chore(deps): update kubezero-storage-dependencies

9725c2ef fix: ensure we dont remove rc builds

git-subtree-dir: .ci
git-subtree-split: 9725c2ef8842467951ec60adb1b45dfeca7618f5

.ci/README.md

@@ -14,7 +14,7 @@ include .ci/podman.mk
 
 Add subtree to your project:
 ```
-git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash
 ```
 
 

.ci/ecr_public_lifecycle.py

@@ -41,7 +41,8 @@ for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
         _delete = True
         for tag in image["imageTags"]:
             # Look for at least one tag NOT beign a SemVer dev tag
-            if "-" not in tag:
+            # untagged dev builds get tagged as <tag>-g<commit>
+            if "-g" not in tag and "dirty" not in tag:
                 _delete = False
         if _delete:
             print("Deleting development image {}".format(image["imageTags"]))

.ci/podman.mk

@@ -8,8 +8,8 @@ SHELL := bash
 .PHONY: all # All targets are accessible for user
 .DEFAULT: help # Running Make will run the help target
 
-# Parse version from latest git semver tag
-GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+# Parse version from latest git semver tag, use short commit otherwise
+GIT_TAG ?= $(shell git describe --tags --match v*.*.* --dirty 2>/dev/null || git describe --match="" --always --dirty 2>/dev/null)
 GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 
 TAG ::= $(GIT_TAG)
@@ -85,7 +85,7 @@ rm-image:
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
+	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash -m "Merge latest ci-tools-lib"
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

Dockerfile

@@ -5,9 +5,9 @@ FROM docker.io/alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31
 
-ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.1"
-ARG HELM_SECRETS_VERSION="4.6.2"
+ARG SOPS_VERSION="3.10.1"
+ARG VALS_VERSION="0.40.1"
+ARG HELM_SECRETS_VERSION="4.6.3"
 
 RUN cd /etc/apk/keys && \
     wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
@@ -24,6 +24,7 @@ RUN cd /etc/apk/keys && \
       py3-yaml \
       restic \
       helm \
+      apache2-utils \
       ytt@testing \
       etcd-ctl@edge-community \
       cri-tools@kubezero \

README.md

@@ -19,7 +19,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform
 
 # Version / Support Matrix
 KubeZero releases track the same *minor* version of Kubernetes.
-Any 1.30.X-Y release of Kubezero supports any Kubernetes cluster 1.30.X.
+Any 1.31.X-Y release of Kubezero supports any Kubernetes cluster 1.31.X.
 
 KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed.
 
