chore(deps): update kubezero-mq-dependencies

Reviewed-on: #68

Dockerfile

@@ -5,8 +5,8 @@ FROM docker.io/alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31
 
-ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.4"
+ARG SOPS_VERSION="3.10.1"
+ARG VALS_VERSION="0.40.1"
 ARG HELM_SECRETS_VERSION="4.6.3"
 
 RUN cd /etc/apk/keys && \

README.md

@@ -19,7 +19,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform
 
 # Version / Support Matrix
 KubeZero releases track the same *minor* version of Kubernetes.
-Any 1.30.X-Y release of Kubezero supports any Kubernetes cluster 1.30.X.
+Any 1.31.X-Y release of Kubezero supports any Kubernetes cluster 1.31.X.
 
 KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed.
 
@@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo
 gantt
     title KubeZero Support Timeline
     dateFormat  YYYY-MM-DD
-    section 1.29
-    beta     :129b, 2024-07-01, 2024-07-31
-    release  :after 129b, 2024-11-30
     section 1.30
     beta     :130b, 2024-09-01, 2024-10-31
-    release  :after 130b, 2025-02-28
+    release  :after 130b, 2025-04-30
     section 1.31
-    beta     :131b, 2024-12-01, 2025-01-30
-    release  :after 131b, 2025-04-30
+    beta     :131b, 2024-12-01, 2025-02-28
+    release  :after 131b, 2025-06-30
+    section 1.32
+    beta     :132b, 2025-04-01, 2025-05-19
+    release  :after 132b, 2025-09-30
 ```
 
 [Upstream release policy](https://kubernetes.io/releases/)
@@ -44,7 +44,7 @@ gantt
 # Components
 
 ## OS
-- all compute nodes are running on Alpine V3.20
+- all compute nodes are running on Alpine V3.21
 - 1 or 2 GB encrypted root file system
 - no external dependencies at boot time, apart from container registries
 - focused on security and minimal footprint

admin/cluster_bootstrap.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eEx
+set -o pipefail
+set -x
+
+VALUES=$1
+
+WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
+[ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# shellcheck disable=SC1091
+. "$SCRIPT_DIR"/libhelm.sh
+CHARTS="$(dirname $SCRIPT_DIR)/charts"
+
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
+fi
+
+
+# Upload values into kubezero-values
+kubectl create ns kubezero || true
+kubectl create cm -n kubezero kubezero-values \
+    --from-file values.yaml=$VALUES || \
+    kubectl get cm -n kubezero kubezero-values -o=yaml | \
+    yq e ".data.\"values.yaml\" |= load_str($1)" | \
+    kubectl replace -f -
+
+### Main
+get_kubezero_values $ARGOCD
+
+# Always use embedded kubezero chart
+helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+
+ARTIFACTS=(network addons cert-manager storage argo)
+
+for t in ${ARTIFACTS[@]}; do
+  _helm crds $t || true
+  _helm apply $t || true
+done

admin/dev_apply.sh

@@ -9,34 +9,23 @@ ARGOCD="${3:-true}"
 
 LOCAL_DEV=1
 
-#VERSION="latest"
-KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
-
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
 
-# Guess platform from current context
-_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
-if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
-  PLATFORM=gke
-elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
-  PLATFORM=aws
-else
-  PLATFORM=nocloud
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
 fi
 
-parse_version() {
-  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
-}
-
-KUBE_VERSION=$(parse_version $KUBE_VERSION)
-
-
 ### Main
 get_kubezero_values $ARGOCD
 

admin/kubezero.sh

@@ -320,7 +320,7 @@ apply_module() {
   get_kubezero_values $ARGOCD
 
   # Always use embedded kubezero chart
-  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
 
   # CRDs first
   for t in $MODULES; do

admin/libhelm.sh

@@ -44,6 +44,25 @@ function field_manager() {
 }
 
 
+function get_kube_version() {
+  local git_version="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
+  echo $([[ $git_version =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
+}
+
+
+function get_kubezero_platform() {
+  _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
+  if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
+    PLATFORM=gke
+  elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
+    PLATFORM=aws
+  else
+    PLATFORM=nocloud
+  fi
+  echo $PLATFORM
+}
+
+
 function get_secret_val() {
   local ns=$1
   local secret=$2
@@ -83,6 +102,7 @@ function get_kubezero_values() {
   fi
 }
 
+
 # Overwrite kubezero-values CM with file
 function update_kubezero_cm() {
   kubectl get cm -n kubezero kubezero-values -o=yaml | \
@@ -90,6 +110,7 @@ function update_kubezero_cm() {
     kubectl replace -f -
 }
 
+
 # sync kubezero-values CM from ArgoCD app
 function sync_kubezero_cm_from_argo() {
   get_kubezero_values true
@@ -258,6 +279,7 @@ function _helm() {
   return 0
 }
 
+
 function all_nodes_upgrade() {
   CMD="$1"
 

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.3.1
+version: 0.3.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,15 +18,15 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-events
-    version: 2.4.14
+    version: 2.4.15
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.13
+    version: 7.8.23
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-image-updater
-    version: 0.12.0
+    version: 0.12.1
     repository: https://argoproj.github.io/argo-helm
     condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square)
+![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 
 ## Values
@@ -54,25 +54,25 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.7"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.9-1"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
 | argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
+| argo-cd.kubezero.password | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password"` |  |
 | argo-cd.kubezero.path | string | `"/"` |  |
 | argo-cd.kubezero.repoUrl | string | `""` |  |
 | argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` |  |
 | argo-cd.kubezero.targetRevision | string | `"HEAD"` |  |
+| argo-cd.kubezero.username | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username"` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
-| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
-| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
-| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
+| argo-cd.repoServer.volumes[0].name | string | `"cmp-tmp"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |

charts/kubezero-argo/hooks.d/pre-install.sh

@@ -18,12 +18,6 @@ if [ -z "$PW" ]; then
   set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi
 
-# GitSync privateKey
-GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
-if [ -z "$GITKEY" ]; then
-  set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
-fi
-
 # Redis secret
 kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
     --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)

charts/kubezero-argo/templates/argo-cd/admin-secret.yaml

@@ -9,5 +9,5 @@ metadata:
 type: Opaque
 stringData:
   admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
-  admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") }}
+  admin.passwordMtime: "2006-01-02T15:04:05Z"
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -19,12 +19,15 @@ spec:
     targetRevision: {{ .targetRevision }}
     path: {{ .path }}
     {{- end }}
-    directory:
-      recurse: true
+    plugin:
+      name: kubezero-git-sync
   syncPolicy:
     automated:
       prune: true
     syncOptions:
       - ServerSideApply=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/"
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,5 +12,10 @@ stringData:
   name: kubezero-git-sync
   type: git
   url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
+  username: {{ index .Values "argo-cd" "kubezero" "username" }}
+  password: {{ index .Values "argo-cd" "kubezero" "password" }}
+  {{- else }}
   sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
+  {{- end }}
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml

@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "bootstrap" }}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:

charts/kubezero-argo/values.yaml

@@ -38,7 +38,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.7
+      tag: v2.14.9-1
     networkPolicy:
       create: true
 
@@ -116,13 +116,6 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
-    volumes:
-      - name: kubeconfigs
-        emptyDir: {}
-    volumeMounts:
-    - mountPath: /home/argocd/.kube
-      name: kubeconfigs
-
     # Allow vals to read internal secrets across all namespaces
     # @ignored
     clusterRoleRules:
@@ -132,26 +125,33 @@ argo-cd:
           resources: ["secrets"]
           verbs: ["get", "watch", "list"]
 
+    # cmp kubezero-git-sync plugin
     # @ignored
-    initContainers:
-      - name: create-kubeconfig
+    extraContainers:
+      - name: cmp-kubezero-git-sync
         image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
         imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
-        command:
-          - /usr/local/bin/sa2kubeconfig.sh
-          - /home/argocd/.kube/config
+        command: ["/var/run/argocd/argocd-cmp-server"]
         volumeMounts:
-        - mountPath: /home/argocd/.kube
-          name: kubeconfigs
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
         securityContext:
           runAsNonRoot: true
           readOnlyRootFilesystem: true
+          runAsUser: 999
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
           capabilities:
             drop:
             - ALL
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
 
   server:
     # Rename former https port to grpc, works with istio + insecure
@@ -192,6 +192,8 @@ argo-cd:
     path: "/"
     targetRevision: HEAD
     sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
+    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
+    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password
 
 argocd-image-updater:
   enabled: false

charts/kubezero-auth/values.yaml

@@ -19,7 +19,7 @@ keycloak:
   resources:
     limits:
       #cpu: 750m
-      memory: 768Mi
+      memory: 1024Mi
     requests:
       cpu: 100m
       memory: 512Mi

charts/kubezero-mq/Chart.yaml

@@ -17,7 +17,7 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: nats
-    version: 1.3.2
+    version: 1.3.3
     repository: https://nats-io.github.io/k8s/helm/charts/
