chore(deps): update kubezero-storage-dependencies

Reviewed-on: #59

admin/kubezero.sh

@@ -328,7 +328,10 @@ apply_module() {
   done
 
   for t in $MODULES; do
-    _helm apply $t
+    #_helm apply $t
+
+    # During 1.31 we change the ArgoCD tracking so replace
+    _helm replace $t
   done
 
   echo "Applied KubeZero modules: $MODULES"

admin/libhelm.sh

@@ -2,6 +2,7 @@
 
 # Simulate well-known CRDs being available
 API_VERSIONS="-a monitoring.coreos.com/v1 -a snapshot.storage.k8s.io/v1 -a policy/v1/PodDisruptionBudget -a apiregistration.k8s.io/v1"
+LOCAL_DEV=${LOCAL_DEV:-""}
 
 export HELM_SECRETS_BACKEND="vals"
 

charts/envoy-ratelimit/values.yaml

@@ -17,22 +17,36 @@ failureModeDeny: false
 # - slow: 1 req/s over a minute per sourceIP
 descriptors:
   ingress:
-  - key: speed
+  - key: sourceIp
-    value: slow
+    value: sixtyPerMinute
     descriptors:
     - key: remote_address
       rate_limit:
         unit: minute
         requests_per_unit: 60
+  - key: sourceIp
+    value: tenPerSecond
+    descriptors:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10
 
   privateIngress:
-  - key: speed
+  - key: sourceIp
-    value: slow
+    value: sixtyPerMinute
     descriptors:
     - key: remote_address
       rate_limit:
         unit: minute
         requests_per_unit: 60
+  - key: sourceIp
+    value: tenPerSecond
+    descriptors:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10
 
 metrics:
   enabled: false

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.2.8
+version: 0.2.9
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -22,7 +22,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.2
+    version: 7.8.9
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-apps

charts/kubezero-argo/values.yaml

@@ -106,9 +106,6 @@ argo-cd:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
 
     params:
-      controller.status.processors: 8
-      controller.operation.processors: 4
-      controller.kubectl.parallelism.limit: 8
       controller.resource.health.persist: "false"
       controller.diff.server.side: "true"
       controller.sync.timeout.seconds: 1800

charts/kubezero-ci/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.8.20
+version: 0.8.21
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,19 +18,19 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: gitea
-    version: 10.6.0
+    version: 11.0.0
     repository: https://dl.gitea.io/charts/
     condition: gitea.enabled
   - name: jenkins
-    version: 5.8.16
+    version: 5.8.18
     repository: https://charts.jenkins.io
     condition: jenkins.enabled
   - name: trivy
-    version: 0.11.1
+    version: 0.12.0
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
   - name: renovate
-    version: 39.180.2
+    version: 39.200.0
     repository: https://docs.renovatebot.com/helm-charts
     condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

charts/kubezero-ci/README.md

@@ -1,6 +1,6 @@
 # kubezero-ci
 
-![Version: 0.8.20](https://img.shields.io/badge/Version-0.8.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.21](https://img.shields.io/badge/Version-0.8.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things CI
 
@@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://aquasecurity.github.io/helm-charts/ | trivy | 0.11.1 |
+| https://aquasecurity.github.io/helm-charts/ | trivy | 0.12.0 |
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.1.6 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-| https://charts.jenkins.io | jenkins | 5.8.16 |
+| https://charts.jenkins.io | jenkins | 5.8.18 |
-| https://dl.gitea.io/charts/ | gitea | 10.6.0 |
+| https://dl.gitea.io/charts/ | gitea | 11.0.0 |
-| https://docs.renovatebot.com/helm-charts | renovate | 39.180.2 |
+| https://docs.renovatebot.com/helm-charts | renovate | 39.200.0 |
 
 # Jenkins
 - default build retention 10 builds, 32days
@@ -68,7 +68,8 @@ Kubernetes: `>= 1.25.0`
 | gitea.gitea.metrics.enabled | bool | `false` |  |
 | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` |  |
 | gitea.image.rootless | bool | `true` |  |
-| gitea.image.tag | string | `"1.23.4"` |  |
+| gitea.image.tag | string | `"1.23.5"` |  |
+| gitea.istio.blockApi | bool | `false` |  |
 | gitea.istio.enabled | bool | `false` |  |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | gitea.istio.url | string | `"git.example.com"` |  |
@@ -83,6 +84,7 @@ Kubernetes: `>= 1.25.0`
 | gitea.resources.requests.memory | string | `"320Mi"` |  |
 | gitea.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| gitea.service.http.port | int | `80` |  |
 | gitea.strategy.type | string | `"Recreate"` |  |
 | gitea.test.enabled | bool | `false` |  |
 | jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` |  |
@@ -156,7 +158,7 @@ Kubernetes: `>= 1.25.0`
 | jenkins.serviceAccountAgent.create | bool | `true` |  |
 | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` |  |
 | renovate.cronjob.concurrencyPolicy | string | `"Forbid"` |  |
-| renovate.cronjob.jobBackoffLimit | int | `3` |  |
+| renovate.cronjob.jobBackoffLimit | int | `2` |  |
 | renovate.cronjob.schedule | string | `"0 3 * * *"` |  |
 | renovate.cronjob.successfulJobsHistoryLimit | int | `1` |  |
 | renovate.enabled | bool | `false` |  |

charts/kubezero-ci/charts/jenkins/CHANGELOG.md

@@ -12,6 +12,14 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
 The changelog until v1.5.7 was auto-generated based on git commits.
 Those entries include a reference to the git commit to be able to get more details.
 
+## 5.8.18
+
+Update `jenkins/jenkins` to version `2.492.2-jdk17`
+
+## 5.8.17
+
+Update `kubernetes` to version `4314.v5b_846cf499eb_`
+
 ## 5.8.16
 
 Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`

charts/kubezero-ci/charts/jenkins/Chart.yaml

@@ -1,10 +1,10 @@
 annotations:
   artifacthub.io/category: integration-delivery
   artifacthub.io/changes: |
-    - Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`
+    - Update `jenkins/jenkins` to version `2.492.2-jdk17`
   artifacthub.io/images: |
     - name: jenkins
-      image: docker.io/jenkins/jenkins:2.492.1-jdk17
+      image: docker.io/jenkins/jenkins:2.492.2-jdk17
     - name: k8s-sidecar
       image: docker.io/kiwigrid/k8s-sidecar:1.30.1
     - name: inbound-agent
@@ -18,7 +18,7 @@ annotations:
     - name: support
       url: https://github.com/jenkinsci/helm-charts/issues
 apiVersion: v2
-appVersion: 2.492.1
+appVersion: 2.492.2
 description: 'Jenkins - Build great things at any scale! As the leading open source
   automation server, Jenkins provides over 2000 plugins to support building, deploying
   and automating any project. '
@@ -46,4 +46,4 @@ sources:
 - https://github.com/maorfr/kube-tasks
 - https://github.com/jenkinsci/configuration-as-code-plugin
 type: application
-version: 5.8.16
+version: 5.8.18

charts/kubezero-ci/charts/jenkins/VALUES.md

@@ -165,7 +165,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
 | [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` |
 | [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
-| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4313.va_9b_4fe2a_0e34","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
+| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4314.v5b_846cf499eb_","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
 | [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` |
 | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
 | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |

charts/kubezero-ci/charts/jenkins/values.yaml

@@ -403,7 +403,7 @@ controller:
   # Plugins will be installed during Jenkins controller start
   # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
   installPlugins:
-    - kubernetes:4313.va_9b_4fe2a_0e34
+    - kubernetes:4314.v5b_846cf499eb_
     - workflow-aggregator:600.vb_57cdd26fdd7
     - git:5.7.0
     - configuration-as-code:1932.v75cb_b_f1b_698d

charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml

@@ -1,4 +1,5 @@
-{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }}
+{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks .Values.gitea.istio.blockApi }}
+# Limit access to /api
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -19,6 +20,7 @@ spec:
     to:
     - operation:
         hosts: ["{{ .Values.gitea.istio.url }}"]
+        paths: [ "/api/*" ]
     when:
     - key: connection.sni
       values:

charts/kubezero-ci/templates/gitea/istio-service.yaml

@@ -12,14 +12,15 @@ spec:
   hosts:
   - {{ .Values.gitea.istio.url }}
   http:
-  {{- if .Values.gitea.istio.blockApi }}
+  - name: api
-  - match:
+    match:
     - uri:
-        prefix: /api
+       prefix: /api/
-    directResponse:
+    route:
-      status: 401
+    - destination:
-  {{- end }}
+        host: gitea-http
-  - route:
+  - name: notApi
+    route:
     - destination:
         host: gitea-http
   tcp:

charts/kubezero-ci/values.yaml

@@ -2,7 +2,7 @@ gitea:
   enabled: false
 
   image:
-    tag: 1.23.4
+    tag: 1.23.5
     rootless: true
 
   repliaCount: 1

charts/kubezero-istio-gateway/README.md

@@ -41,6 +41,7 @@ Kubernetes: `>= 1.30.0-0`
 | gateway.service.externalTrafficPolicy | string | `"Local"` |  |
 | gateway.service.type | string | `"NodePort"` |  |
 | gateway.terminationGracePeriodSeconds | int | `120` |  |
+| hardening.preserveExternalRequestId | bool | `false` |  |
 | hardening.rejectUnderscoresHeaders | bool | `true` |  |
 | hardening.unescapeSlashes | bool | `true` |  |
 | proxyProtocol | bool | `true` |  |

charts/kubezero-istio/README.md

@@ -30,17 +30,7 @@ Kubernetes: `>= 1.30.0-0`
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| envoy-ratelimit.descriptors.ingress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
 | envoy-ratelimit.enabled | bool | `false` |  |
-| envoy-ratelimit.failureModeDeny | bool | `false` |  |
-| envoy-ratelimit.localCacheSize | int | `1048576` |  |
-| envoy-ratelimit.log.format | string | `"json"` |  |
-| envoy-ratelimit.log.level | string | `"warn"` |  |
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
 | global.logAsJson | bool | `true` |  |
 | global.variant | string | `"distroless"` |  |

charts/kubezero-metrics/values.yaml

@@ -62,12 +62,8 @@ kube-prometheus-stack:
         memory: 128Mi
 
     admissionWebhooks:
-      patch:
+      certManager:
-        tolerations:
+        enabled: true
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-        nodeSelector:
-          node-role.kubernetes.io/control-plane: ""
 
   nodeExporter:
     enabled: true

charts/kubezero-storage/Chart.yaml

@@ -24,7 +24,7 @@ dependencies:
     condition: lvm-localpv.enabled
     repository: https://openebs.github.io/lvm-localpv
   - name: aws-ebs-csi-driver
-    version: 2.40.3
+    version: 2.41.0
     condition: aws-ebs-csi-driver.enabled
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver

charts/kubezero/templates/_app.tpl

@@ -9,6 +9,10 @@ metadata:
   namespace: argocd
   labels:
     {{- include "kubezero-lib.labels" . | nindent 4 }}
+  {{- with ( index .Values $name "annotations" ) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- if not ( index .Values $name "retain" ) }}
   finalizers:
     - resources-finalizer.argocd.argoproj.io

charts/kubezero/templates/argo.yaml

@@ -2,10 +2,22 @@
 
 argo-cd:
   enabled: {{ default "false" (index .Values "argo" "argo-cd" "enabled") }}
-  {{- with index .Values "argo" "argo-cd" "configs" }}
+
   configs:
+    {{- with index .Values "argo" "argo-cd" "configs" }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    params:
+    {{- if not $.Values.global.highAvailable }}
+      # Reduce load on API server on single node control plane
+      controller.status.processors: 2
+      controller.operation.processors: 1
+      controller.kubectl.parallelism.limit: 1
+    {{- else }}
+      controller.status.processors: 8
+      controller.operation.processors: 4
+      controller.kubectl.parallelism.limit: 4
+    {{- end }}
 
   controller:
     metrics:

charts/kubezero/values.yaml

@@ -115,6 +115,8 @@ logging:
   enabled: false
   namespace: logging
   targetRevision: 0.8.14
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=false
 
 argo:
   enabled: false