@@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo
 gantt
     title KubeZero Support Timeline
     dateFormat  YYYY-MM-DD
-    section 1.29
-    beta     :129b, 2024-07-01, 2024-07-31
-    release  :after 129b, 2024-11-30
     section 1.30
     beta     :130b, 2024-09-01, 2024-10-31
-    release  :after 130b, 2025-02-28
+    release  :after 130b, 2025-04-30
     section 1.31
-    beta     :131b, 2024-12-01, 2025-01-30
-    release  :after 131b, 2025-04-30
+    beta     :131b, 2024-12-01, 2025-02-28
+    release  :after 131b, 2025-06-30
+    section 1.32
+    beta     :132b, 2025-04-01, 2025-05-19
+    release  :after 132b, 2025-09-30
 ```
 
 [Upstream release policy](https://kubernetes.io/releases/)
@@ -44,7 +44,7 @@ gantt
 # Components
 
 ## OS
-- all compute nodes are running on Alpine V3.20
+- all compute nodes are running on Alpine V3.21
 - 1 or 2 GB encrypted root file system
 - no external dependencies at boot time, apart from container registries
 - focused on security and minimal footprint

admin/cluster_bootstrap.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eEx
+set -o pipefail
+set -x
+
+VALUES=$1
+
+WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
+[ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# shellcheck disable=SC1091
+. "$SCRIPT_DIR"/libhelm.sh
+CHARTS="$(dirname $SCRIPT_DIR)/charts"
+
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
+fi
+
+
+# Upload values into kubezero-values
+kubectl create ns kubezero || true
+kubectl create cm -n kubezero kubezero-values \
+    --from-file values.yaml=$VALUES || \
+    kubectl get cm -n kubezero kubezero-values -o=yaml | \
+    yq e ".data.\"values.yaml\" |= load_str($1)" | \
+    kubectl replace -f -
+
+### Main
+get_kubezero_values $ARGOCD
+
+# Always use embedded kubezero chart
+helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+
+ARTIFACTS=(network addons cert-manager storage argo)
+
+for t in ${ARTIFACTS[@]}; do
+  _helm crds $t || true
+  _helm apply $t || true
+done

admin/dev_apply.sh

@@ -9,34 +9,23 @@ ARGOCD="${3:-true}"
 
 LOCAL_DEV=1
 
-#VERSION="latest"
-KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
-
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
 
-# Guess platform from current context
-_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
-if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
-  PLATFORM=gke
-elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
-  PLATFORM=aws
-else
-  PLATFORM=nocloud
+KUBE_VERSION="$(get_kube_version)"
+PLATFORM="$(get_kubezero_platform)"
+
+if [ -z "$KUBE_VERSION" ]; then
+  echo "Cannot contact cluster, cannot parse version!"
+  exit 1
 fi
 
-parse_version() {
-  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
-}
-
-KUBE_VERSION=$(parse_version $KUBE_VERSION)
-
-
 ### Main
 get_kubezero_values $ARGOCD
 
@@ -45,6 +34,7 @@ helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $
 
 # Root KubeZero apply directly and exit
 if [ ${ARTIFACTS[0]} == "kubezero" ]; then
+  [ -f $CHARTS/kubezero/hooks.d/pre-install.sh ] && . $CHARTS/kubezero/hooks.d/pre-install.sh
   kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD)
   exit $?
 

admin/hooks-1.31.sh

@@ -14,7 +14,12 @@ pre_control_plane_upgrade_cluster() {
 
 # All things after the first controller / control plane upgrade
 post_control_plane_upgrade_cluster() {
-  echo
+  # delete previous root app controlled by kubezero module
+  kubectl delete application kubezero-git-sync -n argocd || true
+
+  # only patch appproject to keep SyncWindow in place
+  kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true
+  kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
 }
 
 

admin/kubezero.sh

@@ -111,35 +111,42 @@ post_kubeadm() {
 }
 
 
-# Control plane upgrade
-control_plane_upgrade() {
-  CMD=$1
+# Migrate KubeZero Config to current version
+upgrade_kubezero_config() {
+  # get current values, argo app over cm
+  get_kubezero_values $ARGOCD
 
+  # tumble new config through migrate.py
+  migrate_argo_values.py < "$WORKDIR"/kubezero-values.yaml > "$WORKDIR"/new-kubezero-values.yaml \
+    && mv "$WORKDIR"/new-kubezero-values.yaml "$WORKDIR"/kubezero-values.yaml
+
+  update_kubezero_cm
+
+  if [ "$ARGOCD" == "true" ]; then
+    # update argo app
+    export kubezero_chart_version=$(yq .version $CHARTS/kubezero/Chart.yaml)
+    kubectl get application kubezero -n argocd -o yaml | \
+      yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
+      > $WORKDIR/new-argocd-app.yaml
+      kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
+  fi
+}
+
+
+# Control plane upgrade
+kubeadm_upgrade() {
   ARGOCD=$(argo_used)
 
   render_kubeadm upgrade
 
-  if [[ "$CMD" =~ ^(cluster)$ ]]; then
+  # Check if we already have all controllers on the current version
+  OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
+
+  # run control plane upgrade
+  if [ "$OLD_CONTROLLERS" != "0" ]; then
+
     pre_control_plane_upgrade_cluster
 
-    # get current values, argo app over cm
-    get_kubezero_values $ARGOCD
-
-    # tumble new config through migrate.py
-    migrate_argo_values.py < "$WORKDIR"/kubezero-values.yaml > "$WORKDIR"/new-kubezero-values.yaml \
-      && mv "$WORKDIR"/new-kubezero-values.yaml "$WORKDIR"/kubezero-values.yaml
-
-    update_kubezero_cm
-
-    if [ "$ARGOCD" == "true" ]; then
-      # update argo app
-      export kubezero_chart_version=$(yq .version $CHARTS/kubezero/Chart.yaml)
-      kubectl get application kubezero -n argocd -o yaml | \
