chore(deps): update keycloak docker tag to v24.4.10

admin/hooks-1.31.sh

@@ -20,28 +20,20 @@ post_control_plane_upgrade_cluster() {
 
 # All things AFTER all contollers are on the new version
 pre_cluster_upgrade_final() {
-  set +e
 
   if [ "$PLATFORM" == "aws" ];then
     # cleanup aws-iam-authenticator
-    kubectl delete clusterrolebinding aws-iam-authenticator
-    kubectl delete clusterrole aws-iam-authenticator
-    kubectl delete serviceaccount aws-iam-authenticator -n kube-system
-    kubectl delete cm aws-iam-authenticator -n kube-system
-    kubectl delete ds aws-iam-authenticator -n kube-system
-    kubectl delete IAMIdentityMapping kubezero-worker-nodes
-    kubectl delete IAMIdentityMapping kubernetes-admin
-    kubectl delete crd iamidentitymappings.iamauthenticator.k8s.aws
-    kubectl delete secret aws-iam-certs -n kube-system
+    kubectl delete clusterrolebinding aws-iam-authenticator || true
+    kubectl delete clusterrole aws-iam-authenticator || true
+    kubectl delete serviceaccount aws-iam-authenticator -n kube-system || true
+    kubectl delete cm aws-iam-authenticator -n kube-system || true
+    kubectl delete ds aws-iam-authenticator -n kube-system || true
+    kubectl delete IAMIdentityMapping kubezero-worker-nodes || true
+    kubectl delete IAMIdentityMapping kubernetes-admin || true
+    kubectl delete crd iamidentitymappings.iamauthenticator.k8s.aws || true
+
+    kubectl delete secret aws-iam-certs -n kube-system || true
   fi
-
-  # Remove any helm hook related resources
-  kubectl delete rolebinding argo-argocd-redis-secret-init -n argocd
-  kubectl delete sa argo-argocd-redis-secret-init -n argocd
-  kubectl delete role argo-argocd-redis-secret-init -n argocd
-  kubectl delete job argo-argocd-redis-secret-init -n argocd
-
-  set -e
 }
 
 

admin/kubezero.sh

@@ -134,6 +134,9 @@ control_plane_upgrade() {
         yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
         > $WORKDIR/new-argocd-app.yaml
       kubectl replace -f $WORKDIR/new-argocd-app.yaml
+
+      # finally remove annotation to allow argo to sync again
+      kubectl patch app kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
     fi
 
     pre_kubeadm

admin/migrate_argo_values.py

@@ -8,13 +8,6 @@ import yaml
 def migrate(values):
     """Actual changes here"""
 
-    # remove syncOptions from root app
-    try:
-        if values["kubezero"]["syncPolicy"]:
-            values["kubezero"].pop("syncPolicy")
-    except KeyError:
-        pass
-
     return values
 
 

charts/clamav/Chart.yaml

@@ -14,6 +14,6 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
 kubeVersion: ">= 1.26.0"

charts/envoy-ratelimit/.gitignore

@@ -1,3 +0,0 @@
-istioctl
-istio
-istio.zdt

charts/envoy-ratelimit/.helmignore

@@ -1,32 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-
-README.md.gotmpl
-*.patch
-*.sh
-*.py
-
-istioctl
-istio
-istio.zdt

charts/envoy-ratelimit/Chart.yaml

@@ -1,19 +0,0 @@
-apiVersion: v2
-name: envoy-ratelimit
-description: Envoy gobal ratelimiting service - part of KubeZero
-type: application
-version: 0.1.2
-home: https://kubezero.com
-icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
-keywords:
-  - kubezero
-  - envoy
-  - istio
-maintainers:
-  - name: Stefan Reimer
-    email: stefan@zero-downtime.net
-dependencies:
-  - name: kubezero-lib
-    version: 0.2.1
-    repository: https://cdn.zero-downtime.net/charts/
-kubeVersion: ">= 1.31.0-0"

charts/envoy-ratelimit/README.md

@@ -1,37 +0,0 @@
-# envoy-ratelimit
-
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
-
-Envoy gobal ratelimiting service - part of KubeZero
-
-**Homepage:** <https://kubezero.com>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| Stefan Reimer | <stefan@zero-downtime.net> |  |
-
-## Requirements
-
-Kubernetes: `>= 1.31.0-0`
-
-| Repository | Name | Version |
-|------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| descriptors.ingress[0].key | string | `"remote_address"` |  |
-| descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
-| descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
-| descriptors.privateIngress[0].key | string | `"remote_address"` |  |
-| descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
-| descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
-| failureModeDeny | bool | `false` |  |
-| localCacheSize | int | `1048576` |  |
-| log.format | string | `"json"` |  |
-| log.level | string | `"warn"` |  |
-| metrics.enabled | bool | `true` |  |

charts/envoy-ratelimit/README.md.gotmpl

@@ -1,16 +0,0 @@
-{{ template "chart.header" . }}
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}

charts/envoy-ratelimit/templates/deployment.yaml

@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ratelimit
-  namespace: {{ .Release.Namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ratelimit
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: ratelimit
-    spec:
-      containers:
-      - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-        imagePullPolicy: IfNotPresent
-        name: ratelimit
-        command: ["/bin/ratelimit"]
-        env:
-        - name: LOG_LEVEL
-          value: {{ default "WARN" .Values.log.level }}
-        - name: LOG_FORMAT
-          value: {{ default "text" .Values.log.format }}
-        - name: REDIS_SOCKET_TYPE
-          value: tcp
-        - name: REDIS_URL
-          value: ratelimit-valkey:6379
-        - name: USE_PROMETHEUS
-          value: "true"
-        - name: USE_STATSD
-          value: "false"
-        - name: RUNTIME_ROOT
-          value: /data
-        - name: RUNTIME_SUBDIRECTORY
-          value: ratelimit
-        - name: RUNTIME_WATCH_ROOT
-          value: "false"
-        - name: RUNTIME_IGNOREDOTFILES
-          value: "true"
-        - name: LOCAL_CACHE_SIZE_IN_BYTES
-          value: "{{ default 0 .Values.localCacheSize | int }}"
-        ports:
-        - containerPort: 8081
-        #- containerPort: 8080
-        #- containerPort: 6070
-        volumeMounts:
-        - name: ratelimit-config
-          mountPath: /data/ratelimit/config
-        resources:
-          requests:
-            cpu: 50m
-            memory: 32Mi
-          limits:
-            cpu: 1
-            memory: 256Mi
-      volumes:
-      - name: ratelimit-config
-        configMap:
-          name: ratelimit-config

charts/envoy-ratelimit/templates/service.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: ratelimit
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: ratelimit
-spec:
-  ports:
-  #- name: http-port
-  #  port: 8080
-  #  targetPort: 8080
-  #  protocol: TCP
-  - name: grpc-port
-    port: 8081
-    targetPort: 8081
-    protocol: TCP
-  #- name: http-debug
-  #  port: 6070
-  #  targetPort: 6070
-  #  protocol: TCP
-  - name: http-monitoring
-    port: 9090
-    targetPort: 9090
-    protocol: TCP
-  selector:
-    app: ratelimit

charts/envoy-ratelimit/templates/valkey-deployment.yaml

@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ratelimit-valkey
-  namespace: {{ .Release.Namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ratelimit-valkey
-  template:
-    metadata:
-      labels:
-        app: ratelimit-valkey
-    spec:
-      containers:
-      - image: valkey/valkey:8.1-alpine3.21
-        imagePullPolicy: IfNotPresent
-        name: valkey
-        ports:
-        - name: valkey
-          containerPort: 6379
-      restartPolicy: Always
-      serviceAccountName: ""

charts/envoy-ratelimit/templates/valkey-service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: ratelimit-valkey
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: ratelimit-valkey
-spec:
-  ports:
-  - name: valkey
-    port: 6379
-  selector:
-    app: ratelimit-valkey

charts/envoy-ratelimit/update.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-set -ex
-
-. ../../scripts/lib-update.sh
-
-#login_ecr_public
-update_helm
-
-update_docs

charts/envoy-ratelimit/values.yaml

@@ -1,38 +0,0 @@
-image:
-  repository: envoyproxy/ratelimit
-  # see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
-  tag: 80b15778
-
-log:
-  level: warn
-  format: json
-
-# 1MB local cache for already reached limits to reduce calls to Redis
-localCacheSize: 1048576
-
-# Wether to block requests if ratelimiting is down
-failureModeDeny: false
-
-# rate limit descriptors for each domain
-# - slow: 1 req/s over a minute per sourceIP
-descriptors:
-  ingress:
-  - key: speed
-    value: slow
-    descriptors:
-    - key: remote_address
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
-
-  privateIngress:
-  - key: speed
-    value: slow
-    descriptors:
-    - key: remote_address
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
-
-metrics:
-  enabled: false

charts/kubezero-addons/README.md

@@ -14,7 +14,7 @@ KubeZero umbrella chart for various optional cluster addons
 
 ## Requirements
 
-Kubernetes: `>= 1.30.0-0`
+Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
@@ -94,8 +94,9 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | aws-node-termination-handler.managedTag | string | `"zdt:kubezero:nth:${ClusterName}"` | "zdt:kubezero:nth:${ClusterName}" |
 | aws-node-termination-handler.metadataTries | int | `0` |  |
 | aws-node-termination-handler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
+| aws-node-termination-handler.podMonitor.create | bool | `false` |  |
 | aws-node-termination-handler.queueURL | string | `""` | https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/${ClusterName}_Nth |
-| aws-node-termination-handler.serviceMonitor.create | bool | `false` |  |
+| aws-node-termination-handler.rbac.pspEnabled | bool | `false` |  |
 | aws-node-termination-handler.taintNode | bool | `true` |  |
 | aws-node-termination-handler.tolerations[0].effect | string | `"NoSchedule"` |  |
 | aws-node-termination-handler.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
@@ -109,7 +110,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | cluster-autoscaler.extraArgs.scan-interval | string | `"30s"` |  |
 | cluster-autoscaler.extraArgs.skip-nodes-with-local-storage | bool | `false` |  |
 | cluster-autoscaler.image.repository | string | `"registry.k8s.io/autoscaling/cluster-autoscaler"` |  |
-| cluster-autoscaler.image.tag | string | `"v1.31.1"` |  |
+| cluster-autoscaler.image.tag | string | `"v1.30.2"` |  |
 | cluster-autoscaler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cluster-autoscaler.podDisruptionBudget | bool | `false` |  |
 | cluster-autoscaler.prometheusRule.enabled | bool | `false` |  |
@@ -158,9 +159,6 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | neuron-helm-chart.enabled | bool | `false` |  |
 | neuron-helm-chart.npd.enabled | bool | `false` |  |
 | nvidia-device-plugin.cdi.nvidiaHookPath | string | `"/usr/bin"` |  |
-| nvidia-device-plugin.config.default | string | `"default"` |  |
-| nvidia-device-plugin.config.map.default | string | `"version: v1\nflags:\n  migStrategy: none"` |  |
-| nvidia-device-plugin.config.map.time-slice-4x | string | `"version: v1\nflags:\n  migStrategy: none\nsharing:\n  timeSlicing:\n    resources:\n    - name: nvidia.com/gpu\n      replicas: 4"` |  |
 | nvidia-device-plugin.deviceDiscoveryStrategy | string | `"nvml"` |  |
 | nvidia-device-plugin.enabled | bool | `false` |  |
 | nvidia-device-plugin.runtimeClassName | string | `"nvidia"` |  |

