chore(deps): update kubezero-metrics-dependencies

9725c2ef fix: ensure we dont remove rc builds

git-subtree-dir: .ci
git-subtree-split: 9725c2ef8842467951ec60adb1b45dfeca7618f5

.ci/README.md

@@ -14,7 +14,7 @@ include .ci/podman.mk
 
 Add subtree to your project:
 ```
-git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash
 ```
 
 

.ci/ecr_public_lifecycle.py

@@ -41,7 +41,8 @@ for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
         _delete = True
         for tag in image["imageTags"]:
             # Look for at least one tag NOT beign a SemVer dev tag
-            if "-" not in tag:
+            # untagged dev builds get tagged as <tag>-g<commit>
+            if "-g" not in tag and "dirty" not in tag:
                 _delete = False
         if _delete:
             print("Deleting development image {}".format(image["imageTags"]))

.ci/podman.mk

@@ -8,8 +8,8 @@ SHELL := bash
 .PHONY: all # All targets are accessible for user
 .DEFAULT: help # Running Make will run the help target
 
-# Parse version from latest git semver tag
-GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+# Parse version from latest git semver tag, use short commit otherwise
+GIT_TAG ?= $(shell git describe --tags --match v*.*.* --dirty 2>/dev/null || git describe --match="" --always --dirty 2>/dev/null)
 GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 
 TAG ::= $(GIT_TAG)
@@ -85,7 +85,7 @@ rm-image:
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
+	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash -m "Merge latest ci-tools-lib"
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

Dockerfile

@@ -5,8 +5,8 @@ FROM docker.io/alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31
 
-ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.4"
+ARG SOPS_VERSION="3.10.1"
+ARG VALS_VERSION="0.40.1"
 ARG HELM_SECRETS_VERSION="4.6.3"
 
 RUN cd /etc/apk/keys && \

README.md

@@ -19,7 +19,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform
 
 # Version / Support Matrix
 KubeZero releases track the same *minor* version of Kubernetes.
-Any 1.30.X-Y release of Kubezero supports any Kubernetes cluster 1.30.X.
+Any 1.31.X-Y release of Kubezero supports any Kubernetes cluster 1.31.X.
 
 KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed.
 
