chore(deps): update helm release rabbitmq to v15

Reviewed-on: #68

admin/cluster_bootstrap.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eEx
+set -o pipefail
+set -x
+
+VALUES=$1
+
+WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
+[ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# shellcheck disable=SC1091
+. "$SCRIPT_DIR"/libhelm.sh
+CHARTS="$(dirname $SCRIPT_DIR)/charts"
+
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
+fi
+
+
+# Upload values into kubezero-values
+kubectl create ns kubezero || true
+kubectl create cm -n kubezero kubezero-values \
+    --from-file values.yaml=$VALUES || \
+    kubectl get cm -n kubezero kubezero-values -o=yaml | \
+    yq e ".data.\"values.yaml\" |= load_str($1)" | \
+    kubectl replace -f -
+
+### Main
+get_kubezero_values $ARGOCD
+
+# Always use embedded kubezero chart
+helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+
+ARTIFACTS=(network addons cert-manager storage argo)
+
+for t in ${ARTIFACTS[@]}; do
+  _helm crds $t || true
+  _helm apply $t || true
+done

admin/dev_apply.sh

@@ -9,34 +9,23 @@ ARGOCD="${3:-true}"
 
 LOCAL_DEV=1
 
-#VERSION="latest"
-KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
-
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
 
-# Guess platform from current context
-_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
-if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
-  PLATFORM=gke
-elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
-  PLATFORM=aws
-else
-  PLATFORM=nocloud
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
 fi
 
-parse_version() {
-  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
-}
-
-KUBE_VERSION=$(parse_version $KUBE_VERSION)
-
-
 ### Main
 get_kubezero_values $ARGOCD
 

admin/kubezero.sh

@@ -320,7 +320,7 @@ apply_module() {
   get_kubezero_values $ARGOCD
 
   # Always use embedded kubezero chart
-  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
 
   # CRDs first
   for t in $MODULES; do

admin/libhelm.sh

@@ -44,6 +44,25 @@ function field_manager() {
 }
 
 
+function get_kube_version() {
+  local git_version="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
+  echo $([[ $git_version =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
+}
+
+
+function get_kubezero_platform() {
+  _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
+  if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
+    PLATFORM=gke
+  elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
+    PLATFORM=aws
+  else
+    PLATFORM=nocloud
+  fi
+  echo $PLATFORM
+}
+
+
 function get_secret_val() {
   local ns=$1
   local secret=$2
@@ -83,6 +102,7 @@ function get_kubezero_values() {
   fi
 }
 
+
 # Overwrite kubezero-values CM with file
 function update_kubezero_cm() {
   kubectl get cm -n kubezero kubezero-values -o=yaml | \
@@ -90,6 +110,7 @@ function update_kubezero_cm() {
     kubectl replace -f -
 }
 
+
 # sync kubezero-values CM from ArgoCD app
 function sync_kubezero_cm_from_argo() {
   get_kubezero_values true
@@ -258,6 +279,7 @@ function _helm() {
   return 0
 }
 
+
 function all_nodes_upgrade() {
   CMD="$1"
 

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.3.1
+version: 0.3.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,15 +18,15 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-events
-    version: 2.4.14
+    version: 2.4.15
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.13
+    version: 7.8.23
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-image-updater
-    version: 0.12.0
+    version: 0.12.1
     repository: https://argoproj.github.io/argo-helm
     condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square)
+![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 
 ## Values
@@ -54,7 +54,7 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.7"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.9"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
@@ -69,10 +69,6 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
-| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
-| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
-| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
-| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |

charts/kubezero-argo/templates/argo-cd/admin-secret.yaml

@@ -9,5 +9,5 @@ metadata:
 type: Opaque
 stringData:
   admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
-  admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") }}
+  admin.passwordMtime: "2006-01-02T15:04:05Z"
 {{- end }}

charts/kubezero-argo/values.yaml

@@ -38,7 +38,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.7
+      tag: v2.14.9
     networkPolicy:
       create: true
 
@@ -116,13 +116,6 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
-    volumes:
-      - name: kubeconfigs
-        emptyDir: {}
-    volumeMounts:
-    - mountPath: /home/argocd/.kube
-      name: kubeconfigs
-
     # Allow vals to read internal secrets across all namespaces
     # @ignored
     clusterRoleRules:
@@ -132,27 +125,6 @@ argo-cd:
           resources: ["secrets"]
           verbs: ["get", "watch", "list"]
 
-    # @ignored
-    initContainers:
-      - name: create-kubeconfig
-        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
-        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
-        command:
-          - /usr/local/bin/sa2kubeconfig.sh
-          - /home/argocd/.kube/config
-        volumeMounts:
-        - mountPath: /home/argocd/.kube
-          name: kubeconfigs
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-            - ALL
-
   server:
     # Rename former https port to grpc, works with istio + insecure
     service:

charts/kubezero-auth/values.yaml

@@ -19,7 +19,7 @@ keycloak:
   resources:
     limits:
       #cpu: 750m
-      memory: 768Mi
+      memory: 1024Mi
     requests:
       cpu: 100m
       memory: 512Mi

charts/kubezero-mq/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
     repository: https://nats-io.github.io/k8s/helm/charts/
     condition: nats.enabled
   - name: rabbitmq
-    version: 15.5.0
+    version: 15.5.1
     repository: https://charts.bitnami.com/bitnami
     condition: rabbitmq.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero/templates/argo.yaml

@@ -25,6 +25,33 @@ argo-cd:
   repoServer:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
+
+    {{- if eq .Values.global.platform "aws" }}
+    env:
+      - name: AWS_ROLE_ARN
+        value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
+      - name: AWS_WEB_IDENTITY_TOKEN_FILE
+        value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+      - name: AWS_STS_REGIONAL_ENDPOINTS
+        value: "regional"
+      - name: METADATA_TRIES
+        value: "0"
+      - name: AWS_REGION
+        value: {{ .Values.global.aws.region }}
+    volumes:
+    - name: aws-token
+      projected:
+        sources:
+        - serviceAccountToken:
+            path: token
+            expirationSeconds: 86400
+            audience: "sts.amazonaws.com"
+    volumeMounts:
+    - name: aws-token
+      mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+      readOnly: true
+    {{- end }}
+
     {{- with index .Values "argo" "argo-cd" "repoServer" }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -51,7 +78,7 @@ argocd-image-updater:
   {{- toYaml . | nindent 2 }}
   {{- end }}
 
-  {{- if .Values.global.aws }}
+  {{- if eq .Values.global.platform "aws" }}
   extraEnv:
     - name: AWS_ROLE_ARN
       value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"

charts/kubezero/values.yaml

@@ -115,7 +115,7 @@ logging:
 argo:
   enabled: false
   namespace: argocd
-  targetRevision: 0.3.1
+  targetRevision: 0.3.2
   argo-cd:
     enabled: false
     istio:

scripts/lib-update.sh

@@ -18,7 +18,7 @@ update_jsonnet() {
 
 update_helm() {
   #helm repo update
-  helm dep build
+  helm dep update
 }
 
 # AWS public ECR