charts/kubezero-addons/values.yaml

@@ -185,22 +185,6 @@ neuron-helm-chart:
 nvidia-device-plugin:
   enabled: false
 
-  config:
-    default: "default"
-    map:
-      default: |-
-        version: v1
-        flags:
-          migStrategy: none
-      time-slice-4x: |-
-        version: v1
-        flags:
-          migStrategy: none
-        sharing:
-          timeSlicing:
-            resources:
-            - name: nvidia.com/gpu
-              replicas: 4
   cdi:
     nvidiaHookPath: /usr/bin
   deviceDiscoveryStrategy: nvml

charts/kubezero-argo/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
 # Url: https://github.com/argoproj/argo-helm/tree/main/charts
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-events
     version: 2.4.13

charts/kubezero-argo/values.yaml

@@ -106,12 +106,10 @@ argo-cd:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
 
     params:
-      controller.status.processors: 8
-      controller.operation.processors: 4
-      controller.kubectl.parallelism.limit: 8
-      controller.resource.health.persist: "false"
+      controller.status.processors: "10"
+      controller.operation.processors: "5"
       controller.diff.server.side: "true"
-      controller.sync.timeout.seconds: 1800
+      controller.sync.timeout.seconds: "1800"
 
       server.insecure: true
       server.enable.gzip: true
@@ -180,9 +178,6 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
-  redisSecretInit:
-    enabled: false
-
   # redis:
   # We might want to try to keep redis close to the controller
   #   affinity:

charts/kubezero-auth/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-auth
 description: KubeZero umbrella chart for all things Authentication and Identity management
 type: application
-version: 0.6.1
+version: 0.6.2
 appVersion: 26.0.5
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
@@ -14,10 +14,10 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: keycloak
     repository: "oci://registry-1.docker.io/bitnamicharts"
-    version: 24.2.1
+    version: 24.4.10
     condition: keycloak.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-cache/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.2.1"
     repository: https://cdn.zero-downtime.net/charts/
   - name: redis
     version: 20.0.3

charts/kubezero-cert-manager/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: cert-manager
     version: v1.17.1

charts/kubezero-ci/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.8.20
+version: 0.8.19
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -15,22 +15,22 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: gitea
     version: 10.6.0
     repository: https://dl.gitea.io/charts/
     condition: gitea.enabled
   - name: jenkins
-    version: 5.8.16
+    version: 5.7.15
     repository: https://charts.jenkins.io
     condition: jenkins.enabled
   - name: trivy
-    version: 0.11.1
+    version: 0.9.0
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
   - name: renovate
-    version: 39.180.2
+    version: 39.33.1
     repository: https://docs.renovatebot.com/helm-charts
     condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

charts/kubezero-ci/README.md

@@ -1,6 +1,6 @@
 # kubezero-ci
 
-![Version: 0.8.20](https://img.shields.io/badge/Version-0.8.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.19](https://img.shields.io/badge/Version-0.8.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things CI
 
@@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://aquasecurity.github.io/helm-charts/ | trivy | 0.11.1 |
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.1.6 |
-| https://charts.jenkins.io | jenkins | 5.8.16 |
+| https://aquasecurity.github.io/helm-charts/ | trivy | 0.9.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://charts.jenkins.io | jenkins | 5.7.15 |
 | https://dl.gitea.io/charts/ | gitea | 10.6.0 |
-| https://docs.renovatebot.com/helm-charts | renovate | 39.180.2 |
+| https://docs.renovatebot.com/helm-charts | renovate | 39.33.1 |
 
 # Jenkins
 - default build retention 10 builds, 32days
@@ -68,7 +68,7 @@ Kubernetes: `>= 1.25.0`
 | gitea.gitea.metrics.enabled | bool | `false` |  |
 | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` |  |
 | gitea.image.rootless | bool | `true` |  |
-| gitea.image.tag | string | `"1.23.4"` |  |
+| gitea.image.tag | string | `"1.22.3"` |  |
 | gitea.istio.enabled | bool | `false` |  |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | gitea.istio.url | string | `"git.example.com"` |  |
@@ -90,7 +90,6 @@ Kubernetes: `>= 1.25.0`
 | jenkins.agent.containerCap | int | `2` |  |
 | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` |  |
 | jenkins.agent.defaultsProviderTemplate | string | `"podman-aws"` |  |
-| jenkins.agent.garbageCollection.enabled | bool | `true` |  |
 | jenkins.agent.idleMinutes | int | `30` |  |
 | jenkins.agent.image.repository | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` |  |
 | jenkins.agent.image.tag | string | `"v0.7.0"` |  |
@@ -161,8 +160,7 @@ Kubernetes: `>= 1.25.0`
 | renovate.cronjob.successfulJobsHistoryLimit | int | `1` |  |
 | renovate.enabled | bool | `false` |  |
 | renovate.env.LOG_FORMAT | string | `"json"` |  |
-| renovate.renovate.config | string | `"{\n}\n"` |  |
-| renovate.securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
+| renovate.securityContext.fsGroup | int | `1000` |  |
 | trivy.enabled | bool | `false` |  |
 | trivy.persistence.enabled | bool | `true` |  |
 | trivy.persistence.size | string | `"1Gi"` |  |

charts/kubezero-ci/charts/jenkins/CHANGELOG.md

@@ -12,122 +12,6 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
 The changelog until v1.5.7 was auto-generated based on git commits.
 Those entries include a reference to the git commit to be able to get more details.
 
-## 5.8.16
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`
-
-## 5.8.15
-
-Update `kubernetes` to version `4313.va_9b_4fe2a_0e34`
-
-## 5.8.14
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-9`
-
-## 5.8.13
-
-Fix `agentListenerPort` not being updated in `config.xml` when set via Helm values.
-
-## 5.8.12
-
-Update plugin count.
-
-## 5.8.11
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-8`
-
-## 5.8.10
-
-Update `jenkins/jenkins` to version `2.492.1-jdk17`
-
-## 5.8.9
-
-Update `configuration-as-code` to version `1932.v75cb_b_f1b_698d`
-
-## 5.8.8
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.0`
-
-## 5.8.7
-
-Update `configuration-as-code` to version `1929.v036b_5a_e1f123`
-
-## 5.8.6
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.29.1`
-
-## 5.8.5
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-7`
-
-## 5.8.4
-
-Allow setting [automountServiceAccountToken](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting)
-
-## 5.8.3
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.29.0`
-
-## 5.8.2
-
-Update `jenkins/jenkins` to version `2.479.3-jdk17`
-
-## 5.8.1
-
-Update `configuration-as-code` to version `1915.vcdd0a_d0d2625`
-
-## 5.8.0
-
-Add option to publish not-ready addresses in controller service.
-
-## 5.7.27
-
-Update `git` to version `5.7.0`
-
-## 5.7.26
-
-Update `configuration-as-code` to version `1909.vb_b_f59a_27d013`
-
-## 5.7.25
-
-Update `kubernetes` to version `4306.vc91e951ea_eb_d`
-
-## 5.7.24
-
-Update `kubernetes` to version `4304.v1b_39d4f98210`
-
-## 5.7.23
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.4`
-
-## 5.7.22
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.3`
-
-## 5.7.21
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.1`
-
-## 5.7.20
-
-Update `kubernetes` to version `4302.va_756e4b_67715`
-
-## 5.7.19
-
-Update `configuration-as-code` to version `1903.v004d55388f30`
-
-## 5.7.18
-
-Update `kubernetes` to version `4300.vd82c5692b_3a_e`
-
-## 5.7.17
-
-Update `docker.io/bats/bats` to version `1.11.1`
-
-## 5.7.16
-
-Add tpl support for persistence.storageClassName in home-pvc.yaml  and tpl support in controller.ingress parameters(ingressClassName, annotations, hostname) in jenkins-controller-ingress.yaml
-
 ## 5.7.15
 
 Update `jenkins/jenkins` to version `2.479.2-jdk17`

charts/kubezero-ci/charts/jenkins/Chart.yaml

@@ -1,14 +1,14 @@
 annotations:
   artifacthub.io/category: integration-delivery
   artifacthub.io/changes: |
-    - Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`
+    - Update `jenkins/jenkins` to version `2.479.2-jdk17`
   artifacthub.io/images: |
     - name: jenkins
-      image: docker.io/jenkins/jenkins:2.492.1-jdk17
+      image: docker.io/jenkins/jenkins:2.479.2-jdk17
     - name: k8s-sidecar
-      image: docker.io/kiwigrid/k8s-sidecar:1.30.1
+      image: docker.io/kiwigrid/k8s-sidecar:1.28.0
     - name: inbound-agent
-      image: jenkins/inbound-agent:3283.v92c105e0f819-9
+      image: jenkins/inbound-agent:3273.v4cfe589b_fd83-1
   artifacthub.io/license: Apache-2.0
   artifacthub.io/links: |
     - name: Chart Source
@@ -18,9 +18,9 @@ annotations:
     - name: support
       url: https://github.com/jenkinsci/helm-charts/issues
 apiVersion: v2
-appVersion: 2.492.1
+appVersion: 2.479.2
 description: 'Jenkins - Build great things at any scale! As the leading open source
-  automation server, Jenkins provides over 2000 plugins to support building, deploying
+  automation server, Jenkins provides over 1800 plugins to support building, deploying
   and automating any project. '
 home: https://www.jenkins.io/
 icon: https://get.jenkins.io/art/jenkins-logo/logo.svg
@@ -46,4 +46,4 @@ sources:
 - https://github.com/maorfr/kube-tasks
 - https://github.com/jenkinsci/configuration-as-code-plugin
 type: application
-version: 5.8.16
+version: 5.7.15

charts/kubezero-ci/charts/jenkins/README.md

@@ -5,7 +5,7 @@
 [![Releases downloads](https://img.shields.io/github/downloads/jenkinsci/helm-charts/total.svg)](https://github.com/jenkinsci/helm-charts/releases)
 [![Join the chat at https://app.gitter.im/#/room/#jenkins-ci:matrix.org](https://badges.gitter.im/badge.svg)](https://app.gitter.im/#/room/#jenkins-ci:matrix.org)
 
-[Jenkins](https://www.jenkins.io/) is the leading open source automation server, Jenkins provides over 2000 plugins to support building, deploying and automating any project.
+[Jenkins](https://www.jenkins.io/) is the leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project.
 