     condition: nats.enabled
   - name: rabbitmq

charts/kubezero/templates/_app.tpl

@@ -42,6 +42,9 @@ spec:
       - ServerSideApply=true
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
 {{- include (print $name "-argo") $ }}
 {{- end }}
 

charts/kubezero/templates/_aws.tpl

@@ -0,0 +1,30 @@
+{{- define "aws-iam-env" -}}
+- name: AWS_ROLE_ARN
+  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+- name: AWS_STS_REGIONAL_ENDPOINTS
+  value: "regional"
+- name: METADATA_TRIES
+  value: "0"
+- name: AWS_REGION
+  value: {{ $.Values.global.aws.region }}
+{{- end }}
+
+
+{{- define "aws-iam-volumes" -}}
+- name: aws-token
+  projected:
+    sources:
+    - serviceAccountToken:
+        path: token
+        expirationSeconds: 86400
+        audience: "sts.amazonaws.com"
+{{- end }}
+
+
+{{- define "aws-iam-volumemounts" -}}
+- name: aws-token
+  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+  readOnly: true
+{{- end }}

charts/kubezero/templates/addons.yaml

@@ -1,6 +1,6 @@
 {{- define "addons-values" }}
 clusterBackup:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }}
 
   {{- with omit .Values.addons.clusterBackup "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -14,7 +14,7 @@ clusterBackup:
   {{- end }}
 
 forseti:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }}
 
   {{- with omit .Values.addons.forseti "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -28,7 +28,7 @@ forseti:
   {{- end }}
 
 external-dns:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }}
 
   {{- with omit (index .Values "addons" "external-dns") "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -42,32 +42,15 @@ external-dns:
     - "--aws-zone-type=public"
     - "--aws-zones-cache-duration=1h"
   env:
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 cluster-autoscaler:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
 
   autoDiscovery:
     clusterName: {{ .Values.global.clusterName }}
@@ -98,17 +81,9 @@ cluster-autoscaler:
     AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
     AWS_STS_REGIONAL_ENDPOINTS: "regional"
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 {{- with .Values.addons.fuseDevicePlugin }}
@@ -155,14 +130,7 @@ aws-node-termination-handler:
   queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
   managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}
 
 aws-eks-asg-rolling-update-handler:
   enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@@ -172,10 +140,9 @@ aws-eks-asg-rolling-update-handler:
   {{- end }}
 
   environmentVars:
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
     - name: CLUSTER_NAME
       value: {{ .Values.global.clusterName }}
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
     - name: EXECUTION_INTERVAL
       value: "60"
     - name: METRICS
@@ -184,12 +151,6 @@ aws-eks-asg-rolling-update-handler:
       value: "true"
     - name: SLOW_MODE
       value: "true"
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
 
 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:

charts/kubezero/templates/argo.yaml

@@ -23,11 +23,51 @@ argo-cd:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
   repoServer:
-    metrics:
-      enabled: {{ .Values.metrics.enabled }}
     {{- with index .Values "argo" "argo-cd" "repoServer" }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+    {{- if eq .Values.global.platform "aws" }}
+      {{- include "aws-iam-volumes" . | nindent 6 }}
+
+    env:
+      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
+    volumeMounts:
+      {{- include "aws-iam-volumemounts" . | nindent 6 }}
+
+    extraContainers:
+      - name: cmp-kubezero-git-sync
+        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
+        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        env:
+          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+          {{- include "aws-iam-volumemounts" . | nindent 10 }}
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    {{- end }}
+
   server:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
@@ -51,30 +91,13 @@ argocd-image-updater:
   {{- toYaml . | nindent 2 }}
   {{- end }}
 
-  {{- if .Values.global.aws }}
+  {{- if eq .Values.global.platform "aws" }}
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
+    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
   volumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   volumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
   metrics:

charts/kubezero/templates/metrics.yaml

@@ -1,6 +1,6 @@
 {{- define "_kube-prometheus-stack" }}
 
-{{- if .global.aws.region }}
+{{- if eq .global.platform "aws" }}
 alertmanager:
   alertmanagerSpec:
     podMetadata:

charts/kubezero/values.yaml

@@ -6,7 +6,9 @@ global:
 
   highAvailable: false
 
-  aws: {}
+  aws:
+    accountId: "123456789012"
+    region: the-moon
   gcp: {}
 
 addons:
@@ -115,7 +117,7 @@ logging:
 argo:
   enabled: false
   namespace: argocd
-  targetRevision: 0.3.1
+  targetRevision: 0.3.2
   argo-cd:
     enabled: false
     istio:

scripts/lib-update.sh

@@ -18,7 +18,7 @@ update_jsonnet() {
 
 update_helm() {
   #helm repo update
-  helm dep build
+  helm dep update
 }
 
 # AWS public ECR