@@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo
 gantt
     title KubeZero Support Timeline
     dateFormat  YYYY-MM-DD
-    section 1.29
-    beta     :129b, 2024-07-01, 2024-07-31
-    release  :after 129b, 2024-11-30
     section 1.30
     beta     :130b, 2024-09-01, 2024-10-31
-    release  :after 130b, 2025-02-28
+    release  :after 130b, 2025-04-30
     section 1.31
-    beta     :131b, 2024-12-01, 2025-01-30
-    release  :after 131b, 2025-04-30
+    beta     :131b, 2024-12-01, 2025-02-28
+    release  :after 131b, 2025-06-30
+    section 1.32
+    beta     :132b, 2025-04-01, 2025-05-19
+    release  :after 132b, 2025-09-30
 ```
 
 [Upstream release policy](https://kubernetes.io/releases/)
@@ -44,7 +44,7 @@ gantt
 # Components
 
 ## OS
-- all compute nodes are running on Alpine V3.20
+- all compute nodes are running on Alpine V3.21
 - 1 or 2 GB encrypted root file system
 - no external dependencies at boot time, apart from container registries
 - focused on security and minimal footprint

admin/hooks-1.31.sh

@@ -17,7 +17,7 @@ post_control_plane_upgrade_cluster() {
   # delete previous root app controlled by kubezero module
   kubectl delete application kubezero-git-sync -n argocd || true
 
-  # Patch appproject to keep SyncWindow in place
+  # only patch appproject to keep SyncWindow in place
   kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true
   kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
 }

admin/kubezero.sh

@@ -111,35 +111,42 @@ post_kubeadm() {
 }
 
 
-# Control plane upgrade
-control_plane_upgrade() {
-  CMD=$1
+# Migrate KubeZero Config to current version
+upgrade_kubezero_config() {
+  # get current values, argo app over cm
+  get_kubezero_values $ARGOCD
 
+  # tumble new config through migrate.py
+  migrate_argo_values.py < "$WORKDIR"/kubezero-values.yaml > "$WORKDIR"/new-kubezero-values.yaml \
+    && mv "$WORKDIR"/new-kubezero-values.yaml "$WORKDIR"/kubezero-values.yaml
+
+  update_kubezero_cm
+
+  if [ "$ARGOCD" == "true" ]; then
+    # update argo app
+    export kubezero_chart_version=$(yq .version $CHARTS/kubezero/Chart.yaml)
+    kubectl get application kubezero -n argocd -o yaml | \
+      yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
+      > $WORKDIR/new-argocd-app.yaml
+      kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
+  fi
+}
+
+
+# Control plane upgrade
+kubeadm_upgrade() {
   ARGOCD=$(argo_used)
 
   render_kubeadm upgrade
 
-  if [[ "$CMD" =~ ^(cluster)$ ]]; then
+  # Check if we already have all controllers on the current version
+  OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
+
+  # run control plane upgrade
+  if [ "$OLD_CONTROLLERS" != "0" ]; then
+
     pre_control_plane_upgrade_cluster
 
-    # get current values, argo app over cm
-    get_kubezero_values $ARGOCD
-
-    # tumble new config through migrate.py
-    migrate_argo_values.py < "$WORKDIR"/kubezero-values.yaml > "$WORKDIR"/new-kubezero-values.yaml \
-      && mv "$WORKDIR"/new-kubezero-values.yaml "$WORKDIR"/kubezero-values.yaml
-
-    update_kubezero_cm
-
-    if [ "$ARGOCD" == "true" ]; then
-      # update argo app
-      export kubezero_chart_version=$(yq .version $CHARTS/kubezero/Chart.yaml)
-      kubectl get application kubezero -n argocd -o yaml | \
-        yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
-        > $WORKDIR/new-argocd-app.yaml
-        kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
-    fi
-
     pre_kubeadm
 
     _kubeadm init phase upload-config kubeadm
@@ -155,7 +162,8 @@ control_plane_upgrade() {
 
     echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm."
 
-  elif [[ "$CMD" =~ ^(final)$ ]]; then
+  # All controllers already on current version
+  else
     pre_cluster_upgrade_final
 
     # Finally upgrade addons last, with 1.32 we can ONLY call addon phase
@@ -411,12 +419,8 @@ for t in $@; do
     bootstrap) control_plane_node bootstrap;;
     join) control_plane_node join;;
     restore) control_plane_node restore;;
-    kubeadm_upgrade)
-      control_plane_upgrade cluster
-      ;;
-    finalize_cluster_upgrade)
-      control_plane_upgrade final
-      ;;
+    upgrade_control_plane) kubeadm_upgrade;;
+    upgrade_kubezero) upgrade_kubezero_config;;
     apply_*)
       ARGOCD=$(argo_used)
       apply_module "${t##apply_}";;

admin/libhelm.sh

@@ -80,6 +80,19 @@ function get_kubezero_secret() {
   get_secret_val kubezero kubezero-secrets "$1"
 }
 
+function ensure_kubezero_secret_key() {
+  local secret="$(kubectl get secret -n kubezero kubezero-secrets -o yaml)"
+  local key=""
+  local val=""
+
+  for key in $@; do
+    val=$(echo "$secret" | yq ".data.\"$key\"")
+    if [ "$val" == "null" ]; then
+      kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"\" }}"
+    fi
+  done
+}
+
 
 function set_kubezero_secret() {
   local key="$1"
@@ -340,7 +353,7 @@ EOF
 }
 
 
-function control_plane_upgrade() {
+function admin_job() {
   TASKS="$1"
 
   [ -z "$KUBE_VERSION" ] && KUBE_VERSION="latest"
@@ -350,7 +363,7 @@ function control_plane_upgrade() {
 apiVersion: v1
 kind: Pod
 metadata:
-  name: kubezero-upgrade
+  name: kubezero-admin-job
   namespace: kube-system
   labels:
     app: kubezero-upgrade
@@ -395,10 +408,10 @@ spec:
   restartPolicy: Never
 EOF
 
-  kubectl wait pod kubezero-upgrade -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null
+  kubectl wait pod kubezero-admin-job -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null