-        yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
-        > $WORKDIR/new-argocd-app.yaml
-        kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
-    fi
-
     pre_kubeadm
 
     _kubeadm init phase upload-config kubeadm
@@ -155,7 +162,8 @@ control_plane_upgrade() {
 
     echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm."
 
-  elif [[ "$CMD" =~ ^(final)$ ]]; then
+  # All controllers already on current version
+  else
     pre_cluster_upgrade_final
 
     # Finally upgrade addons last, with 1.32 we can ONLY call addon phase
@@ -320,7 +328,7 @@ apply_module() {
   get_kubezero_values $ARGOCD
 
   # Always use embedded kubezero chart
-  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
 
   # CRDs first
   for t in $MODULES; do
@@ -330,6 +338,7 @@ apply_module() {
   for t in $MODULES; do
     # apply/replace app of apps directly
     if [ $t == "kubezero" ]; then
+      [ -f $CHARTS/kubezero/hooks.d/pre-install.sh ] && . $CHARTS/kubezero/hooks.d/pre-install.sh
       kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD)
     else
       #_helm apply $t
@@ -410,12 +419,8 @@ for t in $@; do
     bootstrap) control_plane_node bootstrap;;
     join) control_plane_node join;;
     restore) control_plane_node restore;;
-    kubeadm_upgrade)
-      control_plane_upgrade cluster
-      ;;
-    finalize_cluster_upgrade)
-      control_plane_upgrade final
-      ;;
+    upgrade_control_plane) kubeadm_upgrade;;
+    upgrade_kubezero) upgrade_kubezero_config;;
     apply_*)
       ARGOCD=$(argo_used)
       apply_module "${t##apply_}";;

admin/libhelm.sh

@@ -44,10 +44,53 @@ function field_manager() {
 }
 
 
-function get_kubezero_secret() {
-  export _key="$1"
+function get_kube_version() {
+  local git_version="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
+  echo $([[ $git_version =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
+}
 
-  kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
+
+function get_kubezero_platform() {
+  _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
+  if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
+    PLATFORM=gke
+  elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
+    PLATFORM=aws
+  else
+    PLATFORM=nocloud
+  fi
+  echo $PLATFORM
+}
+
+
+function get_secret_val() {
+  local ns=$1
+  local secret=$2
+  local val=$(kubectl get secret -n $ns $secret -o yaml | yq ".data.\"$3\"")
+
+  if [ "$val" != "null" ]; then
+    echo -n $val | base64 -d -w0
+  else
+    echo ""
+  fi
+}
+
+
+function get_kubezero_secret() {
+  get_secret_val kubezero kubezero-secrets "$1"
+}
+
+function ensure_kubezero_secret_key() {
+  local secret="$(kubectl get secret -n kubezero kubezero-secrets -o yaml)"
+  local key=""
+  local val=""
+
+  for key in $@; do
+    val=$(echo "$secret" | yq ".data.\"$key\"")
+    if [ "$val" == "null" ]; then
+      kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"\" }}"
+    fi
+  done
 }
 
 
@@ -55,7 +98,9 @@ function set_kubezero_secret() {
   local key="$1"
   local val="$2"
 
-  kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
+  if [ -n "$val" ]; then
+    kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n "$val" |base64 -w0)\" }}"
+  fi
 }
 
 
@@ -78,6 +123,7 @@ function update_kubezero_cm() {
     kubectl replace -f -
 }
 
+
 # sync kubezero-values CM from ArgoCD app
 function sync_kubezero_cm_from_argo() {
   get_kubezero_values true
@@ -140,7 +186,7 @@ function delete_ns() {
 
 # Extract crds via helm calls
 function crds() {
-  helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
+  helm template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
 #!/usr/bin/python3
 import yaml
 import sys
@@ -212,7 +258,7 @@ function _helm() {
 
   if [ $action == "crds" ]; then
     # Pre-crd hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-crds.sh)
+    [ -f $WORKDIR/$chart/hooks.d/pre-crds.sh ] && . $WORKDIR/$chart/hooks.d/pre-crds.sh
 
     crds
 
@@ -224,7 +270,7 @@ function _helm() {
     create_ns $namespace
 
     # Optional pre hook
-    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/pre-install.sh)
+    [ -f $WORKDIR/$chart/hooks.d/pre-install.sh ] && . $WORKDIR/$chart/hooks.d/pre-install.sh
 
     render
     [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
@@ -233,7 +279,7 @@ function _helm() {
     [ $action == "apply" -o $rc -ne 0 ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
 
     # Optional post hook
-    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && (cd $WORKDIR; bash ./$chart/hooks.d/post-install.sh)
+    [ -f $WORKDIR/$chart/hooks.d/post-install.sh ] && . $WORKDIR/$chart/hooks.d/post-install.sh
 
   elif [ $action == "delete" ]; then
     render
@@ -246,6 +292,7 @@ function _helm() {
   return 0
 }
 
+
 function all_nodes_upgrade() {
   CMD="$1"
 
@@ -306,7 +353,7 @@ EOF
 }
 
 
-function control_plane_upgrade() {
+function admin_job() {
   TASKS="$1"
 
   [ -z "$KUBE_VERSION" ] && KUBE_VERSION="latest"
@@ -316,7 +363,7 @@ function control_plane_upgrade() {
 apiVersion: v1
 kind: Pod
 metadata:
-  name: kubezero-upgrade
+  name: kubezero-admin-job
   namespace: kube-system
   labels:
     app: kubezero-upgrade
@@ -361,10 +408,10 @@ spec:
   restartPolicy: Never
 EOF
 
-  kubectl wait pod kubezero-upgrade -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null
+  kubectl wait pod kubezero-admin-job -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null
   while true; do
-    kubectl logs kubezero-upgrade -n kube-system -f 2>/dev/null && break