 This chart installs a Jenkins server which spawns agents on [Kubernetes](http://kubernetes.io) utilizing the [Jenkins Kubernetes plugin](https://plugins.jenkins.io/kubernetes/).
 

charts/kubezero-ci/charts/jenkins/VALUES.md

@@ -8,164 +8,164 @@ The following tables list the configurable parameters of the Jenkins chart and t
 
 | Key | Type | Description | Default |
 |:----|:-----|:---------|:------------|
-| [additionalAgents](./values.yaml#L1199) | object | Configure additional | `{}` |
-| [additionalClouds](./values.yaml#L1224) | object |  | `{}` |
-| [agent.TTYEnabled](./values.yaml#L1105) | bool | Allocate pseudo tty to the side container | `false` |
-| [agent.additionalContainers](./values.yaml#L1152) | list | Add additional containers to the agents | `[]` |
-| [agent.alwaysPullImage](./values.yaml#L998) | bool | Always pull agent container image before build | `false` |
-| [agent.annotations](./values.yaml#L1148) | object | Annotations to apply to the pod | `{}` |
-| [agent.args](./values.yaml#L1099) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
-| [agent.command](./values.yaml#L1097) | string | Command to execute when side container starts | `nil` |
-| [agent.componentName](./values.yaml#L966) | string |  | `"jenkins-agent"` |
-| [agent.connectTimeout](./values.yaml#L1146) | int | Timeout in seconds for an agent to be online | `100` |
-| [agent.containerCap](./values.yaml#L1107) | int | Max number of agents to launch | `10` |
-| [agent.customJenkinsLabels](./values.yaml#L963) | list | Append Jenkins labels to the agent | `[]` |
-| [agent.defaultsProviderTemplate](./values.yaml#L917) | string | The name of the pod template to use for providing default values | `""` |
-| [agent.directConnection](./values.yaml#L969) | bool |  | `false` |
-| [agent.disableDefaultAgent](./values.yaml#L1170) | bool | Disable the default Jenkins Agent configuration | `false` |
-| [agent.enabled](./values.yaml#L915) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
-| [agent.envVars](./values.yaml#L1080) | list | Environment variables for the agent Pod | `[]` |
-| [agent.garbageCollection.enabled](./values.yaml#L1114) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
-| [agent.garbageCollection.namespaces](./values.yaml#L1116) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
-| [agent.garbageCollection.timeout](./values.yaml#L1121) | int | Timeout value for orphaned pods | `300` |
-| [agent.hostNetworking](./values.yaml#L977) | bool | Enables the agent to use the host network | `false` |
-| [agent.idleMinutes](./values.yaml#L1124) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
-| [agent.image.repository](./values.yaml#L956) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
-| [agent.image.tag](./values.yaml#L958) | string | Tag of the image to pull | `"3283.v92c105e0f819-9"` |
-| [agent.imagePullSecretName](./values.yaml#L965) | string | Name of the secret to be used to pull the image | `nil` |
-| [agent.inheritYamlMergeStrategy](./values.yaml#L1144) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
-| [agent.jenkinsTunnel](./values.yaml#L933) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
-| [agent.jenkinsUrl](./values.yaml#L929) | string | Overrides the Kubernetes Jenkins URL | `nil` |
-| [agent.jnlpregistry](./values.yaml#L953) | string | Custom registry used to pull the agent jnlp image from | `nil` |
-| [agent.kubernetesConnectTimeout](./values.yaml#L939) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
-| [agent.kubernetesReadTimeout](./values.yaml#L941) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
-| [agent.livenessProbe](./values.yaml#L988) | object |  | `{}` |
-| [agent.maxRequestsPerHostStr](./values.yaml#L943) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
-| [agent.namespace](./values.yaml#L949) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
-| [agent.nodeSelector](./values.yaml#L1091) | object | Node labels for pod assignment | `{}` |
-| [agent.nodeUsageMode](./values.yaml#L961) | string |  | `"NORMAL"` |
-| [agent.podLabels](./values.yaml#L951) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
-| [agent.podName](./values.yaml#L1109) | string | Agent Pod base name | `"default"` |
-| [agent.podRetention](./values.yaml#L1007) | string |  | `"Never"` |
-| [agent.podTemplates](./values.yaml#L1180) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
-| [agent.privileged](./values.yaml#L971) | bool | Agent privileged container | `false` |
-| [agent.resources](./values.yaml#L979) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
-| [agent.restrictedPssSecurityContext](./values.yaml#L1004) | bool | Set a restricted securityContext on jnlp containers | `false` |
-| [agent.retentionTimeout](./values.yaml#L945) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
-| [agent.runAsGroup](./values.yaml#L975) | string | Configure container group | `nil` |
-| [agent.runAsUser](./values.yaml#L973) | string | Configure container user | `nil` |
-| [agent.secretEnvVars](./values.yaml#L1084) | list | Mount a secret as environment variable | `[]` |
-| [agent.serviceAccount](./values.yaml#L925) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
-| [agent.showRawYaml](./values.yaml#L1011) | bool |  | `true` |
-| [agent.sideContainerName](./values.yaml#L1101) | string | Side container name | `"jnlp"` |
-| [agent.skipTlsVerify](./values.yaml#L935) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
-| [agent.usageRestricted](./values.yaml#L937) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
-| [agent.useDefaultServiceAccount](./values.yaml#L921) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
-| [agent.volumes](./values.yaml#L1018) | list | Additional volumes | `[]` |
-| [agent.waitForPodSec](./values.yaml#L947) | int | Seconds to wait for pod to be running | `600` |
-| [agent.websocket](./values.yaml#L968) | bool | Enables agent communication via websockets | `false` |
-| [agent.workingDir](./values.yaml#L960) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
-| [agent.workspaceVolume](./values.yaml#L1053) | object | Workspace volume (defaults to EmptyDir) | `{}` |
-| [agent.yamlMergeStrategy](./values.yaml#L1142) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
-| [agent.yamlTemplate](./values.yaml#L1131) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
-| [awsSecurityGroupPolicies.enabled](./values.yaml#L1356) | bool |  | `false` |
-| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1358) | string |  | `""` |
-| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1360) | object |  | `{}` |
-| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1359) | list |  | `[]` |
-| [checkDeprecation](./values.yaml#L1353) | bool | Checks if any deprecated values are used | `true` |
+| [additionalAgents](./values.yaml#L1195) | object | Configure additional | `{}` |
+| [additionalClouds](./values.yaml#L1220) | object |  | `{}` |
+| [agent.TTYEnabled](./values.yaml#L1101) | bool | Allocate pseudo tty to the side container | `false` |
+| [agent.additionalContainers](./values.yaml#L1148) | list | Add additional containers to the agents | `[]` |
+| [agent.alwaysPullImage](./values.yaml#L994) | bool | Always pull agent container image before build | `false` |
+| [agent.annotations](./values.yaml#L1144) | object | Annotations to apply to the pod | `{}` |
+| [agent.args](./values.yaml#L1095) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
+| [agent.command](./values.yaml#L1093) | string | Command to execute when side container starts | `nil` |
+| [agent.componentName](./values.yaml#L962) | string |  | `"jenkins-agent"` |
+| [agent.connectTimeout](./values.yaml#L1142) | int | Timeout in seconds for an agent to be online | `100` |
+| [agent.containerCap](./values.yaml#L1103) | int | Max number of agents to launch | `10` |
+| [agent.customJenkinsLabels](./values.yaml#L959) | list | Append Jenkins labels to the agent | `[]` |
+| [agent.defaultsProviderTemplate](./values.yaml#L913) | string | The name of the pod template to use for providing default values | `""` |
+| [agent.directConnection](./values.yaml#L965) | bool |  | `false` |
+| [agent.disableDefaultAgent](./values.yaml#L1166) | bool | Disable the default Jenkins Agent configuration | `false` |
+| [agent.enabled](./values.yaml#L911) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
+| [agent.envVars](./values.yaml#L1076) | list | Environment variables for the agent Pod | `[]` |
+| [agent.garbageCollection.enabled](./values.yaml#L1110) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
+| [agent.garbageCollection.namespaces](./values.yaml#L1112) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
+| [agent.garbageCollection.timeout](./values.yaml#L1117) | int | Timeout value for orphaned pods | `300` |
+| [agent.hostNetworking](./values.yaml#L973) | bool | Enables the agent to use the host network | `false` |
+| [agent.idleMinutes](./values.yaml#L1120) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
+| [agent.image.repository](./values.yaml#L952) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
+| [agent.image.tag](./values.yaml#L954) | string | Tag of the image to pull | `"3273.v4cfe589b_fd83-1"` |
+| [agent.imagePullSecretName](./values.yaml#L961) | string | Name of the secret to be used to pull the image | `nil` |
+| [agent.inheritYamlMergeStrategy](./values.yaml#L1140) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
+| [agent.jenkinsTunnel](./values.yaml#L929) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
+| [agent.jenkinsUrl](./values.yaml#L925) | string | Overrides the Kubernetes Jenkins URL | `nil` |
+| [agent.jnlpregistry](./values.yaml#L949) | string | Custom registry used to pull the agent jnlp image from | `nil` |
+| [agent.kubernetesConnectTimeout](./values.yaml#L935) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
+| [agent.kubernetesReadTimeout](./values.yaml#L937) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
+| [agent.livenessProbe](./values.yaml#L984) | object |  | `{}` |
+| [agent.maxRequestsPerHostStr](./values.yaml#L939) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
+| [agent.namespace](./values.yaml#L945) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
+| [agent.nodeSelector](./values.yaml#L1087) | object | Node labels for pod assignment | `{}` |
+| [agent.nodeUsageMode](./values.yaml#L957) | string |  | `"NORMAL"` |
+| [agent.podLabels](./values.yaml#L947) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
+| [agent.podName](./values.yaml#L1105) | string | Agent Pod base name | `"default"` |
+| [agent.podRetention](./values.yaml#L1003) | string |  | `"Never"` |
+| [agent.podTemplates](./values.yaml#L1176) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
+| [agent.privileged](./values.yaml#L967) | bool | Agent privileged container | `false` |
+| [agent.resources](./values.yaml#L975) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
+| [agent.restrictedPssSecurityContext](./values.yaml#L1000) | bool | Set a restricted securityContext on jnlp containers | `false` |
+| [agent.retentionTimeout](./values.yaml#L941) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
+| [agent.runAsGroup](./values.yaml#L971) | string | Configure container group | `nil` |
+| [agent.runAsUser](./values.yaml#L969) | string | Configure container user | `nil` |
+| [agent.secretEnvVars](./values.yaml#L1080) | list | Mount a secret as environment variable | `[]` |
+| [agent.serviceAccount](./values.yaml#L921) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
+| [agent.showRawYaml](./values.yaml#L1007) | bool |  | `true` |
+| [agent.sideContainerName](./values.yaml#L1097) | string | Side container name | `"jnlp"` |
+| [agent.skipTlsVerify](./values.yaml#L931) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
+| [agent.usageRestricted](./values.yaml#L933) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
+| [agent.useDefaultServiceAccount](./values.yaml#L917) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
+| [agent.volumes](./values.yaml#L1014) | list | Additional volumes | `[]` |
+| [agent.waitForPodSec](./values.yaml#L943) | int | Seconds to wait for pod to be running | `600` |
+| [agent.websocket](./values.yaml#L964) | bool | Enables agent communication via websockets | `false` |
+| [agent.workingDir](./values.yaml#L956) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
+| [agent.workspaceVolume](./values.yaml#L1049) | object | Workspace volume (defaults to EmptyDir) | `{}` |
+| [agent.yamlMergeStrategy](./values.yaml#L1138) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
+| [agent.yamlTemplate](./values.yaml#L1127) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
+| [awsSecurityGroupPolicies.enabled](./values.yaml#L1348) | bool |  | `false` |
+| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1350) | string |  | `""` |
+| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1352) | object |  | `{}` |
+| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1351) | list |  | `[]` |
+| [checkDeprecation](./values.yaml#L1345) | bool | Checks if any deprecated values are used | `true` |
 | [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` |
-| [controller.JCasC.authorizationStrategy](./values.yaml#L543) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n  allowAnonymousRead: false"` |
-| [controller.JCasC.configMapAnnotations](./values.yaml#L548) | object | Annotations for the JCasC ConfigMap | `{}` |
-| [controller.JCasC.configScripts](./values.yaml#L517) | object | List of Jenkins Config as Code scripts | `{}` |
-| [controller.JCasC.configUrls](./values.yaml#L514) | list | Remote URLs for configuration files. | `[]` |
-| [controller.JCasC.defaultConfig](./values.yaml#L508) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
-| [controller.JCasC.overwriteConfiguration](./values.yaml#L512) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
-| [controller.JCasC.security](./values.yaml#L524) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
-| [controller.JCasC.securityRealm](./values.yaml#L532) | string | Jenkins Config as Code Security Realm-section | `"local:\n  allowsSignup: false\n  enableCaptcha: false\n  users:\n  - id: \"${chart-admin-username}\"\n    name: \"Jenkins Admin\"\n    password: \"${chart-admin-password}\""` |
-| [controller.additionalExistingSecrets](./values.yaml#L469) | list | List of additional existing secrets to mount | `[]` |
-| [controller.additionalPlugins](./values.yaml#L419) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
-| [controller.additionalSecrets](./values.yaml#L478) | list | List of additional secrets to create and mount | `[]` |
+| [controller.JCasC.authorizationStrategy](./values.yaml#L539) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n  allowAnonymousRead: false"` |
+| [controller.JCasC.configMapAnnotations](./values.yaml#L544) | object | Annotations for the JCasC ConfigMap | `{}` |
+| [controller.JCasC.configScripts](./values.yaml#L513) | object | List of Jenkins Config as Code scripts | `{}` |