   while true; do
-    kubectl logs kubezero-upgrade -n kube-system -f 2>/dev/null && break
+    kubectl logs kubezero-admin-job -n kube-system -f 2>/dev/null && break
     sleep 3
   done
-  kubectl delete pod kubezero-upgrade -n kube-system
+  kubectl delete pod kubezero-admin-job -n kube-system
 }

admin/upgrade_cluster.sh

@@ -15,37 +15,28 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 ARGOCD=$(argo_used)
 
 echo "Checking that all pods in kube-system are running ..."
-#waitSystemPodsRunning
+waitSystemPodsRunning
 
 [ "$ARGOCD" == "true" ] && disable_argo
 
-# Check if we already have all controllers on the current version
-#OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
-
-if [ "$OLD_CONTROLLERS" == "0" ]; then
-  # All controllers already on current version
-  control_plane_upgrade finalize_cluster_upgrade
-else
-  # Otherwise run control plane upgrade
-  control_plane_upgrade kubeadm_upgrade
-fi
-
-echo "<Return> to continue"
-read -r
+admin_job "upgrade_control_plane, upgrade_kubezero"
 
 #echo "Adjust kubezero values as needed:"
 # shellcheck disable=SC2015
 #[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero
 
+#echo "<Return> to continue"
+#read -r
+
 # upgrade modules
-control_plane_upgrade "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators"
+admin_job "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators"
 
 echo "Checking that all pods in kube-system are running ..."
 waitSystemPodsRunning
 
 echo "Applying remaining KubeZero modules..."
 
-control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
+admin_job "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
 
 # we replace the project during v1.31 so disable again
 [ "$ARGOCD" == "true" ] && disable_argo
@@ -60,6 +51,12 @@ while true; do
   sleep 1
 done
 
+echo "Once all controller nodes are running on $KUBE_VERSION, <return> to continue"
+read -r
+
+# Final control plane upgrades
+admin_job "upgrade_control_plane"
+
 echo "Please commit $ARGO_APP as the updated kubezero/application.yaml for your cluster."
 echo "Then head over to ArgoCD for this cluster and sync all KubeZero modules to apply remaining upgrades."
 

charts/kubezero-addons/Chart.yaml

@@ -3,7 +3,7 @@ name: kubezero-addons
 description: KubeZero umbrella chart for various optional cluster addons
 type: application
 version: 0.8.13
-appVersion: v1.30
+appVersion: v1.31
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-argo/README.md

@@ -54,21 +54,25 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.9"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.9-1"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
 | argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
+| argo-cd.kubezero.password | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password"` |  |
 | argo-cd.kubezero.path | string | `"/"` |  |
 | argo-cd.kubezero.repoUrl | string | `""` |  |
 | argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` |  |
 | argo-cd.kubezero.targetRevision | string | `"HEAD"` |  |
+| argo-cd.kubezero.username | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username"` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
+| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
+| argo-cd.repoServer.volumes[0].name | string | `"cmp-tmp"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |

charts/kubezero-argo/hooks.d/pre-install.sh

@@ -18,12 +18,9 @@ if [ -z "$PW" ]; then
   set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi
 
-# GitSync privateKey
-GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
-if [ -z "$GITKEY" ]; then
-  set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
-fi
-
 # Redis secret
 kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
     --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+# required keys in kubezero-secrets, as --ignore-missing-values in helm-secrets doesnt work with vals ;-(
+ensure_kubezero_secret_key argo-cd.kubezero.username argo-cd.kubezero.password argo-cd.kubezero.sshPrivateKey

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -19,12 +19,15 @@ spec:
     targetRevision: {{ .targetRevision }}
     path: {{ .path }}
     {{- end }}
-    directory:
-      recurse: true
+    plugin:
+      name: kubezero-git-sync
   syncPolicy:
     automated:
       prune: true
     syncOptions:
       - ServerSideApply=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/"
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,5 +12,10 @@ stringData:
   name: kubezero-git-sync
   type: git
   url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
+  username: {{ index .Values "argo-cd" "kubezero" "username" }}
+  password: {{ index .Values "argo-cd" "kubezero" "password" }}
+  {{- else }}
   sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
+  {{- end }}
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:

charts/kubezero-argo/values.yaml

@@ -25,7 +25,7 @@ argo-events:
       # do NOT use -alpine tag as the entrypoint differs
       versions:
         - version: 2.10.11
-          natsImage: nats:2.10.11-scratch
+          natsImage: nats:2.11.1-scratch
           metricsExporterImage: natsio/prometheus-nats-exporter:0.16.0
           configReloaderImage: natsio/nats-server-config-reloader:0.14.1
           startCommand: /nats-server
@@ -38,7 +38,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.9
+      tag: v2.14.9-1
     networkPolicy:
       create: true
 