+    kubectl logs kubezero-admin-job -n kube-system -f 2>/dev/null && break
     sleep 3
   done
-  kubectl delete pod kubezero-upgrade -n kube-system
+  kubectl delete pod kubezero-admin-job -n kube-system
 }

admin/upgrade_cluster.sh

@@ -15,37 +15,31 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 ARGOCD=$(argo_used)
 
 echo "Checking that all pods in kube-system are running ..."
-#waitSystemPodsRunning
+waitSystemPodsRunning
 
 [ "$ARGOCD" == "true" ] && disable_argo
 
-# Check if we already have all controllers on the current version
-OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
-
-# All controllers already on current version
-if [ "$OLD_CONTROLLERS" == "0" ]; then
-  control_plane_upgrade finalize_cluster_upgrade
-# Otherwise run control plane upgrade
-else
-  control_plane_upgrade kubeadm_upgrade
-fi
-
-echo "<Return> to continue"
-read -r
+admin_job "upgrade_control_plane, upgrade_kubezero"
 
 #echo "Adjust kubezero values as needed:"
 # shellcheck disable=SC2015
 #[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero
 
+#echo "<Return> to continue"
+#read -r
+
 # upgrade modules
-control_plane_upgrade "apply_network, apply_addons, apply_storage, apply_operators"
+admin_job "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators"
 
 echo "Checking that all pods in kube-system are running ..."
 waitSystemPodsRunning
 
 echo "Applying remaining KubeZero modules..."
 
-control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
+admin_job "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
+
+# we replace the project during v1.31 so disable again
+[ "$ARGOCD" == "true" ] && disable_argo
 
 # Final step is to commit the new argocd kubezero app
 kubectl get app kubezero -n argocd -o yaml | yq 'del(.status) | del(.metadata) | del(.operation) | .metadata.name="kubezero" | .metadata.namespace="argocd"' | yq 'sort_keys(..)' > $ARGO_APP
@@ -57,6 +51,12 @@ while true; do
   sleep 1
 done
 
+echo "Once all controller nodes are running on $KUBE_VERSION, <return> to continue"
+read -r
+
+# Final control plane upgrades
+admin_job "upgrade_control_plane"
+
 echo "Please commit $ARGO_APP as the updated kubezero/application.yaml for your cluster."
 echo "Then head over to ArgoCD for this cluster and sync all KubeZero modules to apply remaining upgrades."
 

charts/kubezero-addons/Chart.yaml

@@ -3,7 +3,7 @@ name: kubezero-addons
 description: KubeZero umbrella chart for various optional cluster addons
 type: application
 version: 0.8.13
-appVersion: v1.30
+appVersion: v1.31
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-argo/.helmignore

@@ -25,3 +25,4 @@
 README.md.gotmpl
 dashboards.yaml
 jsonnet
+update.sh

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.3.0
+version: 0.3.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,15 +18,15 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-events
-    version: 2.4.13
+    version: 2.4.15
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.9
+    version: 7.8.23
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-image-updater
-    version: 0.12.0
+    version: 0.12.1
     repository: https://argoproj.github.io/argo-helm
     condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square)
+![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.9 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.13 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 
 ## Values
@@ -42,6 +42,7 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.configs.params."controller.sync.timeout.seconds" | int | `1800` |  |
 | argo-cd.configs.params."server.enable.gzip" | bool | `true` |  |
 | argo-cd.configs.params."server.insecure" | bool | `true` |  |
+| argo-cd.configs.secret.argocdServerAdminPassword | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword"` |  |
 | argo-cd.configs.secret.createSecret | bool | `false` |  |
 | argo-cd.configs.ssh.extraHosts | string | `"git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="` |  |
 | argo-cd.configs.styles | string | `".sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }\n.sidebar__logo__text-logo { height: 0em; }\n.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }\n"` |  |
@@ -53,30 +54,25 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.5"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.9-1"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
-| argo-cd.kubezero.bootstrap | bool | `false` |  |
+| argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
+| argo-cd.kubezero.password | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password"` |  |
 | argo-cd.kubezero.path | string | `"/"` |  |
-| argo-cd.kubezero.repoUrl | string | `"https://git.my.org/thiscluster"` |  |
+| argo-cd.kubezero.repoUrl | string | `""` |  |
+| argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` |  |
 | argo-cd.kubezero.targetRevision | string | `"HEAD"` |  |
+| argo-cd.kubezero.username | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username"` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
-| argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` |  |
-| argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` |  |
-| argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` |  |
-| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` |  |
-| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` |  |
-| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
-| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
-| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
-| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
+| argo-cd.repoServer.volumes[0].name | string | `"cmp-tmp"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |

charts/kubezero-argo/hooks.d/pre-install.sh

@@ -1,6 +1,26 @@
-#!/bin/sh
+# Bootstrap kubezero-git-sync app only if it doesnt exist yet
+kubectl get application kubezero-git-sync -n argocd || \
+  yq -i '.argo-cd.kubezero.bootstrap=true' $WORKDIR/values.yaml
 
-# Bootstrap kubezero-git-sync app if it doenst exist
-kubectl get application kubezero-git-sync -n argocd && rc=$? || rc=$?
+# Ensure we have an adminPassword or migrate existing one
+PW=$(get_kubezero_secret argo-cd.adminPassword)
+if [ -z "$PW" ]; then
+  # Check for existing password in actual secret
+  NEW_PW=$(get_secret_val argocd argocd-secret "admin.password")
 
-[ $rc != 0 ] && yq -i '.argo-cd.kubezero.bootstrap=true' values.yaml
+  if [ -z "$NEW_PW" ];then
+    ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)
+    NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/')
+
+    set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD
+  fi
+
+  set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
+fi
+
+# Redis secret
+kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
+    --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+# required keys in kubezero-secrets, as --ignore-missing-values in helm-secrets doesnt work with vals ;-(
+ensure_kubezero_secret_key argo-cd.kubezero.username argo-cd.kubezero.password argo-cd.kubezero.sshPrivateKey

charts/kubezero-argo/secrets.yaml

@@ -1,22 +0,0 @@
-# KubeZero secrets
-#
-test: supergeheim
-secrets:
-  - name: argocd-secret
-    optional: false
-    data:
-      admin.password: test
-      admin.passwordMtime: now
-      server.secretkey: boohoo
-  - name: zero-downtime-gitea
-    optional: true
-    data:
-      name: zero-downtime-gitea
-      type: git
-      url: ssh://git@git.zero-downtime.net/quark/kube-grandnagus.git
-      sshPrivateKey: |
-        boohooKey
-      metadata:
-        labels:
-          argocd.argoproj.io/secret-type: repository
-

charts/kubezero-argo/templates/argo-cd/admin-secret.yaml

@@ -0,0 +1,13 @@
+{{- if index .Values "argo-cd" "enabled" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+  namespace: argocd
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
+  admin.passwordMtime: "2006-01-02T15:04:05Z"
+{{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml

@@ -4,6 +4,8 @@ kind: Application
 metadata:
   name: kubezero-git-sync
   namespace: argocd
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
   annotations:
     argocd.argoproj.io/sync-wave: "-20"
 spec:
@@ -17,12 +19,15 @@ spec:
     targetRevision: {{ .targetRevision }}
     path: {{ .path }}
     {{- end }}
-    directory:
-      recurse: true
+    plugin:
+      name: kubezero-git-sync
   syncPolicy:
     automated:
       prune: true
     syncOptions:
       - ServerSideApply=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/"
 {{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml

@@ -0,0 +1,21 @@
+{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubezero-git-sync
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  name: kubezero-git-sync
+  type: git
+  url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
+  username: {{ index .Values "argo-cd" "kubezero" "username" }}
+  password: {{ index .Values "argo-cd" "kubezero" "password" }}
+  {{- else }}
+  sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
+  {{- end }}
+{{- end }}

charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml

@@ -4,6 +4,8 @@ kind: AppProject
 metadata:
   name: kubezero
   namespace: argocd
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
   clusterResourceWhitelist:
   - group: '*'
@@ -15,4 +17,10 @@ spec:
   sourceRepos:
   - https://cdn.zero-downtime.net/charts
   - {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+  syncWindows:
+    - kind: deny
+      schedule: '0 * * * *'
+      duration: 24h
+      namespaces:
+      - '*'
 {{- end }}

charts/kubezero-argo/values.yaml

@@ -25,7 +25,7 @@ argo-events:
       # do NOT use -alpine tag as the entrypoint differs
       versions:
         - version: 2.10.11
-          natsImage: nats:2.10.11-scratch
+          natsImage: nats:2.11.1-scratch
           metricsExporterImage: natsio/prometheus-nats-exporter:0.16.0
           configReloaderImage: natsio/nats-server-config-reloader:0.14.1
           startCommand: /nats-server
@@ -38,7 +38,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.5
+      tag: v2.14.9-1
     networkPolicy:
       create: true
 
@@ -81,10 +81,9 @@ argo-cd:
 
     secret:
       createSecret: false
+
       # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0`
-      # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
-      # argocdServerAdminPassword: "ref+file://secrets.yaml#/test"
-      # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
+      argocdServerAdminPassword: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.adminPassword
 
     ssh:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
@@ -117,14 +116,8 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
-    volumes:
-      - name: kubeconfigs
-        emptyDir: {}
-    volumeMounts:
-    - mountPath: /home/argocd/.kube
-      name: kubeconfigs
-
     # Allow vals to read internal secrets across all namespaces
+    # @ignored
     clusterRoleRules:
       enabled: true
