quote }}]
+    when:
+    - key: connection.sni
+      values:
+      - '*'
+{{- end }}
+{{- end }}

charts/kubezero-argo/templates/argo-cd/istio-service.yaml

@@ -0,0 +1,31 @@
+{{- if index .Values "argo-cd" "istio" "enabled" }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: argocd-server
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  gateways:
+  - {{ .Values.istio.gateway }}
+  hosts:
+  - {{ get (urlParse (index .Values "argo-cd" "configs" "cm" "url")) "host" }}
+  http:
+  - name: grpc
+    match:
+    - headers:
+        user-agent:
+          prefix: argocd-client
+    route:
+    - destination:
+        host: argocd-server
+        port:
+          number: 443
+  - name: http
+    route:
+    - destination:
+        host: argocd-server
+        port:
+          number: 80
+{{- end }}

charts/kubezero/templates/argo.yaml

@@ -0,0 +1,105 @@
+{{- define "argo-values" }}
+
+argo-cd:
+  enabled: {{ default "false" (index .Values "argo" "argo-cd" "enabled") }}
+  {{- with index .Values "argo" "argo-cd" "configs" }}
+  configs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+  controller:
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+  repoServer:
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+  server:
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+
+  {{- if and ( index .Values "argo" "argo-cd" "istio" "enabled" ) .Values.istio.enabled }}
+  istio:
+    {{- with index .Values "argo" "argo-cd" "istio" }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+
+argocd-apps:
+  projects:
+    kubezero:
+      namespace: argocd
+      description: KubeZero - ZeroDownTime Kubernetes Platform
+      sourceRepos:
+      - {{ .Values.kubezero.repoURL }}
+      {{- with .Values.kubezero.gitSync.repoURL }}
+      - {{ . }}
+      {{- end }}
+      destinations:
+      - namespace: '*'
+        server: https://kubernetes.default.svc
+      clusterResourceWhitelist:
+      - group: '*'
+        kind: '*'
+  applications:
+    kubezero-git-sync:
+      namespace: argocd
+      project: kubezero
+      source:
+        repoURL: {{ .Values.kubezero.gitSync.repoURL }}
+        targetRevision: {{ .Values.kubezero.gitSync.targetRevision }}
+        path: {{ .Values.kubezero.gitSync.path }}
+
+        directory:
+          recurse: true
+
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: argocd
+
+      {{- with .Values.kubezero.syncPolicy }}
+      syncPolicy:
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+
+argocd-image-updater:
+  enabled: {{ default "false" (index .Values "argo" "argocd-image-updater" "enabled") }}
+
+  {{- with omit (index .Values "argo" "argocd-image-updater") "enabled" }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+
+  {{- if .Values.global.aws }}
+  extraEnv:
+    - name: AWS_ROLE_ARN
+      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+    - name: AWS_STS_REGIONAL_ENDPOINTS
+      value: "regional"
+    - name: METADATA_TRIES
+      value: "0"
+    - name: AWS_REGION
+      value: {{ .Values.global.aws.region }}
+  volumes:
+  - name: aws-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: token
+          expirationSeconds: 86400
+          audience: "sts.amazonaws.com"
+  volumeMounts:
+  - name: aws-token
+    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+    readOnly: true
+  {{- end }}
+
+  metrics:
+    enabled: {{ .Values.metrics.enabled }}
+
+{{- end }}
+
+{{- define "argo-argo" }}
+{{- end }}
+
+{{ include "kubezero-app.app" . }}