@@ -125,6 +125,34 @@ argo-cd:
           resources: ["secrets"]
           verbs: ["get", "watch", "list"]
 
+    # cmp kubezero-git-sync plugin
+    # @ignored
+    extraContainers:
+      - name: cmp-kubezero-git-sync
+        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
+        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+
   server:
     # Rename former https port to grpc, works with istio + insecure
     service:
@@ -164,6 +192,8 @@ argo-cd:
     path: "/"
     targetRevision: HEAD
     sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
+    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
+    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password
 
 argocd-image-updater:
   enabled: false

charts/kubezero-cache/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cache
 description: KubeZero Cache module
 type: application
-version: 0.1.0
+version: 0.1.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,11 +17,11 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: redis
-    version: 20.0.3
+    version: 20.11.5
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
   - name: redis-cluster
-    version: 11.0.2
+    version: 11.5.0
     repository: https://charts.bitnami.com/bitnami
     condition: redis-cluster.enabled
 

charts/kubezero-graph/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-graph
 description: KubeZero GraphQL and GraphDB
 type: application
-version: 0.1.0
+version: 0.1.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,7 +16,7 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: neo4j
-    version: 5.26.0
+    version: 2025.3.0
     repository: https://helm.neo4j.com/neo4j
     condition: neo4j.enabled
 

charts/kubezero-graph/README.md

@@ -1,6 +1,6 @@
 # kubezero-graph
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero GraphQL and GraphDB
 
@@ -18,8 +18,8 @@ Kubernetes: `>= 1.29.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.2.1 |
-| https://helm.neo4j.com/neo4j | neo4j | 5.26.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
+| https://helm.neo4j.com/neo4j | neo4j | 2025.3.0 |
 
 ## Values
 
@@ -28,6 +28,8 @@ Kubernetes: `>= 1.29.0-0`
 | neo4j.disableLookups | bool | `true` |  |
 | neo4j.enabled | bool | `false` |  |
 | neo4j.neo4j.name | string | `"test-db"` |  |
+| neo4j.neo4j.password | string | `"secret"` |  |
+| neo4j.neo4j.passwordFromSecret | string | `"neo4j-admin"` |  |
 | neo4j.serviceMonitor.enabled | bool | `false` |  |
 | neo4j.services.neo4j.enabled | bool | `false` |  |
 | neo4j.volumes.data.mode | string | `"defaultStorageClass"` |  |

charts/kubezero-metrics/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
     repository: https://prometheus-community.github.io/helm-charts
     condition: prometheus-adapter.enabled
   - name: prometheus-pushgateway
-    version: 3.1.0
+    version: 3.1.1
     repository: https://prometheus-community.github.io/helm-charts
     condition: prometheus-pushgateway.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-mq/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-mq
 description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 type: application
-version: 0.3.10
+version: 0.3.11
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,11 +17,11 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: nats
-    version: 1.2.2
+    version: 1.3.3
     repository: https://nats-io.github.io/k8s/helm/charts/
     condition: nats.enabled
   - name: rabbitmq
-    version: 14.6.6
+    version: 14.7.0
     repository: https://charts.bitnami.com/bitnami
     condition: rabbitmq.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-mq/README.md

@@ -1,6 +1,6 @@
 # kubezero-mq
 
-![Version: 0.3.10](https://img.shields.io/badge/Version-0.3.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.11](https://img.shields.io/badge/Version-0.3.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.bitnami.com/bitnami | rabbitmq | 14.6.6 |
-| https://nats-io.github.io/k8s/helm/charts/ | nats | 1.2.2 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
+| https://charts.bitnami.com/bitnami | rabbitmq | 14.7.0 |
+| https://nats-io.github.io/k8s/helm/charts/ | nats | 1.3.3 |
 
 ## Values
 
@@ -34,13 +34,6 @@ Kubernetes: `>= 1.26.0`
 | nats.natsBox.enabled | bool | `false` |  |
 | nats.promExporter.enabled | bool | `false` |  |
 | nats.promExporter.podMonitor.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
-| rabbitmq-cluster-operator.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
-| rabbitmq-cluster-operator.rabbitmqImage.tag | string | `"3.11.4-debian-11-r0"` |  |
-| rabbitmq-cluster-operator.useCertManager | bool | `true` |  |
 | rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` |  |
 | rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` |  |
 | rabbitmq.auth.tls.enabled | bool | `false` |  |

charts/kubezero-mq/templates/nats/grafana-dashboards.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.nats.exporter.serviceMonitor.enabled }}
+{{- if .Values.nats.promExporter.podMonitor.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/kubezero-mq/values.yaml

@@ -6,6 +6,12 @@ nats:
     jetstream:
       enabled: true
 
+  podTemplate:
+    topologySpreadConstraints:
+      kubernetes.io/hostname:
+        maxSkew: 1
+        whenUnsatisfiable: DoNotSchedule
+
   natsBox:
     enabled: false
 

charts/kubezero/templates/_app.tpl

@@ -42,6 +42,9 @@ spec:
       - ServerSideApply=true