       rules:
@@ -132,6 +125,34 @@ argo-cd:
           resources: ["secrets"]
           verbs: ["get", "watch", "list"]
 
+    # cmp kubezero-git-sync plugin
+    # @ignored
+    extraContainers:
+      - name: cmp-kubezero-git-sync
+        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
+        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+
   server:
     # Rename former https port to grpc, works with istio + insecure
     service:
@@ -163,12 +184,16 @@ argo-cd:
     ipBlocks: []
 
   kubezero:
-    # only set this once initially to prevent the circular dependency
+    # -- deploy the KubeZero Project and GitSync Root App
     bootstrap: false
 
-    repoUrl: "https://git.my.org/thiscluster"
+    # valid git+ssh repository url
+    repoUrl: ""
     path: "/"
     targetRevision: HEAD
+    sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
+    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
+    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password
 
 argocd-image-updater:
   enabled: false

charts/kubezero-auth/values.yaml

@@ -19,7 +19,7 @@ keycloak:
   resources:
     limits:
       #cpu: 750m
-      memory: 768Mi
+      memory: 1024Mi
     requests:
       cpu: 100m
       memory: 512Mi

charts/kubezero-cache/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cache
 description: KubeZero Cache module
 type: application
-version: 0.1.0
+version: 0.1.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,11 +17,11 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: redis
-    version: 20.0.3
+    version: 20.11.5
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
   - name: redis-cluster
-    version: 11.0.2
+    version: 11.5.0
     repository: https://charts.bitnami.com/bitnami
     condition: redis-cluster.enabled
 

charts/kubezero-graph/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-graph
 description: KubeZero GraphQL and GraphDB
 type: application
-version: 0.1.0
+version: 0.1.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,7 +16,7 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: neo4j
-    version: 5.26.0
+    version: 2025.3.0
     repository: https://helm.neo4j.com/neo4j
     condition: neo4j.enabled
 

charts/kubezero-graph/README.md

@@ -1,6 +1,6 @@
 # kubezero-graph
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero GraphQL and GraphDB
 
@@ -18,8 +18,8 @@ Kubernetes: `>= 1.29.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.2.1 |
-| https://helm.neo4j.com/neo4j | neo4j | 5.26.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
+| https://helm.neo4j.com/neo4j | neo4j | 2025.3.0 |
 
 ## Values
 
@@ -28,6 +28,8 @@ Kubernetes: `>= 1.29.0-0`
 | neo4j.disableLookups | bool | `true` |  |
 | neo4j.enabled | bool | `false` |  |
 | neo4j.neo4j.name | string | `"test-db"` |  |
+| neo4j.neo4j.password | string | `"secret"` |  |
+| neo4j.neo4j.passwordFromSecret | string | `"neo4j-admin"` |  |
 | neo4j.serviceMonitor.enabled | bool | `false` |  |
 | neo4j.services.neo4j.enabled | bool | `false` |  |
 | neo4j.volumes.data.mode | string | `"defaultStorageClass"` |  |

charts/kubezero-mq/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-mq
 description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 type: application
-version: 0.3.10
+version: 0.3.11
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,11 +17,11 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: nats
-    version: 1.2.2
+    version: 1.3.3
     repository: https://nats-io.github.io/k8s/helm/charts/
     condition: nats.enabled
   - name: rabbitmq
-    version: 14.6.6
+    version: 14.7.0
     repository: https://charts.bitnami.com/bitnami
     condition: rabbitmq.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-mq/README.md

@@ -1,6 +1,6 @@
 # kubezero-mq
 
-![Version: 0.3.10](https://img.shields.io/badge/Version-0.3.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.11](https://img.shields.io/badge/Version-0.3.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 
@@ -18,9 +18,9 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.bitnami.com/bitnami | rabbitmq | 14.6.6 |
-| https://nats-io.github.io/k8s/helm/charts/ | nats | 1.2.2 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
+| https://charts.bitnami.com/bitnami | rabbitmq | 14.7.0 |
+| https://nats-io.github.io/k8s/helm/charts/ | nats | 1.3.3 |
 
 ## Values
 
@@ -34,13 +34,6 @@ Kubernetes: `>= 1.26.0`
 | nats.natsBox.enabled | bool | `false` |  |
 | nats.promExporter.enabled | bool | `false` |  |
 | nats.promExporter.podMonitor.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
-| rabbitmq-cluster-operator.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
-| rabbitmq-cluster-operator.rabbitmqImage.tag | string | `"3.11.4-debian-11-r0"` |  |
-| rabbitmq-cluster-operator.useCertManager | bool | `true` |  |
 | rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` |  |
 | rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` |  |
 | rabbitmq.auth.tls.enabled | bool | `false` |  |

charts/kubezero-mq/templates/nats/grafana-dashboards.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.nats.exporter.serviceMonitor.enabled }}
+{{- if .Values.nats.promExporter.podMonitor.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/kubezero-mq/values.yaml

@@ -6,6 +6,12 @@ nats:
     jetstream:
       enabled: true
 
+  podTemplate:
+    topologySpreadConstraints:
+      kubernetes.io/hostname:
+        maxSkew: 1
+        whenUnsatisfiable: DoNotSchedule
+
   natsBox:
     enabled: false
 

charts/kubezero-storage/Chart.yaml

@@ -24,7 +24,7 @@ dependencies:
     condition: lvm-localpv.enabled
     repository: https://openebs.github.io/lvm-localpv
   - name: aws-ebs-csi-driver
-    version: 2.41.0
+    version: 2.42.0
     condition: aws-ebs-csi-driver.enabled
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver

charts/kubezero/.helmignore

@@ -21,4 +21,8 @@
 .idea/
 *.tmproj
 .vscode/
-Chart.lock
+
+README.md.gotmpl
+dashboards.yaml
+jsonnet
+update.sh

charts/kubezero/README.md

@@ -35,11 +35,10 @@ Kubernetes: `>= 1.31.0-0`
 | addons.targetRevision | string | `"0.8.13"` |  |
 | argo.argo-cd.enabled | bool | `false` |  |
 | argo.argo-cd.istio.enabled | bool | `false` |  |
-| argo.argocd-apps.enabled | bool | `false` |  |
 | argo.argocd-image-updater.enabled | bool | `false` |  |
 | argo.enabled | bool | `false` |  |
 | argo.namespace | string | `"argocd"` |  |
-| argo.targetRevision | string | `"0.2.9"` |  |
+| argo.targetRevision | string | `"0.3.1"` |  |
 | cert-manager.enabled | bool | `false` |  |
 | cert-manager.namespace | string | `"cert-manager"` |  |
 | cert-manager.targetRevision | string | `"0.9.12"` |  |

charts/kubezero/docs/applicationSet.yaml

@@ -1,41 +0,0 @@
-kind: ApplicationSet
-metadata:
-  name: kubezero
-  namespace: argocd
-  labels:
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
-spec:
-  generators:
-  - git:
-      repoURL: {{ .Values.kubezero.applicationSet.repoURL }}
-      revision: {{ .Values.kubezero.applicationSet.revision }}
-      files:
-      {{- toYaml .Values.kubezero.applicationSet.files | nindent 6 }}
-  template:
-    metadata:
-      name: kubezero
-    spec:
-      project: kubezero
-      source:
-        repoURL: https://cdn.zero-downtime.net/charts
-        chart: kubezero
-        targetRevision: '{{ "{{" }} kubezero.version {{ "}}" }}'
-        helm:
-          parameters:
-          # We use this to detect if we are called from ArgoCD
-          - name: argocdAppName
-            value: $ARGOCD_APP_NAME
-          # This breaks the recursion, otherwise we install another kubezero project and app
-          # To be removed once we applicationSet is working and AppProject is moved back to ArgoCD chart
-          - name: installKubeZero
-            value: "false"
-          valueFiles:
-          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/kubezero.yaml'
-          - '{{ "{{" }} kubezero.valuesPath {{ "}}" }}/values.yaml'
-
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: argocd
-      syncPolicy:
-        automated:
-          prune: true

charts/kubezero/hooks.d/pre-install.sh

@@ -0,0 +1,6 @@
+# ensure we have a basic kubezero secret for cluster bootstrap and defaults
+kubectl get secret kubezero-secrets -n kubezero && rc=$? || rc=$?
+
+if [ $rc != 0 ]; then
+  kubectl create secret generic kubezero-secrets -n kubezero
+fi

charts/kubezero/scripts/remove_argo_ns.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-ns=$(kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}')
-
-for n in $ns; do
-  kubectl label --overwrite namespace $n 'argocd.argoproj.io/instance-'
-done

charts/kubezero/scripts/remove_old_eck.sh

@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
-
-# Script to migrate an existing ECK 1.2.1 installation to Helm. 
-
-set -euo pipefail
-
-RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"}
-
-echo "Uninstalling ECK"
-kubectl delete -n "${RELEASE_NAMESPACE}" \
-    serviceaccount/elastic-operator \
-    secret/elastic-webhook-server-cert \
-    clusterrole.rbac.authorization.k8s.io/elastic-operator \
-    clusterrole.rbac.authorization.k8s.io/elastic-operator-view \
-    clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \
-    clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \
-    rolebinding.rbac.authorization.k8s.io/elastic-operator \
-    service/elastic-webhook-server \
-    statefulset.apps/elastic-operator \
-    validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co
-

charts/kubezero/templates/_app.tpl

@@ -25,7 +25,8 @@ spec:
     repoURL: {{ default "https://cdn.zero-downtime.net/charts" (index .Values $name "repository") }}
     targetRevision: {{ default "HEAD" ( index .Values $name "targetRevision" ) | quote }}
     helm:
-      skipTests: true
+      # add with 1.32
+      #skipTests: true
       valuesObject:
         {{- include (print $name "-values") $ | nindent 8 }}
 
@@ -41,6 +42,9 @@ spec:
       - ServerSideApply=true
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
+  info:
+    - name: "Source:"
+      value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
 {{- include (print $name "-argo") $ }}
 {{- end }}
 

charts/kubezero/templates/_aws.tpl

@@ -0,0 +1,30 @@
+{{- define "aws-iam-env" -}}
+- name: AWS_ROLE_ARN
+  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+- name: AWS_STS_REGIONAL_ENDPOINTS
+  value: "regional"
+- name: METADATA_TRIES
+  value: "0"
+- name: AWS_REGION
+  value: {{ $.Values.global.aws.region }}
+{{- end }}
+
+
+{{- define "aws-iam-volumes" -}}
+- name: aws-token
+  projected:
+    sources:
+    - serviceAccountToken:
+        path: token
+        expirationSeconds: 86400
+        audience: "sts.amazonaws.com"
+{{- end }}
+
+
+{{- define "aws-iam-volumemounts" -}}
+- name: aws-token
+  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+  readOnly: true
+{{- end }}

charts/kubezero/templates/addons.yaml

@@ -1,6 +1,6 @@
 {{- define "addons-values" }}
 clusterBackup:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }}
 
   {{- with omit .Values.addons.clusterBackup "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -14,7 +14,7 @@ clusterBackup:
   {{- end }}
 
 forseti:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }}
 
   {{- with omit .Values.addons.forseti "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -28,7 +28,7 @@ forseti:
   {{- end }}
 
 external-dns:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }}
 
   {{- with omit (index .Values "addons" "external-dns") "enabled" }}
   {{- toYaml . | nindent 2 }}
@@ -42,32 +42,15 @@ external-dns:
     - "--aws-zone-type=public"
     - "--aws-zones-cache-duration=1h"
   env:
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 cluster-autoscaler:
-  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
 
   autoDiscovery:
     clusterName: {{ .Values.global.clusterName }}
@@ -98,17 +81,9 @@ cluster-autoscaler:
     AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
     AWS_STS_REGIONAL_ENDPOINTS: "regional"
   extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
 {{- with .Values.addons.fuseDevicePlugin }}
@@ -155,14 +130,7 @@ aws-node-termination-handler:
   queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
   managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}
 
 aws-eks-asg-rolling-update-handler:
   enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@@ -172,10 +140,9 @@ aws-eks-asg-rolling-update-handler:
   {{- end }}
 
   environmentVars:
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
     - name: CLUSTER_NAME
       value: {{ .Values.global.clusterName }}
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
     - name: EXECUTION_INTERVAL
       value: "60"
     - name: METRICS
@@ -184,12 +151,6 @@ aws-eks-asg-rolling-update-handler:
       value: "true"
     - name: SLOW_MODE
       value: "true"
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
 
 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:

charts/kubezero/templates/argo.yaml

@@ -23,11 +23,51 @@ argo-cd:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
   repoServer:
-    metrics:
-      enabled: {{ .Values.metrics.enabled }}
     {{- with index .Values "argo" "argo-cd" "repoServer" }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+    {{- if eq .Values.global.platform "aws" }}
+      {{- include "aws-iam-volumes" . | nindent 6 }}
+
+    env:
+      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
+    volumeMounts:
+      {{- include "aws-iam-volumemounts" . | nindent 6 }}
+
+    extraContainers:
+      - name: cmp-kubezero-git-sync
+        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
+        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        env:
+          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+          {{- include "aws-iam-volumemounts" . | nindent 10 }}
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    {{- end }}
+
   server:
     metrics:
       enabled: {{ .Values.metrics.enabled }}
@@ -51,30 +91,13 @@ argocd-image-updater:
   {{- toYaml . | nindent 2 }}
   {{- end }}
 
-  {{- if .Values.global.aws }}
+  {{- if eq .Values.global.platform "aws" }}
   extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
+    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
   volumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
   volumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
   {{- end }}
 
   metrics:

charts/kubezero/templates/metrics.yaml

@@ -1,6 +1,6 @@
 {{- define "_kube-prometheus-stack" }}
 
-{{- if .global.aws.region }}
+{{- if eq .global.platform "aws" }}
 alertmanager:
   alertmanagerSpec:
     podMetadata:

charts/kubezero/values.yaml

@@ -6,7 +6,9 @@ global:
 
   highAvailable: false
 
-  aws: {}
+  aws:
+    accountId: "123456789012"
+    region: the-moon
   gcp: {}
 
 addons:
@@ -115,7 +117,7 @@ logging:
 argo:
   enabled: false
   namespace: argocd
-  targetRevision: 0.3.0
+  targetRevision: 0.3.2
   argo-cd:
     enabled: false
     istio:

docs/hooks.md

@@ -0,0 +1,11 @@
+# KubeZero Helm hooks
+
+## Abstract
+Scripts within the `hooks.d` folder of each chart are executed at the respective times when the charts are applied via libhelm.
+
+*These hooks do NOT work via ArgoCD*
+
+## Flow
+- hooks are execute as part of the libhelm tasks like `apply`
+- are running with the current kubectl context
+- executed at root working directory, eg. set a value for helm the scripts can edit the `./values.yaml` file.

docs/v1.31.md

@@ -3,6 +3,7 @@
 ## What's new - Major themes
 - all KubeZero and support AMIs based on [Alpine 3.21](https://alpinelinux.org/posts/Alpine-3.21.0-released.html)
 - network policies for ArgoCD
+- Nvidia worker nodes are labeled with detected GPU product code
 - Prometheus upgraded to V3, reducing CPU and memory requirements, see [upstream blog](https://prometheus.io/blog/2024/11/14/prometheus-3-0/)
 
 ## Features and fixes
@@ -10,10 +11,10 @@
 
 ## Version upgrades
 - cilium 1.16.6
-- istio 1.24.2
-- ArgoCD 2.14.3 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
+- istio 1.24.3
+- ArgoCD 2.14.5 [custom ZDT image](https://git.zero-downtime.net/ZeroDownTime/zdt-argocd)
 - Prometheus 3.1.0 / Grafana 11.5.1
-- Nvidia container toolkit 1.17, drivers  565.57.01, Cuda 12.7
+- Nvidia container toolkit 1.17.4, drivers  570.86.15, Cuda 12.8
 
 ## Resources
 - [Kubernetes v1.31 upstream release blog](https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/)