+| [controller.JCasC.configUrls](./values.yaml#L510) | list | Remote URLs for configuration files. | `[]` |
+| [controller.JCasC.defaultConfig](./values.yaml#L504) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
+| [controller.JCasC.overwriteConfiguration](./values.yaml#L508) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
+| [controller.JCasC.security](./values.yaml#L520) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
+| [controller.JCasC.securityRealm](./values.yaml#L528) | string | Jenkins Config as Code Security Realm-section | `"local:\n  allowsSignup: false\n  enableCaptcha: false\n  users:\n  - id: \"${chart-admin-username}\"\n    name: \"Jenkins Admin\"\n    password: \"${chart-admin-password}\""` |
+| [controller.additionalExistingSecrets](./values.yaml#L465) | list | List of additional existing secrets to mount | `[]` |
+| [controller.additionalPlugins](./values.yaml#L415) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
+| [controller.additionalSecrets](./values.yaml#L474) | list | List of additional secrets to create and mount | `[]` |
 | [controller.admin.createSecret](./values.yaml#L91) | bool | Create secret for admin user | `true` |
 | [controller.admin.existingSecret](./values.yaml#L94) | string | The name of an existing secret containing the admin credentials | `""` |
 | [controller.admin.password](./values.yaml#L81) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `<random password>` |
 | [controller.admin.passwordKey](./values.yaml#L86) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` |
 | [controller.admin.userKey](./values.yaml#L84) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` |
 | [controller.admin.username](./values.yaml#L78) | string | Admin username created as a secret if `controller.admin.createSecret` is true | `"admin"` |
-| [controller.affinity](./values.yaml#L670) | object | Affinity settings | `{}` |
-| [controller.agentListenerEnabled](./values.yaml#L328) | bool | Create Agent listener service | `true` |
-| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L338) | string | Traffic Policy of for the agentListener service | `nil` |
-| [controller.agentListenerHostPort](./values.yaml#L332) | string | Host port to listen for agents | `nil` |
-| [controller.agentListenerLoadBalancerIP](./values.yaml#L368) | string | Static IP for the agentListener LoadBalancer | `nil` |
-| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L340) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
-| [controller.agentListenerNodePort](./values.yaml#L334) | string | Node port to listen for agents | `nil` |
-| [controller.agentListenerPort](./values.yaml#L330) | int | Listening port for agents | `50000` |
-| [controller.agentListenerServiceAnnotations](./values.yaml#L363) | object | Annotations for the agentListener service | `{}` |
-| [controller.agentListenerServiceType](./values.yaml#L360) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
-| [controller.backendconfig.annotations](./values.yaml#L773) | object | backendconfig annotations | `{}` |
-| [controller.backendconfig.apiVersion](./values.yaml#L767) | string | backendconfig API version | `"extensions/v1beta1"` |
-| [controller.backendconfig.enabled](./values.yaml#L765) | bool | Enables backendconfig | `false` |
-| [controller.backendconfig.labels](./values.yaml#L771) | object | backendconfig labels | `{}` |
-| [controller.backendconfig.name](./values.yaml#L769) | string | backendconfig name | `nil` |
-| [controller.backendconfig.spec](./values.yaml#L775) | object | backendconfig spec | `{}` |
-| [controller.cloudName](./values.yaml#L497) | string | Name of default cloud configuration. | `"kubernetes"` |
+| [controller.affinity](./values.yaml#L666) | object | Affinity settings | `{}` |
+| [controller.agentListenerEnabled](./values.yaml#L324) | bool | Create Agent listener service | `true` |
+| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L334) | string | Traffic Policy of for the agentListener service | `nil` |
+| [controller.agentListenerHostPort](./values.yaml#L328) | string | Host port to listen for agents | `nil` |
+| [controller.agentListenerLoadBalancerIP](./values.yaml#L364) | string | Static IP for the agentListener LoadBalancer | `nil` |
+| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L336) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
+| [controller.agentListenerNodePort](./values.yaml#L330) | string | Node port to listen for agents | `nil` |
+| [controller.agentListenerPort](./values.yaml#L326) | int | Listening port for agents | `50000` |
+| [controller.agentListenerServiceAnnotations](./values.yaml#L359) | object | Annotations for the agentListener service | `{}` |
+| [controller.agentListenerServiceType](./values.yaml#L356) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
+| [controller.backendconfig.annotations](./values.yaml#L769) | object | backendconfig annotations | `{}` |
+| [controller.backendconfig.apiVersion](./values.yaml#L763) | string | backendconfig API version | `"extensions/v1beta1"` |
+| [controller.backendconfig.enabled](./values.yaml#L761) | bool | Enables backendconfig | `false` |
+| [controller.backendconfig.labels](./values.yaml#L767) | object | backendconfig labels | `{}` |
+| [controller.backendconfig.name](./values.yaml#L765) | string | backendconfig name | `nil` |
+| [controller.backendconfig.spec](./values.yaml#L771) | object | backendconfig spec | `{}` |
+| [controller.cloudName](./values.yaml#L493) | string | Name of default cloud configuration. | `"kubernetes"` |
 | [controller.clusterIp](./values.yaml#L223) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` |
 | [controller.componentName](./values.yaml#L34) | string | Used for label app.kubernetes.io/component | `"jenkins-controller"` |
 | [controller.containerEnv](./values.yaml#L156) | list | Environment variables for Jenkins Container | `[]` |
 | [controller.containerEnvFrom](./values.yaml#L153) | list | Environment variable sources for Jenkins Container | `[]` |
 | [controller.containerSecurityContext](./values.yaml#L211) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` |
-| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L349) | bool | Enable the default CSRF Crumb issuer | `true` |
-| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L351) | bool | Enable proxy compatibility | `true` |
-| [controller.customInitContainers](./values.yaml#L551) | list | Custom init-container specification in raw-yaml format | `[]` |
+| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L345) | bool | Enable the default CSRF Crumb issuer | `true` |
+| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L347) | bool | Enable proxy compatibility | `true` |
+| [controller.customInitContainers](./values.yaml#L547) | list | Custom init-container specification in raw-yaml format | `[]` |
 | [controller.customJenkinsLabels](./values.yaml#L68) | list | Append Jenkins labels to the controller | `[]` |
 | [controller.disableRememberMe](./values.yaml#L59) | bool | Disable use of remember me | `false` |
-| [controller.disabledAgentProtocols](./values.yaml#L343) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
-| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L439) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
+| [controller.disabledAgentProtocols](./values.yaml#L339) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
+| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L435) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
 | [controller.enableServiceLinks](./values.yaml#L130) | bool |  | `false` |
 | [controller.executorMode](./values.yaml#L65) | string | Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" | `"NORMAL"` |
-| [controller.existingSecret](./values.yaml#L466) | string |  | `nil` |
-| [controller.extraPorts](./values.yaml#L398) | list | Optionally configure other ports to expose in the controller container | `[]` |
+| [controller.existingSecret](./values.yaml#L462) | string |  | `nil` |
+| [controller.extraPorts](./values.yaml#L394) | list | Optionally configure other ports to expose in the controller container | `[]` |
 | [controller.fsGroup](./values.yaml#L192) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
-| [controller.googlePodMonitor.enabled](./values.yaml#L836) | bool |  | `false` |
-| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L841) | string |  | `"/prometheus"` |
-| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L839) | string |  | `"60s"` |
-| [controller.healthProbes](./values.yaml#L258) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
-| [controller.hostAliases](./values.yaml#L789) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
+| [controller.googlePodMonitor.enabled](./values.yaml#L832) | bool |  | `false` |
+| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L837) | string |  | `"/prometheus"` |
+| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L835) | string |  | `"60s"` |
+| [controller.healthProbes](./values.yaml#L254) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
+| [controller.hostAliases](./values.yaml#L785) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
 | [controller.hostNetworking](./values.yaml#L70) | bool |  | `false` |
-| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L857) | bool |  | `false` |
-| [controller.httpsKeyStore.enable](./values.yaml#L848) | bool | Enables HTTPS keystore on jenkins controller | `false` |
-| [controller.httpsKeyStore.fileName](./values.yaml#L865) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
-| [controller.httpsKeyStore.httpPort](./values.yaml#L861) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
-| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L856) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
-| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L854) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
-| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L852) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
-| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L850) | string | Name of the secret that already has ssl keystore | `""` |
-| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L870) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
-| [controller.httpsKeyStore.password](./values.yaml#L867) | string | Jenkins keystore password | `"password"` |
-| [controller.httpsKeyStore.path](./values.yaml#L863) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
+| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L853) | bool |  | `false` |
+| [controller.httpsKeyStore.enable](./values.yaml#L844) | bool | Enables HTTPS keystore on jenkins controller | `false` |
+| [controller.httpsKeyStore.fileName](./values.yaml#L861) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
+| [controller.httpsKeyStore.httpPort](./values.yaml#L857) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
+| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L852) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
+| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L850) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
+| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L848) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
+| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L846) | string | Name of the secret that already has ssl keystore | `""` |
+| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L866) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
+| [controller.httpsKeyStore.password](./values.yaml#L863) | string | Jenkins keystore password | `"password"` |
+| [controller.httpsKeyStore.path](./values.yaml#L859) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
 | [controller.image.pullPolicy](./values.yaml#L47) | string | Controller image pull policy | `"Always"` |
 | [controller.image.registry](./values.yaml#L37) | string | Controller image registry | `"docker.io"` |
 | [controller.image.repository](./values.yaml#L39) | string | Controller image repository | `"jenkins/jenkins"` |
 | [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk17" | `nil` |
 | [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk17"` |
 | [controller.imagePullSecretName](./values.yaml#L49) | string | Controller image pull secret | `nil` |
-| [controller.ingress.annotations](./values.yaml#L712) | object | Ingress annotations | `{}` |
-| [controller.ingress.apiVersion](./values.yaml#L708) | string | Ingress API version | `"extensions/v1beta1"` |
-| [controller.ingress.enabled](./values.yaml#L691) | bool | Enables ingress | `false` |
-| [controller.ingress.hostName](./values.yaml#L725) | string | Ingress hostname | `nil` |
-| [controller.ingress.labels](./values.yaml#L710) | object | Ingress labels | `{}` |
-| [controller.ingress.path](./values.yaml#L721) | string | Ingress path | `nil` |
-| [controller.ingress.paths](./values.yaml#L695) | list | Override for the default Ingress paths | `[]` |
-| [controller.ingress.resourceRootUrl](./values.yaml#L727) | string | Hostname to serve assets from | `nil` |
-| [controller.ingress.tls](./values.yaml#L729) | list | Ingress TLS configuration | `[]` |
-| [controller.initConfigMap](./values.yaml#L456) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
+| [controller.ingress.annotations](./values.yaml#L708) | object | Ingress annotations | `{}` |
+| [controller.ingress.apiVersion](./values.yaml#L704) | string | Ingress API version | `"extensions/v1beta1"` |
+| [controller.ingress.enabled](./values.yaml#L687) | bool | Enables ingress | `false` |
+| [controller.ingress.hostName](./values.yaml#L721) | string | Ingress hostname | `nil` |
+| [controller.ingress.labels](./values.yaml#L706) | object | Ingress labels | `{}` |
+| [controller.ingress.path](./values.yaml#L717) | string | Ingress path | `nil` |
+| [controller.ingress.paths](./values.yaml#L691) | list | Override for the default Ingress paths | `[]` |
+| [controller.ingress.resourceRootUrl](./values.yaml#L723) | string | Hostname to serve assets from | `nil` |
+| [controller.ingress.tls](./values.yaml#L725) | list | Ingress TLS configuration | `[]` |
+| [controller.initConfigMap](./values.yaml#L452) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
 | [controller.initContainerEnv](./values.yaml#L147) | list | Environment variables for Init Container | `[]` |
 | [controller.initContainerEnvFrom](./values.yaml#L143) | list | Environment variable sources for Init Container | `[]` |
 | [controller.initContainerResources](./values.yaml#L134) | object | Resources allocation (Requests and Limits) for Init Container | `{}` |
-| [controller.initScripts](./values.yaml#L452) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
-| [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
-| [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` |
-| [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
-| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4313.va_9b_4fe2a_0e34","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
+| [controller.initScripts](./values.yaml#L448) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
+| [controller.initializeOnce](./values.yaml#L420) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
+| [controller.installLatestPlugins](./values.yaml#L409) | bool | Download the minimum required version or latest version of all dependencies | `true` |
+| [controller.installLatestSpecifiedPlugins](./values.yaml#L412) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
+| [controller.installPlugins](./values.yaml#L401) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4296.v20a_7e4d77cf6","workflow-aggregator:600.vb_57cdd26fdd7","git:5.6.0","configuration-as-code:1897.v79281e066ea_7"]` |
 | [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` |
 | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
 | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
@@ -175,147 +175,144 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.jenkinsUrl](./values.yaml#L174) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` |
 | [controller.jenkinsUrlProtocol](./values.yaml#L171) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` |
 | [controller.jenkinsWar](./values.yaml#L109) | string |  | `"/usr/share/jenkins/jenkins.war"` |
-| [controller.jmxPort](./values.yaml#L395) | string | Open a port, for JMX stats | `nil` |
-| [controller.legacyRemotingSecurityEnabled](./values.yaml#L371) | bool | Whether legacy remoting security should be enabled | `false` |
+| [controller.jmxPort](./values.yaml#L391) | string | Open a port, for JMX stats | `nil` |
+| [controller.legacyRemotingSecurityEnabled](./values.yaml#L367) | bool | Whether legacy remoting security should be enabled | `false` |
 | [controller.lifecycle](./values.yaml#L51) | object | Lifecycle specification for controller-container | `{}` |
-| [controller.loadBalancerIP](./values.yaml#L386) | string | Optionally assign a known public LB IP | `nil` |
-| [controller.loadBalancerSourceRanges](./values.yaml#L382) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
-| [controller.markupFormatter](./values.yaml#L443) | string | Yaml of the markup formatter to use | `"plainText"` |
+| [controller.loadBalancerIP](./values.yaml#L382) | string | Optionally assign a known public LB IP | `nil` |
+| [controller.loadBalancerSourceRanges](./values.yaml#L378) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
+| [controller.markupFormatter](./values.yaml#L439) | string | Yaml of the markup formatter to use | `"plainText"` |
 | [controller.nodePort](./values.yaml#L229) | string | k8s node port. Only used if serviceType is NodePort | `nil` |
-| [controller.nodeSelector](./values.yaml#L657) | object | Node labels for pod assignment | `{}` |
+| [controller.nodeSelector](./values.yaml#L653) | object | Node labels for pod assignment | `{}` |
 | [controller.numExecutors](./values.yaml#L62) | int | Set Number of executors | `0` |
-| [controller.overwritePlugins](./values.yaml#L428) | bool | Overwrite installed plugins on start | `false` |
-| [controller.overwritePluginsFromImage](./values.yaml#L432) | bool | Overwrite plugins that are already installed in the controller image | `true` |
-| [controller.podAnnotations](./values.yaml#L678) | object | Annotations for controller pod | `{}` |
-| [controller.podDisruptionBudget.annotations](./values.yaml#L322) | object |  | `{}` |
-| [controller.podDisruptionBudget.apiVersion](./values.yaml#L320) | string | Policy API version | `"policy/v1beta1"` |
-| [controller.podDisruptionBudget.enabled](./values.yaml#L315) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
-| [controller.podDisruptionBudget.labels](./values.yaml#L323) | object |  | `{}` |
-| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L325) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
-| [controller.podLabels](./values.yaml#L251) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
+| [controller.overwritePlugins](./values.yaml#L424) | bool | Overwrite installed plugins on start | `false` |
+| [controller.overwritePluginsFromImage](./values.yaml#L428) | bool | Overwrite plugins that are already installed in the controller image | `true` |
+| [controller.podAnnotations](./values.yaml#L674) | object | Annotations for controller pod | `{}` |
+| [controller.podDisruptionBudget.annotations](./values.yaml#L318) | object |  | `{}` |
+| [controller.podDisruptionBudget.apiVersion](./values.yaml#L316) | string | Policy API version | `"policy/v1beta1"` |
+| [controller.podDisruptionBudget.enabled](./values.yaml#L311) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
+| [controller.podDisruptionBudget.labels](./values.yaml#L319) | object |  | `{}` |
+| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L321) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
+| [controller.podLabels](./values.yaml#L247) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
 | [controller.podSecurityContextOverride](./values.yaml#L208) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` |
-| [controller.priorityClassName](./values.yaml#L675) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
-| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L276) | int | Set the failure threshold for the liveness probe | `5` |
-| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L279) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L281) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
-| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L290) | string | Set the initial delay for the liveness probe in seconds | `nil` |
-| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L283) | int | Set the time interval between two liveness probes executions in seconds | `10` |
-| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L285) | int | Set the timeout for the liveness probe in seconds | `5` |
-| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L294) | int | Set the failure threshold for the readiness probe | `3` |
-| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L297) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L299) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
-| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L308) | string | Set the initial delay for the readiness probe in seconds | `nil` |
-| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L301) | int | Set the time interval between two readiness probes executions in seconds | `10` |
-| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L303) | int | Set the timeout for the readiness probe in seconds | `5` |
-| [controller.probes.startupProbe.failureThreshold](./values.yaml#L263) | int | Set the failure threshold for the startup probe | `12` |
-| [controller.probes.startupProbe.httpGet.path](./values.yaml#L266) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.startupProbe.httpGet.port](./values.yaml#L268) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
-| [controller.probes.startupProbe.periodSeconds](./values.yaml#L270) | int | Set the time interval between two startup probes executions in seconds | `10` |
-| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L272) | int | Set the timeout for the startup probe in seconds | `5` |
-| [controller.projectNamingStrategy](./values.yaml#L435) | string |  | `"standard"` |
-| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L822) | object | Additional labels to add to the PrometheusRule object | `{}` |
-| [controller.prometheus.alertingrules](./values.yaml#L820) | list | Array of prometheus alerting rules | `[]` |
-| [controller.prometheus.enabled](./values.yaml#L805) | bool | Enables prometheus service monitor | `false` |
-| [controller.prometheus.metricRelabelings](./values.yaml#L832) | list |  | `[]` |
-| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L824) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
-| [controller.prometheus.relabelings](./values.yaml#L830) | list |  | `[]` |
-| [controller.prometheus.scrapeEndpoint](./values.yaml#L815) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
-| [controller.prometheus.scrapeInterval](./values.yaml#L811) | string | How often prometheus should scrape metrics | `"60s"` |
-| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L807) | object | Additional labels to add to the service monitor object | `{}` |
-| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L809) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
-| [controller.publishNotReadyAddresses](./values.yaml#L237) | string |  | `nil` |
+| [controller.priorityClassName](./values.yaml#L671) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
+| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L272) | int | Set the failure threshold for the liveness probe | `5` |
+| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L275) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L277) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
+| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L286) | string | Set the initial delay for the liveness probe in seconds | `nil` |
+| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L279) | int | Set the time interval between two liveness probes executions in seconds | `10` |
+| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L281) | int | Set the timeout for the liveness probe in seconds | `5` |
+| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L290) | int | Set the failure threshold for the readiness probe | `3` |
+| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L293) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L295) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
+| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L304) | string | Set the initial delay for the readiness probe in seconds | `nil` |
+| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L297) | int | Set the time interval between two readiness probes executions in seconds | `10` |
+| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L299) | int | Set the timeout for the readiness probe in seconds | `5` |
+| [controller.probes.startupProbe.failureThreshold](./values.yaml#L259) | int | Set the failure threshold for the startup probe | `12` |
+| [controller.probes.startupProbe.httpGet.path](./values.yaml#L262) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.startupProbe.httpGet.port](./values.yaml#L264) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
+| [controller.probes.startupProbe.periodSeconds](./values.yaml#L266) | int | Set the time interval between two startup probes executions in seconds | `10` |
+| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L268) | int | Set the timeout for the startup probe in seconds | `5` |
+| [controller.projectNamingStrategy](./values.yaml#L431) | string |  | `"standard"` |
+| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L818) | object | Additional labels to add to the PrometheusRule object | `{}` |
+| [controller.prometheus.alertingrules](./values.yaml#L816) | list | Array of prometheus alerting rules | `[]` |
+| [controller.prometheus.enabled](./values.yaml#L801) | bool | Enables prometheus service monitor | `false` |
+| [controller.prometheus.metricRelabelings](./values.yaml#L828) | list |  | `[]` |
+| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L820) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
+| [controller.prometheus.relabelings](./values.yaml#L826) | list |  | `[]` |
+| [controller.prometheus.scrapeEndpoint](./values.yaml#L811) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
+| [controller.prometheus.scrapeInterval](./values.yaml#L807) | string | How often prometheus should scrape metrics | `"60s"` |
+| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L803) | object | Additional labels to add to the service monitor object | `{}` |
+| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L805) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
 | [controller.resources](./values.yaml#L115) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` |
-| [controller.route.annotations](./values.yaml#L784) | object | Route annotations | `{}` |
-| [controller.route.enabled](./values.yaml#L780) | bool | Enables openshift route | `false` |
-| [controller.route.labels](./values.yaml#L782) | object | Route labels | `{}` |
-| [controller.route.path](./values.yaml#L786) | string | Route path | `nil` |
+| [controller.route.annotations](./values.yaml#L780) | object | Route annotations | `{}` |
+| [controller.route.enabled](./values.yaml#L776) | bool | Enables openshift route | `false` |
+| [controller.route.labels](./values.yaml#L778) | object | Route labels | `{}` |
+| [controller.route.path](./values.yaml#L782) | string | Route path | `nil` |
 | [controller.runAsUser](./values.yaml#L189) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
-| [controller.schedulerName](./values.yaml#L653) | string | Name of the Kubernetes scheduler to use | `""` |
-| [controller.scriptApproval](./values.yaml#L447) | list | List of groovy functions to approve | `[]` |
-| [controller.secondaryingress.annotations](./values.yaml#L747) | object |  | `{}` |
-| [controller.secondaryingress.apiVersion](./values.yaml#L745) | string |  | `"extensions/v1beta1"` |
-| [controller.secondaryingress.enabled](./values.yaml#L739) | bool |  | `false` |
-| [controller.secondaryingress.hostName](./values.yaml#L754) | string |  | `nil` |
-| [controller.secondaryingress.labels](./values.yaml#L746) | object |  | `{}` |
-| [controller.secondaryingress.paths](./values.yaml#L742) | list |  | `[]` |
-| [controller.secondaryingress.tls](./values.yaml#L755) | string |  | `nil` |
-| [controller.secretClaims](./values.yaml#L490) | list | List of `SecretClaim` resources to create | `[]` |
+| [controller.schedulerName](./values.yaml#L649) | string | Name of the Kubernetes scheduler to use | `""` |
+| [controller.scriptApproval](./values.yaml#L443) | list | List of groovy functions to approve | `[]` |
+| [controller.secondaryingress.annotations](./values.yaml#L743) | object |  | `{}` |
+| [controller.secondaryingress.apiVersion](./values.yaml#L741) | string |  | `"extensions/v1beta1"` |
+| [controller.secondaryingress.enabled](./values.yaml#L735) | bool |  | `false` |
+| [controller.secondaryingress.hostName](./values.yaml#L750) | string |  | `nil` |
+| [controller.secondaryingress.labels](./values.yaml#L742) | object |  | `{}` |
+| [controller.secondaryingress.paths](./values.yaml#L738) | list |  | `[]` |
+| [controller.secondaryingress.tls](./values.yaml#L751) | string |  | `nil` |
+| [controller.secretClaims](./values.yaml#L486) | list | List of `SecretClaim` resources to create | `[]` |
 | [controller.securityContextCapabilities](./values.yaml#L198) | object |  | `{}` |
-| [controller.serviceAnnotations](./values.yaml#L240) | object | Jenkins controller service annotations | `{}` |
+| [controller.serviceAnnotations](./values.yaml#L236) | object | Jenkins controller service annotations | `{}` |
 | [controller.serviceExternalTrafficPolicy](./values.yaml#L233) | string |  | `nil` |
-| [controller.serviceLabels](./values.yaml#L246) | object | Labels for the Jenkins controller-service | `{}` |
+| [controller.serviceLabels](./values.yaml#L242) | object | Labels for the Jenkins controller-service | `{}` |
 | [controller.servicePort](./values.yaml#L225) | int | k8s service port | `8080` |
 | [controller.serviceType](./values.yaml#L220) | string | k8s service type | `"ClusterIP"` |
 | [controller.shareProcessNamespace](./values.yaml#L124) | bool |  | `false` |
-| [controller.sidecars.additionalSidecarContainers](./values.yaml#L635) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
-| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L581) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
-| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L630) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
-| [controller.sidecars.configAutoReload.enabled](./values.yaml#L564) | bool | Enables Jenkins Config as Code auto-reload | `true` |
-| [controller.sidecars.configAutoReload.env](./values.yaml#L612) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
-| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L610) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
-| [controller.sidecars.configAutoReload.folder](./values.yaml#L623) | string |  | `"/var/jenkins_home/casc_configs"` |
-| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L567) | string | Registry for the image that triggers the reload | `"docker.io"` |
-| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L569) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
-| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L571) | string | Tag for the image that triggers the reload | `"1.30.1"` |
-| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L572) | string |  | `"IfNotPresent"` |
-| [controller.sidecars.configAutoReload.logging](./values.yaml#L587) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
-| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L591) | bool | Enables custom log config utilizing using the settings below. | `false` |
-| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L605) | int | How many connection-related errors to retry on | `10` |
-| [controller.sidecars.configAutoReload.resources](./values.yaml#L573) | object |  | `{}` |
-| [controller.sidecars.configAutoReload.scheme](./values.yaml#L600) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
-| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L602) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
-| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L607) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
-| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L621) | int |  | `1044` |
-| [controller.statefulSetAnnotations](./values.yaml#L680) | object | Annotations for controller StatefulSet | `{}` |
-| [controller.statefulSetLabels](./values.yaml#L242) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
+| [controller.sidecars.additionalSidecarContainers](./values.yaml#L631) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
+| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L577) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
+| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L626) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
+| [controller.sidecars.configAutoReload.enabled](./values.yaml#L560) | bool | Enables Jenkins Config as Code auto-reload | `true` |
+| [controller.sidecars.configAutoReload.env](./values.yaml#L608) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
+| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L606) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
+| [controller.sidecars.configAutoReload.folder](./values.yaml#L619) | string |  | `"/var/jenkins_home/casc_configs"` |
+| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L563) | string | Registry for the image that triggers the reload | `"docker.io"` |
+| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L565) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
+| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L567) | string | Tag for the image that triggers the reload | `"1.28.0"` |
+| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L568) | string |  | `"IfNotPresent"` |
+| [controller.sidecars.configAutoReload.logging](./values.yaml#L583) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
+| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L587) | bool | Enables custom log config utilizing using the settings below. | `false` |
+| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L601) | int | How many connection-related errors to retry on | `10` |
+| [controller.sidecars.configAutoReload.resources](./values.yaml#L569) | object |  | `{}` |
+| [controller.sidecars.configAutoReload.scheme](./values.yaml#L596) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
+| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L598) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
+| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L603) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
+| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L617) | int |  | `1044` |
+| [controller.statefulSetAnnotations](./values.yaml#L676) | object | Annotations for controller StatefulSet | `{}` |
+| [controller.statefulSetLabels](./values.yaml#L238) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
 | [controller.targetPort](./values.yaml#L227) | int | k8s target port | `8080` |
-| [controller.terminationGracePeriodSeconds](./values.yaml#L663) | string | Set TerminationGracePeriodSeconds | `nil` |
-| [controller.terminationMessagePath](./values.yaml#L665) | string | Set the termination message path | `nil` |
-| [controller.terminationMessagePolicy](./values.yaml#L667) | string | Set the termination message policy | `nil` |
-| [controller.testEnabled](./values.yaml#L844) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
-| [controller.tolerations](./values.yaml#L661) | list | Toleration labels for pod assignment | `[]` |
-| [controller.topologySpreadConstraints](./values.yaml#L687) | object | Topology spread constraints | `{}` |
-| [controller.updateStrategy](./values.yaml#L684) | object | Update strategy for StatefulSet | `{}` |
+| [controller.terminationGracePeriodSeconds](./values.yaml#L659) | string | Set TerminationGracePeriodSeconds | `nil` |
+| [controller.terminationMessagePath](./values.yaml#L661) | string | Set the termination message path | `nil` |
+| [controller.terminationMessagePolicy](./values.yaml#L663) | string | Set the termination message policy | `nil` |
+| [controller.testEnabled](./values.yaml#L840) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
+| [controller.tolerations](./values.yaml#L657) | list | Toleration labels for pod assignment | `[]` |
+| [controller.topologySpreadConstraints](./values.yaml#L683) | object | Topology spread constraints | `{}` |
+| [controller.updateStrategy](./values.yaml#L680) | object | Update strategy for StatefulSet | `{}` |
 | [controller.usePodSecurityContext](./values.yaml#L182) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
 | [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` |
 | [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
-| [helmtest.bats.image.registry](./values.yaml#L1369) | string | Registry of the image used to test the framework | `"docker.io"` |
-| [helmtest.bats.image.repository](./values.yaml#L1371) | string | Repository of the image used to test the framework | `"bats/bats"` |
-| [helmtest.bats.image.tag](./values.yaml#L1373) | string | Tag of the image to test the framework | `"1.11.1"` |
+| [helmtest.bats.image.registry](./values.yaml#L1361) | string | Registry of the image used to test the framework | `"docker.io"` |
+| [helmtest.bats.image.repository](./values.yaml#L1363) | string | Repository of the image used to test the framework | `"bats/bats"` |
+| [helmtest.bats.image.tag](./values.yaml#L1365) | string | Tag of the image to test the framework | `"1.11.0"` |
 | [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
 | [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
 | [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
-| [networkPolicy.apiVersion](./values.yaml#L1293) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
-| [networkPolicy.enabled](./values.yaml#L1288) | bool | Enable the creation of NetworkPolicy resources | `false` |
-| [networkPolicy.externalAgents.except](./values.yaml#L1307) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
-| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1305) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
-| [networkPolicy.internalAgents.allowed](./values.yaml#L1297) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
-| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1301) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
-| [networkPolicy.internalAgents.podLabels](./values.yaml#L1299) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
-| [persistence.accessMode](./values.yaml#L1263) | string | The PVC access mode | `"ReadWriteOnce"` |
-| [persistence.annotations](./values.yaml#L1259) | object | Annotations for the PVC | `{}` |
-| [persistence.dataSource](./values.yaml#L1269) | object | Existing data source to clone PVC from | `{}` |
-| [persistence.enabled](./values.yaml#L1243) | bool | Enable the use of a Jenkins PVC | `true` |
-| [persistence.existingClaim](./values.yaml#L1249) | string | Provide the name of a PVC | `nil` |
-| [persistence.labels](./values.yaml#L1261) | object | Labels for the PVC | `{}` |
-| [persistence.mounts](./values.yaml#L1281) | list | Additional mounts | `[]` |
-| [persistence.size](./values.yaml#L1265) | string | The size of the PVC | `"8Gi"` |
-| [persistence.storageClass](./values.yaml#L1257) | string | Storage class for the PVC | `nil` |
-| [persistence.subPath](./values.yaml#L1274) | string | SubPath for jenkins-home mount | `nil` |
-| [persistence.volumes](./values.yaml#L1276) | list | Additional volumes | `[]` |
-| [rbac.create](./values.yaml#L1313) | bool | Whether RBAC resources are created | `true` |
-| [rbac.readSecrets](./values.yaml#L1315) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
-| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1317) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
+| [networkPolicy.apiVersion](./values.yaml#L1289) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
+| [networkPolicy.enabled](./values.yaml#L1284) | bool | Enable the creation of NetworkPolicy resources | `false` |
+| [networkPolicy.externalAgents.except](./values.yaml#L1303) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
+| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1301) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
+| [networkPolicy.internalAgents.allowed](./values.yaml#L1293) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
+| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1297) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
+| [networkPolicy.internalAgents.podLabels](./values.yaml#L1295) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
+| [persistence.accessMode](./values.yaml#L1259) | string | The PVC access mode | `"ReadWriteOnce"` |
+| [persistence.annotations](./values.yaml#L1255) | object | Annotations for the PVC | `{}` |
+| [persistence.dataSource](./values.yaml#L1265) | object | Existing data source to clone PVC from | `{}` |
+| [persistence.enabled](./values.yaml#L1239) | bool | Enable the use of a Jenkins PVC | `true` |
+| [persistence.existingClaim](./values.yaml#L1245) | string | Provide the name of a PVC | `nil` |
+| [persistence.labels](./values.yaml#L1257) | object | Labels for the PVC | `{}` |
+| [persistence.mounts](./values.yaml#L1277) | list | Additional mounts | `[]` |
+| [persistence.size](./values.yaml#L1261) | string | The size of the PVC | `"8Gi"` |
+| [persistence.storageClass](./values.yaml#L1253) | string | Storage class for the PVC | `nil` |
+| [persistence.subPath](./values.yaml#L1270) | string | SubPath for jenkins-home mount | `nil` |
+| [persistence.volumes](./values.yaml#L1272) | list | Additional volumes | `[]` |
+| [rbac.create](./values.yaml#L1309) | bool | Whether RBAC resources are created | `true` |
+| [rbac.readSecrets](./values.yaml#L1311) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
+| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1313) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
 | [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
-| [serviceAccount.annotations](./values.yaml#L1327) | object | Configures annotations for the ServiceAccount | `{}` |
-| [serviceAccount.automountServiceAccountToken](./values.yaml#L1333) | bool | Auto-mount ServiceAccount token | `true` |
-| [serviceAccount.create](./values.yaml#L1321) | bool | Configures if a ServiceAccount with this name should be created | `true` |
-| [serviceAccount.extraLabels](./values.yaml#L1329) | object | Configures extra labels for the ServiceAccount | `{}` |
-| [serviceAccount.imagePullSecretName](./values.yaml#L1331) | string | Controller ServiceAccount image pull secret | `nil` |
-| [serviceAccount.name](./values.yaml#L1325) | string |  | `nil` |
-| [serviceAccountAgent.annotations](./values.yaml#L1344) | object | Configures annotations for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.automountServiceAccountToken](./values.yaml#L1350) | bool | Auto-mount ServiceAccount token | `true` |
-| [serviceAccountAgent.create](./values.yaml#L1338) | bool | Configures if an agent ServiceAccount should be created | `false` |
-| [serviceAccountAgent.extraLabels](./values.yaml#L1346) | object | Configures extra labels for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1348) | string | Agent ServiceAccount image pull secret | `nil` |
-| [serviceAccountAgent.name](./values.yaml#L1342) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
+| [serviceAccount.annotations](./values.yaml#L1323) | object | Configures annotations for the ServiceAccount | `{}` |
+| [serviceAccount.create](./values.yaml#L1317) | bool | Configures if a ServiceAccount with this name should be created | `true` |
+| [serviceAccount.extraLabels](./values.yaml#L1325) | object | Configures extra labels for the ServiceAccount | `{}` |
+| [serviceAccount.imagePullSecretName](./values.yaml#L1327) | string | Controller ServiceAccount image pull secret | `nil` |
+| [serviceAccount.name](./values.yaml#L1321) | string |  | `nil` |
+| [serviceAccountAgent.annotations](./values.yaml#L1338) | object | Configures annotations for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.create](./values.yaml#L1332) | bool | Configures if an agent ServiceAccount should be created | `false` |
+| [serviceAccountAgent.extraLabels](./values.yaml#L1340) | object | Configures extra labels for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1342) | string | Agent ServiceAccount image pull secret | `nil` |
+| [serviceAccountAgent.name](./values.yaml#L1336) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |

charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl

@@ -309,7 +309,6 @@ jenkins:
   {{- /* restore root */}}
   {{- $_ := set $ "Values" $oldRoot.Values }}
   {{- end }}
-  slaveAgentPort: {{ .Values.controller.agentListenerPort }}
   {{- if .Values.controller.csrf.defaultCrumbIssuer.enabled }}
   crumbIssuer:
     standard:

charts/kubezero-ci/charts/jenkins/templates/home-pvc.yaml

@@ -34,7 +34,7 @@ spec:
 {{- if (eq "-" .Values.persistence.storageClass) }}
   storageClassName: ""
 {{- else }}
-  storageClassName: "{{ tpl .Values.persistence.storageClass . }}"
+  storageClassName: "{{ .Values.persistence.storageClass }}"
 {{- end }}
 {{- end }}
 {{- end }}

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-ingress.yaml

@@ -23,12 +23,12 @@ metadata:
 {{- end }}
 {{- if .Values.controller.ingress.annotations }}
   annotations:
-{{ tpl (toYaml .Values.controller.ingress.annotations) . | indent 4 }}
+{{ toYaml .Values.controller.ingress.annotations | indent 4 }}
 {{- end }}
   name: {{ template "jenkins.fullname" . }}
 spec:
 {{- if .Values.controller.ingress.ingressClassName }}
-  ingressClassName: {{ tpl .Values.controller.ingress.ingressClassName . | quote }}
+  ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }}
 {{- end }}
   rules:
   - http:

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-statefulset.yaml

@@ -107,7 +107,6 @@ spec:
   {{- end }}
 {{- end }}
       serviceAccountName: "{{ template "jenkins.serviceAccountName" . }}"
-      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- if .Values.controller.hostNetworking }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-svc.yaml

@@ -41,9 +41,6 @@ spec:
       targetPort: {{ $port.port }}
       {{- end -}}
 {{- end }}
-  {{- if .Values.controller.publishNotReadyAddresses }}
-  publishNotReadyAddresses: true
-  {{- end }}
   selector:
     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
     "app.kubernetes.io/instance": "{{ .Release.Name }}"

charts/kubezero-ci/charts/jenkins/templates/service-account-agent.yaml

@@ -1,7 +1,6 @@
 {{ if .Values.serviceAccountAgent.create }}
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: {{ .Values.serviceAccountAgent.automountServiceAccountToken }}
 metadata:
   name: {{ include "jenkins.serviceAccountAgentName" . }}
   namespace: {{ template "jenkins.agent.namespace" . }}

charts/kubezero-ci/charts/jenkins/templates/service-account.yaml

@@ -1,7 +1,6 @@
 {{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "jenkins.serviceAccountName" . }}
   namespace: {{ template "jenkins.namespace" . }}

charts/kubezero-ci/charts/jenkins/values.yaml

@@ -232,10 +232,6 @@ controller:
   # but risks potentially imbalanced traffic spreading.
   serviceExternalTrafficPolicy:
 
-  # If enabled, the controller is available through its service before its pods reports ready. Makes startup screen and
-  # auto-reload on restart feature possible.
-  publishNotReadyAddresses:
-
   # -- Jenkins controller service annotations
   serviceAnnotations: {}
   # -- Jenkins controller custom labels for the StatefulSet
@@ -403,10 +399,10 @@ controller:
   # Plugins will be installed during Jenkins controller start
   # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
   installPlugins:
-    - kubernetes:4313.va_9b_4fe2a_0e34
+    - kubernetes:4296.v20a_7e4d77cf6
     - workflow-aggregator:600.vb_57cdd26fdd7
-    - git:5.7.0
-    - configuration-as-code:1932.v75cb_b_f1b_698d
+    - git:5.6.0
+    - configuration-as-code:1897.v79281e066ea_7
 
   # If set to false, Jenkins will download the minimum required version of all dependencies.
   # -- Download the minimum required version or latest version of all dependencies
@@ -568,7 +564,7 @@ controller:
         # -- Repository of the image that triggers the reload
         repository: kiwigrid/k8s-sidecar
         # -- Tag for the image that triggers the reload
-        tag: 1.30.1
+        tag: 1.28.0
       imagePullPolicy: IfNotPresent
       resources: {}
         #   limits:
@@ -955,7 +951,7 @@ agent:
     # -- Repository to pull the agent jnlp image from
     repository: "jenkins/inbound-agent"
     # -- Tag of the image to pull
-    tag: "3283.v92c105e0f819-9"
+    tag: "3273.v4cfe589b_fd83-1"
   # -- Configure working directory for default agent
   workingDir: "/home/jenkins/agent"
   nodeUsageMode: "NORMAL"
@@ -1329,8 +1325,6 @@ serviceAccount:
   extraLabels: {}
   # -- Controller ServiceAccount image pull secret
   imagePullSecretName:
-  # -- Auto-mount ServiceAccount token
-  automountServiceAccountToken: true
 
 
 serviceAccountAgent:
@@ -1346,8 +1340,6 @@ serviceAccountAgent:
   extraLabels: {}
   # -- Agent ServiceAccount image pull secret
   imagePullSecretName:
-  # -- Auto-mount ServiceAccount token
-  automountServiceAccountToken: true
 
 # -- Checks if any deprecated values are used
 checkDeprecation: true
@@ -1370,4 +1362,4 @@ helmtest:
       # -- Repository of the image used to test the framework
       repository: "bats/bats"
       # -- Tag of the image to test the framework
-      tag: "1.11.1"
+      tag: "1.11.0"

charts/kubezero-ci/values.yaml

@@ -2,7 +2,7 @@ gitea:
   enabled: false
 
   image:
-    tag: 1.23.4
+    tag: 1.22.6
     rootless: true
 
   repliaCount: 1
@@ -16,10 +16,6 @@ gitea:
     claimName: data-gitea-0
     size: 4Gi
 
-  service:
-    http:
-      port: 80
-
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -293,18 +289,12 @@ trivy:
 renovate:
   enabled: false
 
-  renovate:
-    config: |
-      {
-      }
-
   env:
     LOG_FORMAT: json
   cronjob:
     concurrencyPolicy: Forbid
-    jobBackoffLimit: 2
+    jobBackoffLimit: 3
     schedule:	"0 3 * * *"
     successfulJobsHistoryLimit: 1
-
   securityContext:
-    fsGroupChangePolicy: OnRootMismatch
+    fsGroup: 1000

charts/kubezero-falco/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: falco
     version: 4.2.5

charts/kubezero-graph/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.2.1"
     repository: https://cdn.zero-downtime.net/charts/
   - name: neo4j
     version: 5.26.0

charts/kubezero-istio-gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio-gateway
 description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.24.3
+version: 0.24.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -14,9 +14,9 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: gateway
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-istio-gateway/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio-gateway
 
-![Version: 0.24.3](https://img.shields.io/badge/Version-0.24.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.24.2](https://img.shields.io/badge/Version-0.24.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio gateways
 
@@ -20,8 +20,8 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-| https://istio-release.storage.googleapis.com/charts | gateway | 1.24.3 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://istio-release.storage.googleapis.com/charts | gateway | 1.24.2 |
 
 ## Values
 
@@ -32,8 +32,8 @@ Kubernetes: `>= 1.30.0-0`
 | gateway.autoscaling.maxReplicas | int | `4` |  |
 | gateway.autoscaling.minReplicas | int | `1` |  |
 | gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| gateway.minReadySeconds | int | `10` |  |
-| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"90s\" }"` |  |
+| gateway.minReadySeconds | int | `120` |  |
+| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` |  |
 | gateway.replicaCount | int | `1` |  |
 | gateway.resources.limits.memory | string | `"512Mi"` |  |
 | gateway.resources.requests.cpu | string | `"50m"` |  |

charts/kubezero-istio-gateway/charts/gateway/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24.3
+appVersion: 1.24.2
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.24.3
+version: 1.24.2

charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml

@@ -77,7 +77,7 @@ spec:
             allowPrivilegeEscalation: false
             privileged: false
             readOnlyRootFilesystem: true
-            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            {{- if not (eq .Values.platform "openshift") }}
             runAsUser: 1337
             runAsGroup: 1337
             {{- end }}

charts/kubezero-istio-gateway/charts/gateway/templates/zzz_profile.yaml

@@ -49,7 +49,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 #  Flatten globals, if defined on a per-chart basis
-{{- if true }}
+{{- if false }}
 {{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}

charts/kubezero-istio/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.24.3
+version: 0.24.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -13,20 +13,16 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
-  - name: envoy-ratelimit
-    version: 0.1.2
-    repository: https://cdn.zero-downtime.net/charts/
-    condition: envoy-ratelimit.enabled
   - name: base
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
   - name: istiod
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
   - name: kiali-server
-    version: "2.6.0"
+    version: "2.5.0"
     repository: https://kiali.org/helm-charts
     condition: kiali-server.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-istio/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio
 
-![Version: 0.24.3](https://img.shields.io/badge/Version-0.24.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.24.2](https://img.shields.io/badge/Version-0.24.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio
 
@@ -20,27 +20,15 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 |
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-| https://istio-release.storage.googleapis.com/charts | base | 1.24.3 |
-| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 |
-| https://kiali.org/helm-charts | kiali-server | 2.6.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://istio-release.storage.googleapis.com/charts | base | 1.24.2 |
+| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.2 |
+| https://kiali.org/helm-charts | kiali-server | 2.5.0 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| envoy-ratelimit.descriptors.ingress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
-| envoy-ratelimit.enabled | bool | `false` |  |
-| envoy-ratelimit.failureModeDeny | bool | `false` |  |
-| envoy-ratelimit.localCacheSize | int | `1048576` |  |
-| envoy-ratelimit.log.format | string | `"json"` |  |
-| envoy-ratelimit.log.level | string | `"warn"` |  |
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
 | global.logAsJson | bool | `true` |  |
 | global.variant | string | `"distroless"` |  |
@@ -62,6 +50,17 @@ Kubernetes: `>= 1.30.0-0`
 | kiali-server.istio.enabled | bool | `false` |  |
 | kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | kiali-server.server.metrics_enabled | bool | `false` |  |
+| rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` |  |
+| rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
+| rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
+| rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
+| rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
+| rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
+| rateLimiting.enabled | bool | `false` |  |
+| rateLimiting.failureModeDeny | bool | `false` |  |
+| rateLimiting.localCacheSize | int | `1048576` |  |
+| rateLimiting.log.format | string | `"json"` |  |
+| rateLimiting.log.level | string | `"warn"` |  |
 
 ## Resources
 

charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml

@@ -0,0 +1,106 @@
+{{- if .Values.rateLimiting.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ratelimit-statsd-exporter-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    defaults:
+      ttl: 1m # Resets the metrics every minute
+    mappings:
+      - match:
+          "ratelimit.service.rate_limit.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.call.should_rate_limit.*"
+        name: "ratelimit_service_should_rate_limit_error"
+        match_metric_type: counter
+        labels:
+          err_type: "$1"
+      - match:
+          "ratelimit_server.*.total_requests"
+        name: "ratelimit_service_total_requests"
+        match_metric_type: counter
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit_server.*.response_time"
+        name: "ratelimit_service_response_time_seconds"
+        timer_type: histogram
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit.service.config_load_success"
+        name: "ratelimit_service_config_load_success"
+        match_metric_type: counter
+        ttl: 3m
+      - match:
+          "ratelimit.service.config_load_error"
+        name: "ratelimit_service_config_load_error"
+        match_metric_type: counter
+        ttl: 3m
+      - match: "."
+        match_type: "regex"
+        action: "drop"
+        name: "dropped"
+{{- end }}

charts/kubezero-istio/templates/ratelimit/config.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rateLimiting.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -9,9 +10,10 @@ data:
   ingress.yaml: |
     domain: ingress
     descriptors:
-    {{- toYaml .Values.descriptors.ingress | nindent 4 }}
+    {{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }}
 
   private-ingress.yaml: |
     domain: private-ingress
     descriptors:
-    {{- toYaml .Values.descriptors.privateIngress | nindent 4 }}
+    {{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }}
+{{- end }}

charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rateLimiting.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -26,7 +27,7 @@ spec:
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
             domain: ingress
-            failure_mode_deny: {{ .Values.failureModeDeny }}
+            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
             timeout: 0.5s
             rate_limit_service:
               grpc_service:
@@ -84,7 +85,7 @@ spec:
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
             domain:  private-ingress
-            failure_mode_deny: {{ .Values.failureModeDeny }}
+            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
             timeout: 0.5s
             rate_limit_service:
               grpc_service:
@@ -112,3 +113,4 @@ spec:
                      socket_address:
                       address: ratelimit.istio-system
                       port_value: 8081
+{{- end }}

charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml

@@ -0,0 +1,154 @@
+{{- if .Values.rateLimiting.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratelimit-redis
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ratelimit-redis
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app: ratelimit-redis
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratelimit-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ratelimit-redis
+  template:
+    metadata:
+      labels:
+        app: ratelimit-redis
+    spec:
+      containers:
+      - image: redis:6-alpine
+        imagePullPolicy: IfNotPresent
+        name: redis
+        ports:
+        - name: redis
+          containerPort: 6379
+      restartPolicy: Always
+      serviceAccountName: ""
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratelimit
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ratelimit
+spec:
+  ports:
+  #- name: http-port
+  #  port: 8080
+  #  targetPort: 8080
+  #  protocol: TCP
+  - name: grpc-port
+    port: 8081
+    targetPort: 8081
+    protocol: TCP
+  #- name: http-debug
+  #  port: 6070
+  #  targetPort: 6070
+  #  protocol: TCP
+  - name: http-monitoring
+    port: 9102
+    targetPort: 9102
+    protocol: TCP
+  selector:
+    app: ratelimit
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratelimit
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ratelimit
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: ratelimit
+    spec:
+      containers:
+      - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
+        imagePullPolicy: IfNotPresent
+        name: ratelimit
+        command: ["/bin/ratelimit"]
+        env:
+        - name: LOG_LEVEL
+          value: {{ default "WARN" .Values.rateLimiting.log.level }}
+        - name: LOG_FORMAT
+          value: {{ default "text" .Values.rateLimiting.log.format }}
+        - name: REDIS_SOCKET_TYPE
+          value: tcp
+        - name: REDIS_URL
+          value: ratelimit-redis:6379
+        - name: USE_STATSD
+          value: "true"
+        - name: STATSD_HOST
+          value: "localhost"
+        - name: STATSD_PORT
+          value: "9125"
+        - name: RUNTIME_ROOT
+          value: /data
+        - name: RUNTIME_SUBDIRECTORY
+          value: ratelimit
+        - name: RUNTIME_WATCH_ROOT
+          value: "false"
+        - name: RUNTIME_IGNOREDOTFILES
+          value: "true"
+        - name: LOCAL_CACHE_SIZE_IN_BYTES
+          value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}"
+        ports:
+        #- containerPort: 8080
+        - containerPort: 8081
+        #- containerPort: 6070
+        volumeMounts:
+        - name: ratelimit-config
+          mountPath: /data/ratelimit/config
+        resources:
+          requests:
+            cpu: 50m
+            memory: 32Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+      - name: statsd-exporter
+        image: docker.io/prom/statsd-exporter:v0.21.0
+        imagePullPolicy: Always
+        args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
+        ports:
+          - containerPort: 9125
+        #  - containerPort: 9102
+        resources:
+          requests:
+            cpu: 50m
+            memory: 32Mi
+          limits:
+            cpu: 200m
+            memory: 64Mi
+        volumeMounts:
+          - name: statsd-exporter-config
+            mountPath: /etc/statsd-exporter
+      volumes:
+      - name: ratelimit-config
+        configMap:
+          name: ratelimit-config
+      - name: statsd-exporter-config
+        configMap:
+          name: ratelimit-statsd-exporter-config
+{{- end }}

charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.metrics.enabled }}
+{{- if and .Values.istiod.telemetry.enabled .Values.rateLimiting.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:

charts/kubezero-istio/values.yaml

@@ -56,7 +56,29 @@ kiali-server:
     #url: "kiali.example.com"
 
 
-# for available options see envoy-ratelimit chart
-envoy-ratelimit:
+rateLimiting:
   enabled: false
 
+  log:
+    level: warn
+    format: json
+
+  # 1MB local cache for already reached limits to reduce calls to Redis
+  localCacheSize: 1048576
+
+  # Wether to block requests if ratelimiting is down
+  failureModeDeny: false
+
+  # rate limit descriptors for each domain, examples 10 req/s per sourceIP
+  descriptors:
+    ingress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10
+
+    privateIngress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10

charts/kubezero-lib/Chart.yaml

@@ -10,4 +10,4 @@ keywords:
 maintainers:
   - name: Stefan Reimer
     email: stefan@zero-downtime.net
-kubeVersion: ">= 1.30.0-0"
+kubeVersion: ">= 1.30.0"

charts/kubezero-logging/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: fluentd
     version: 0.5.2

charts/kubezero-metrics/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
 # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: kube-prometheus-stack
     version: 69.2.3

charts/kubezero-mq/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: nats
     version: 1.2.2

charts/kubezero-network/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: cilium
     version: 1.16.6

charts/kubezero-operators/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: opensearch-operator
     version: 2.7.0

charts/kubezero-operators/templates/cloudnative-pg/ClusterImageCatalog-bookworm.yaml

@@ -1,4 +1,3 @@
-{{- if index .Values "cloudnative-pg" "enabled" }}
 apiVersion: postgresql.cnpg.io/v1
 kind: ClusterImageCatalog
 metadata:
@@ -15,4 +14,3 @@ spec:
       image: ghcr.io/cloudnative-pg/postgresql:16.6-33-bookworm@sha256:7dfda49485274b61ada9bb347caffac01dee442ffd119eb19317a2692347657b
     - major: 17
       image: ghcr.io/cloudnative-pg/postgresql:17.2-33-bookworm@sha256:52b78e8e4a297e268be168c7e107a2117072dc38f4a11d9d056ff0cc13d4007f
-{{- end }}

charts/kubezero-sql/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: mariadb-galera
     version: 14.0.10

charts/kubezero-storage/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: lvm-localpv
     version: 1.6.2

charts/kubezero-telemetry/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: opentelemetry-collector
     version: 0.108.0

charts/kubezero/Chart.yaml

@@ -13,6 +13,6 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.2.1"
     repository: https://cdn.zero-downtime.net/charts
 kubeVersion: ">= 1.31.0-0"

charts/kubezero/docs/app.yaml

@@ -0,0 +1,30 @@
+# Skeleton template to put into each cluster git folder
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubezero
+  namespace: argocd
+spec:
+  project: kubezero
+  source:
+    repoURL: https://cdn.zero-downtime.net/charts
+    chart: kubezero
+    targetRevision: {{ .Values.kubezero.version }}
+
+    helm:
+      parameters:
+      # We use this to detect if we are called from ArgoCD
+      - name: argocdAppName
+        value: $ARGOCD_APP_NAME
+      # This breaks the recursion, otherwise we install another kubezero project and app
+      - name: installKubeZero
+        value: "false"
+      values: |
+        {{- toYaml .Values | nindent 8 }}
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true

charts/kubezero/templates/_app.tpl

@@ -33,14 +33,14 @@ spec:
     server: {{ .Values.kubezero.server }}
     namespace: {{ default "kube-system" ( index .Values $name "namespace" ) }}
 
-  revisionHistoryLimit: 2
   syncPolicy:
-    automated:
-      prune: true
     syncOptions:
       - ServerSideApply=true
       - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
+    {{- with .Values.kubezero.syncPolicy }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
 {{- include (print $name "-argo") $ }}
 {{- end }}
 

charts/kubezero/templates/argo.yaml

@@ -61,8 +61,7 @@ argocd-apps:
         namespace: argocd
 
       syncPolicy:
-        automated:
-          prune: true
+        {{- toYaml (default dict .Values.kubezero.syncPolicy) | nindent 8 }}
 
 argocd-image-updater:
   enabled: {{ default "false" (index .Values "argo" "argocd-image-updater" "enabled") }}

charts/kubezero/templates/cert-manager.yaml

@@ -49,7 +49,7 @@ cert-manager:
   {{- if eq .Values.global.platform "gke" }}
   serviceAccount:
     annotations:
-      iam.gke.io/gcp-service-account: "dns01-solver-cert-manager@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
+      iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
   {{- end }}
 
   prometheus:

charts/kubezero/templates/istio.yaml

@@ -28,8 +28,8 @@ kiali-server:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 
-{{- with index .Values "istio" "envoy-ratelimit" }}
-envoy-ratelimit:
+{{- with .Values.istio.rateLimiting }}
+rateLimiting:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}

charts/kubezero/values.yaml

@@ -64,13 +64,13 @@ storage:
 istio:
   enabled: false
   namespace: istio-system
-  targetRevision: 0.24.3
+  targetRevision: 0.24.2
 
 istio-ingress:
   enabled: false
   chart: kubezero-istio-gateway
   namespace: istio-ingress
-  targetRevision: 0.24.3
+  targetRevision: 0.24.2
   gateway:
     service: {}
 
@@ -78,7 +78,7 @@ istio-private-ingress:
   enabled: false
   chart: kubezero-istio-gateway
   namespace: istio-ingress
-  targetRevision: 0.24.3
+  targetRevision: 0.24.2
   gateway:
     service: {}
 

charts/manticore/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.4"
     repository: https://cdn.zero-downtime.net/charts
   - name: manticoresearch
     version: "5.0.25"

charts/uptime-kuma/Chart.yaml

@@ -14,6 +14,6 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.5"
     repository: https://cdn.zero-downtime.net/charts/
 kubeVersion: ">= 1.20.0"