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
 {{- include (print $name "-argo") $ }}
 {{- end }}
 

charts/kubezero/templates/_aws.tpl

@@ -0,0 +1,30 @@
+{{- define "aws-iam-env" -}}
+- name: AWS_ROLE_ARN
+  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+- name: AWS_STS_REGIONAL_ENDPOINTS
+  value: "regional"
+- name: METADATA_TRIES
+  value: "0"
+- name: AWS_REGION
+  value: {{ $.Values.global.aws.region }}
+{{- end }}
+
+
+{{- define "aws-iam-volumes" -}}
+- name: aws-token
+  projected:
+    sources:
+    - serviceAccountToken:
+        path: token
+        expirationSeconds: 86400
+        audience: "sts.amazonaws.com"
+{{- end }}
+
+
+{{- define "aws-iam-volumemounts" -}}
+- name: aws-token
+  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+  readOnly: true
+{{- end }}

charts/kubezero/templates/addons.yaml

@@ -1,6 +1,6 @@
 {{- define "addons-values" }}
 clusterBackup:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }}
 
   {{- with omit .Values.addons.clusterBackup "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -14,7 +14,7 @@ clusterBackup:
   {{- end }}
 
 forseti:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }}
 
   {{- with omit .Values.addons.forseti "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -28,7 +28,7 @@ forseti:
   {{- end }}
 
 external-dns:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }}
 
   {{- with omit (index .Values "addons" "external-dns") "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -42,32 +42,15 @@ external-dns:
     - "--aws-zone-type=public"
     - "--aws-zones-cache-duration=1h"
   env:
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 cluster-autoscaler:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
 
   autoDiscovery:
     clusterName: {{ .Values.global.clusterName }}
@@ -98,17 +81,9 @@ cluster-autoscaler:
     AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
     AWS_STS_REGIONAL_ENDPOINTS: "regional"
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 {{- with .Values.addons.fuseDevicePlugin }}
@@ -155,14 +130,7 @@ aws-node-termination-handler:
   queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
   managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}
 
 aws-eks-asg-rolling-update-handler:
   enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@@ -172,10 +140,9 @@ aws-eks-asg-rolling-update-handler:
   {{- end }}
 
   environmentVars:
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
     - name: CLUSTER_NAME
       value: {{ .Values.global.clusterName }}
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
     - name: EXECUTION_INTERVAL
       value: "60"
     - name: METRICS
@@ -184,12 +151,6 @@ aws-eks-asg-rolling-update-handler:
       value: "true"
     - name: SLOW_MODE
       value: "true"
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
 
 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:

charts/kubezero/templates/argo.yaml

@@ -23,38 +23,51 @@ argo-cd:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
   repoServer:
-    metrics:
-      enabled: {{ .Values.metrics.enabled }}
-
-    {{- if eq .Values.global.platform "aws" }}
-    env:
-      - name: AWS_ROLE_ARN
-        value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
-      - name: AWS_WEB_IDENTITY_TOKEN_FILE
-        value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-      - name: AWS_STS_REGIONAL_ENDPOINTS
-        value: "regional"
-      - name: METADATA_TRIES
-        value: "0"
-      - name: AWS_REGION
-        value: {{ .Values.global.aws.region }}
-    volumes:
-    - name: aws-token
-      projected:
-        sources:
-        - serviceAccountToken:
-            path: token
-            expirationSeconds: 86400
-            audience: "sts.amazonaws.com"
-    volumeMounts:
-    - name: aws-token
-      mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-      readOnly: true
-    {{- end }}
-
     {{- with index .Values "argo" "argo-cd" "repoServer" }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+    {{- if eq .Values.global.platform "aws" }}
+      {{- include "aws-iam-volumes" . | nindent 6 }}
+
+    env:
+      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
+    volumeMounts:
+      {{- include "aws-iam-volumemounts" . | nindent 6 }}
+
+    extraContainers:
+      - name: cmp-kubezero-git-sync
+        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
+        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        env:
+          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+          {{- include "aws-iam-volumemounts" . | nindent 10 }}
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    {{- end }}
+
   server:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
@@ -80,28 +93,11 @@ argocd-image-updater:
 
   {{- if eq .Values.global.platform "aws" }}
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
+    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
   volumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   volumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
   metrics:

charts/kubezero/templates/metrics.yaml

@@ -1,6 +1,6 @@
 {{- define "_kube-prometheus-stack" }}
 
-{{- if .global.aws.region }}
+{{- if eq .global.platform "aws" }}
 alertmanager:
   alertmanagerSpec:
     podMetadata:

charts/kubezero/values.yaml

@@ -6,7 +6,9 @@ global:
 
   highAvailable: false
 
-  aws: {}
+  aws:
+    accountId: "123456789012"
+    region: the-moon
   gcp: {}
 
 addons: