chore(deps): update kubezero-addons-dependencies

2025-04-01 03:02:35 +00:00
18 changed files with 140 additions and 208 deletions
--- a/admin/cluster_bootstrap.sh
+++ b/admin/cluster_bootstrap.sh
@ -1,44 +0,0 @@
 #!/bin/bash
 set -eEx
 set -o pipefail
 set -x
 VALUES=$1
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
 KUBE_VERSION="$(get_kube_version)"
 PLATFORM="$(get_kubezero_platform)"
 if [ -z "$KUBE_VERSION" ]; then
  echo "Cannot contact cluster, cannot parse version!"
  exit 1
 fi
 # Upload values into kubezero-values
 kubectl create ns kubezero || true
 kubectl create cm -n kubezero kubezero-values \
    --from-file values.yaml=$VALUES || \
    kubectl get cm -n kubezero kubezero-values -o=yaml | \
    yq e ".data.\"values.yaml\" |= load_str($1)" | \
    kubectl replace -f -
 ### Main
 get_kubezero_values $ARGOCD
 # Always use embedded kubezero chart
 helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
 ARTIFACTS=(network addons cert-manager storage argo)
 for t in ${ARTIFACTS[@]}; do
  _helm crds $t || true
  _helm apply $t || true
 done
--- a/admin/dev_apply.sh
+++ b/admin/dev_apply.sh
@ -9,23 +9,34 @@ ARGOCD="${3:-true}"
 LOCAL_DEV=1
 #VERSION="latest"
 KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
 WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
 [ -z "$DEBUG" ] && trap 'rm -rf $WORKDIR' ERR EXIT
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 # shellcheck disable=SC1091
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
-KUBE_VERSION="$(get_kube_version)"
+# Guess platform from current context
-PLATFORM="$(get_kubezero_platform)"
+_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
-
+if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
-if [ -z "$KUBE_VERSION" ]; then
+  PLATFORM=gke
-  echo "Cannot contact cluster, cannot parse version!"
+elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
-  exit 1
+  PLATFORM=aws
 else
  PLATFORM=nocloud
 fi
 parse_version() {
  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
 }
 KUBE_VERSION=$(parse_version $KUBE_VERSION)
 ### Main
 get_kubezero_values $ARGOCD
--- a/admin/kubezero.sh
+++ b/admin/kubezero.sh
@ -320,7 +320,7 @@ apply_module() {
  get_kubezero_values $ARGOCD
  # Always use embedded kubezero chart
-  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+  helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
  # CRDs first
  for t in $MODULES; do
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -44,25 +44,6 @@ function field_manager() {
 }
 function get_kube_version() {
  local git_version="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
  echo $([[ $git_version =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
 }
 function get_kubezero_platform() {
  _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
  if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
    PLATFORM=gke
  elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
    PLATFORM=aws
  else
    PLATFORM=nocloud
  fi
  echo $PLATFORM
 }
 function get_secret_val() {
  local ns=$1
  local secret=$2
@ -102,7 +83,6 @@ function get_kubezero_values() {
  fi
 }
 # Overwrite kubezero-values CM with file
 function update_kubezero_cm() {
  kubectl get cm -n kubezero kubezero-values -o=yaml | \
@ -110,7 +90,6 @@ function update_kubezero_cm() {
    kubectl replace -f -
 }
 # sync kubezero-values CM from ArgoCD app
 function sync_kubezero_cm_from_argo() {
  get_kubezero_values true
@ -279,7 +258,6 @@ function _helm() {
  return 0
 }
 function all_nodes_upgrade() {
  CMD="$1"
--- a/charts/kubezero-addons/Chart.yaml
+++ b/charts/kubezero-addons/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-addons
 description: KubeZero umbrella chart for various optional cluster addons
 type: application
-version: 0.8.13
+version: 0.8.14
 appVersion: v1.30
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
@ -21,15 +21,15 @@ maintainers:
    email: stefan@zero-downtime.net
 dependencies:
  - name: external-dns
-    version: 1.15.1
+    version: 1.16.0
    repository: https://kubernetes-sigs.github.io/external-dns/
    condition: external-dns.enabled
  - name: cluster-autoscaler
-    version: 9.46.0
+    version: 9.46.6
    repository: https://kubernetes.github.io/autoscaler
    condition: cluster-autoscaler.enabled
  - name: nvidia-device-plugin
-    version: 0.17.0
+    version: 0.17.1
    # https://github.com/NVIDIA/k8s-device-plugin
    repository: https://nvidia.github.io/k8s-device-plugin
    condition: nvidia-device-plugin.enabled
@ -39,11 +39,11 @@ dependencies:
    repository: oci://public.ecr.aws/neuron #/neuron-helm-chart
    condition: neuron-helm-chart.enabled
  - name: sealed-secrets
-    version: 2.17.1
+    version: 2.17.2
    repository: https://bitnami-labs.github.io/sealed-secrets
    condition: sealed-secrets.enabled
  - name: aws-node-termination-handler
-    version: 0.26.0
+    version: 0.27.0
    repository: "oci://public.ecr.aws/aws-ec2/helm"
    condition: aws-node-termination-handler.enabled
  - name: aws-eks-asg-rolling-update-handler
@ -51,7 +51,7 @@ dependencies:
    repository: https://twin.github.io/helm-charts
    condition: aws-eks-asg-rolling-update-handler.enabled
  - name: py-kube-downscaler
-    version: 0.2.12
+    version: 0.3.2
    repository: https://caas-team.github.io/helm-charts/
    condition: py-kube-downscaler.enabled
 kubeVersion: ">= 1.30.0-0"
--- a/charts/kubezero-argo/Chart.yaml
+++ b/charts/kubezero-argo/Chart.yaml
@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.3.2
+version: 0.3.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -18,15 +18,15 @@ dependencies:
    version: 0.2.1
    repository: https://cdn.zero-downtime.net/charts/
  - name: argo-events
-    version: 2.4.15
+    version: 2.4.14
    repository: https://argoproj.github.io/argo-helm
    condition: argo-events.enabled
  - name: argo-cd
-    version: 7.8.23
+    version: 7.8.13
    repository: https://argoproj.github.io/argo-helm
    condition: argo-cd.enabled
  - name: argocd-image-updater
-    version: 0.12.1
+    version: 0.12.0
    repository: https://argoproj.github.io/argo-helm
    condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.30.0-0"
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@ -1,6 +1,6 @@
 # kubezero-argo
-![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
+![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square)
 KubeZero Argo - Events, Workflow, CD
@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 ## Values
@ -54,7 +54,7 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
 | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
-| argo-cd.global.image.tag | string | `"v2.14.9"` |  |
+| argo-cd.global.image.tag | string | `"v2.14.7"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.global.networkPolicy.create | bool | `true` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
@ -69,6 +69,10 @@ Kubernetes: `>= 1.30.0-0`
 | argo-cd.redisSecretInit.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
 | argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
 | argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@ -18,6 +18,12 @@ if [ -z "$PW" ]; then
  set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi
 # GitSync privateKey
 GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
 if [ -z "$GITKEY" ]; then
  set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
 fi
 # Redis secret
 kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
    --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
--- a/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/admin-secret.yaml
@ -9,5 +9,5 @@ metadata:
 type: Opaque
 stringData:
  admin.password: {{ index .Values "argo-cd" "configs" "secret" "argocdServerAdminPassword" }}
-  admin.passwordMtime: "2006-01-02T15:04:05Z"
+  admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") }}
 {{- end }}
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
@ -1,4 +1,4 @@
-{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
+{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -12,10 +12,5 @@ stringData:
  name: kubezero-git-sync
  type: git
  url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
  username: {{ index .Values "argo-cd" "kubezero" "username" }}
  password: {{ index .Values "argo-cd" "kubezero" "password" }}
  {{- else }}
  sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
  {{- end }}
 {{- end }}
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -38,7 +38,7 @@ argo-cd:
      format: json
    image:
      repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.9
+      tag: v2.14.7
    networkPolicy:
      create: true
@ -116,6 +116,13 @@ argo-cd:
      serviceMonitor:
        enabled: true
    volumes:
      - name: kubeconfigs
        emptyDir: {}
    volumeMounts:
    - mountPath: /home/argocd/.kube
      name: kubeconfigs
    # Allow vals to read internal secrets across all namespaces
    # @ignored
    clusterRoleRules:
@ -125,33 +132,26 @@ argo-cd:
          resources: ["secrets"]
          verbs: ["get", "watch", "list"]
    # cmp vals plugin
    # @ignored
-    extraContainers:
+    initContainers:
-      - name: cmp-vals
+      - name: create-kubeconfig
        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
-        command: ["/var/run/argocd/argocd-cmp-server"]
+        command:
          - /usr/local/bin/sa2kubeconfig.sh
          - /home/argocd/.kube/config
        volumeMounts:
-          - mountPath: /var/run/argocd
+        - mountPath: /home/argocd/.kube
-            name: var-files
+          name: kubeconfigs
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
          - mountPath: /tmp
            name: cmp-tmp
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          runAsUser: 999
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
            - ALL
    volumes:
      - name: cmp-tmp
        emptyDir: {}
  server:
    # Rename former https port to grpc, works with istio + insecure
@ -192,8 +192,6 @@ argo-cd:
    path: "/"
    targetRevision: HEAD
    sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password
 argocd-image-updater:
  enabled: false
--- a/charts/kubezero-auth/values.yaml
+++ b/charts/kubezero-auth/values.yaml
@ -19,7 +19,7 @@ keycloak:
  resources:
    limits:
      #cpu: 750m
-      memory: 1024Mi
+      memory: 768Mi
    requests:
      cpu: 100m
      memory: 512Mi
--- a/charts/kubezero/templates/_aws.tpl
+++ b/charts/kubezero/templates/_aws.tpl
@ -1,30 +0,0 @@
 {{- define "aws-iam-env" -}}
 - name: AWS_ROLE_ARN
  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
 - name: AWS_WEB_IDENTITY_TOKEN_FILE
  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
 - name: AWS_STS_REGIONAL_ENDPOINTS
  value: "regional"
 - name: METADATA_TRIES
  value: "0"
 - name: AWS_REGION
  value: {{ $.Values.global.aws.region }}
 {{- end }}
 {{- define "aws-iam-volumes" -}}
 - name: aws-token
  projected:
    sources:
    - serviceAccountToken:
        path: token
        expirationSeconds: 86400
        audience: "sts.amazonaws.com"
 {{- end }}
 {{- define "aws-iam-volumemounts" -}}
 - name: aws-token
  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  readOnly: true
 {{- end }}
--- a/charts/kubezero/templates/addons.yaml
+++ b/charts/kubezero/templates/addons.yaml
@ -1,6 +1,6 @@
 {{- define "addons-values" }}
 clusterBackup:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}
  {{- with omit .Values.addons.clusterBackup "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -14,7 +14,7 @@ clusterBackup:
  {{- end }}
 forseti:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}
  {{- with omit .Values.addons.forseti "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -28,7 +28,7 @@ forseti:
  {{- end }}
 external-dns:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}
  {{- with omit (index .Values "addons" "external-dns") "enabled" }}
  {{- toYaml . | nindent 2 }}
@ -42,15 +42,32 @@ external-dns:
    - "--aws-zone-type=public"
    - "--aws-zones-cache-duration=1h"
  env:
-    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
+    - name: AWS_REGION
      value: {{ .Values.global.aws.region }}
    - name: AWS_ROLE_ARN
      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"
    - name: METADATA_TRIES
      value: "0"
  extraVolumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 86400
          audience: "sts.amazonaws.com"
  extraVolumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
    readOnly: true
  {{- end }}
 cluster-autoscaler:
-  enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
+  enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
  autoDiscovery:
    clusterName: {{ .Values.global.clusterName }}
@ -81,9 +98,17 @@ cluster-autoscaler:
    AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    AWS_STS_REGIONAL_ENDPOINTS: "regional"
  extraVolumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 86400
          audience: "sts.amazonaws.com"
  extraVolumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
    readOnly: true
  {{- end }}
 {{- with .Values.addons.fuseDevicePlugin }}
@ -130,7 +155,14 @@ aws-node-termination-handler:
  queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
  managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
  extraEnv:
-    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}
+    - name: AWS_ROLE_ARN
      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"
    - name: METADATA_TRIES
      value: "0"
 aws-eks-asg-rolling-update-handler:
  enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@ -140,9 +172,10 @@ aws-eks-asg-rolling-update-handler:
  {{- end }}
  environmentVars:
    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
    - name: CLUSTER_NAME
      value: {{ .Values.global.clusterName }}
    - name: AWS_REGION
      value: {{ .Values.global.aws.region }}
    - name: EXECUTION_INTERVAL
      value: "60"
    - name: METRICS
@ -151,6 +184,12 @@ aws-eks-asg-rolling-update-handler:
      value: "true"
    - name: SLOW_MODE
      value: "true"
    - name: AWS_ROLE_ARN
      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"
 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:
--- a/charts/kubezero/templates/argo.yaml
+++ b/charts/kubezero/templates/argo.yaml
@ -23,51 +23,11 @@ argo-cd:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
  repoServer:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
    {{- with index .Values "argo" "argo-cd" "repoServer" }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    metrics:
      enabled: {{ .Values.metrics.enabled }}
    volumes:
      - name: cmp-tmp
        emptyDir: {}
    {{- if eq .Values.global.platform "aws" }}
      {{- include "aws-iam-volumes" . | nindent 6 }}
    env:
      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
    volumeMounts:
      {{- include "aws-iam-volumemounts" . | nindent 6 }}
    extraContainers:
      - name: cmp-vals
        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
        command: ["/var/run/argocd/argocd-cmp-server"]
        env:
          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
        volumeMounts:
          - mountPath: /var/run/argocd
            name: var-files
          - mountPath: /home/argocd/cmp-server/plugins
            name: plugins
          - mountPath: /tmp
            name: cmp-tmp
          {{- include "aws-iam-volumemounts" . | nindent 10 }}
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          runAsUser: 999
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
            - ALL
    {{- end }}
  server:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
@ -91,13 +51,30 @@ argocd-image-updater:
  {{- toYaml . | nindent 2 }}
  {{- end }}
-  {{- if eq .Values.global.platform "aws" }}
+  {{- if .Values.global.aws }}
  extraEnv:
-    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
+    - name: AWS_ROLE_ARN
      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"
    - name: METADATA_TRIES
      value: "0"
    - name: AWS_REGION
      value: {{ .Values.global.aws.region }}
  volumes:
-    {{- include "aws-iam-volumes" . | nindent 4 }}
+  - name: aws-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 86400
          audience: "sts.amazonaws.com"
  volumeMounts:
-    {{- include "aws-iam-volumemounts" . | nindent 4 }}
+  - name: aws-token
    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
    readOnly: true
  {{- end }}
  metrics:
--- a/charts/kubezero/templates/metrics.yaml
+++ b/charts/kubezero/templates/metrics.yaml
@ -1,6 +1,6 @@
 {{- define "_kube-prometheus-stack" }}
-{{- if eq .global.platform "aws" }}
+{{- if .global.aws.region }}
 alertmanager:
  alertmanagerSpec:
    podMetadata:
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -6,9 +6,7 @@ global:
  highAvailable: false
-  aws:
+  aws: {}
    accountId: "123456789012"
    region: the-moon
  gcp: {}
 addons:
@ -117,7 +115,7 @@ logging:
 argo:
  enabled: false
  namespace: argocd
-  targetRevision: 0.3.2
+  targetRevision: 0.3.1
  argo-cd:
    enabled: false
    istio:
--- a/scripts/lib-update.sh
+++ b/scripts/lib-update.sh
@ -18,7 +18,7 @@ update_jsonnet() {
 update_helm() {
  #helm repo update
-  helm dep update
+  helm dep build
 }
 # AWS public ECR