chore(deps): update helm release gateway to v1.25.0

admin/dev_apply.sh

@@ -4,10 +4,10 @@
 set -x
 
 ARTIFACTS=($(echo $1 | tr "," "\n"))
-ACTION="${2:-apply}"
-ARGOCD="${3:-False}"
+ACTION=$2
 
 LOCAL_DEV=1
+ARGOCD="False"
 
 #VERSION="latest"
 KUBE_VERSION="$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
@@ -85,7 +85,7 @@ helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $
 
 # Root KubeZero apply directly and exit
 if [ ${ARTIFACTS[0]} == "kubezero" ]; then
-  kubectl replace -f $WORKDIR/kubezero/templates $(field_manager $ARGOCD)
+  kubectl replace -f $WORKDIR/kubezero/templates
   exit $?
 
 # "catch all" apply all enabled modules
@@ -100,12 +100,12 @@ if [ "$ACTION" == "delete" ]; then
     _helm delete ${ARTIFACTS[idx]} || true
   done
 else
-  if [ "$ACTION" == "apply" -o "$ACTION" == "crds" ]; then
+  if [ "$ACTION" == "" -o "$ACTION" == "crds" ]; then
     for t in ${ARTIFACTS[@]}; do
       _helm crds $t || true
     done
   fi
   for t in ${ARTIFACTS[@]}; do
-    _helm $ACTION $t || true
+    _helm apply $t || true
   done
 fi

admin/kubezero.sh

@@ -104,9 +104,9 @@ pre_kubeadm() {
 
 # Shared steps after calling kubeadm
 post_kubeadm() {
-  # KubeZero resources - will never be applied by ArgoCD
+  # KubeZero resources
   for f in ${WORKDIR}/kubeadm/templates/resources/*.yaml; do
-    kubectl apply -f $f --server-side --force-conflicts $LOG
+    kubectl apply -f $f $LOG
   done
 }
 
@@ -115,13 +115,9 @@ post_kubeadm() {
 control_plane_upgrade() {
   CMD=$1
 
-  ARGOCD=$(argo_used)
-
   render_kubeadm upgrade
 
   if [[ "$CMD" =~ ^(cluster)$ ]]; then
-    pre_control_plane_upgrade_cluster
-
     # get current values, argo app over cm
     get_kubezero_values $ARGOCD
 
@@ -137,7 +133,7 @@ control_plane_upgrade() {
       kubectl get application kubezero -n argocd -o yaml | \
         yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
         > $WORKDIR/new-argocd-app.yaml
-        kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
+      kubectl replace -f $WORKDIR/new-argocd-app.yaml
     fi
 
     pre_kubeadm
@@ -151,19 +147,13 @@ control_plane_upgrade() {
     # install re-certed kubectl config for root
     cp ${HOSTFS}/etc/kubernetes/super-admin.conf ${HOSTFS}/root/.kube/config
 
-    post_control_plane_upgrade_cluster
-
     echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm."
 
   elif [[ "$CMD" =~ ^(final)$ ]]; then
-    pre_cluster_upgrade_final
-
     # Finally upgrade addons last, with 1.32 we can ONLY call addon phase
     #_kubeadm upgrade apply phase addon all $KUBE_VERSION
     _kubeadm upgrade apply $KUBE_VERSION
 
-    post_cluster_upgrade_final
-
     echo "Upgraded kubeadm addons."
   fi
 
@@ -328,10 +318,7 @@ apply_module() {
   done
 
   for t in $MODULES; do
-    #_helm apply $t
-
-    # During 1.31 we change the ArgoCD tracking so replace
-    _helm replace $t
+    _helm apply $t
   done
 
   echo "Applied KubeZero modules: $MODULES"
@@ -407,10 +394,17 @@ for t in $@; do
     join) control_plane_node join;;
     restore) control_plane_node restore;;
     kubeadm_upgrade)
+      ARGOCD=$(argo_used)
+      # call hooks
+      pre_control_plane_upgrade_cluster
       control_plane_upgrade cluster
+      post_control_plane_upgrade_cluster
       ;;
     finalize_cluster_upgrade)
+      ARGOCD=$(argo_used)
+      pre_cluster_upgrade_final
       control_plane_upgrade final
+      post_cluster_upgrade_final
       ;;
     apply_*)
       ARGOCD=$(argo_used)

admin/libhelm.sh

@@ -2,10 +2,11 @@
 
 # Simulate well-known CRDs being available
 API_VERSIONS="-a monitoring.coreos.com/v1 -a snapshot.storage.k8s.io/v1 -a policy/v1/PodDisruptionBudget -a apiregistration.k8s.io/v1"
-LOCAL_DEV=${LOCAL_DEV:-""}
 
 export HELM_SECRETS_BACKEND="vals"
 
+LOCAL_DEV=${LOCAL_DEV:-""}
+
 # Waits for max 300s and retries
 function wait_for() {
   local TRIES=0
@@ -33,32 +34,6 @@ function argo_used() {
 }
 
 
-function field_manager() {
-  local argo=${1:-"False"}
-
-  if [ "$argo" == "True" ]; then
-    echo "--field-manager argo-controller"
-  else
-    echo ""
-  fi
-}
-
-
-function get_kubezero_secret() {
-  export _key="$1"
-
-  kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
-}
-
-
-function set_kubezero_secret() {
-  local key="$1"
-  local val="$2"
-
-  kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
-}
-
-
 # get kubezero-values from ArgoCD if available or use in-cluster CM
 function get_kubezero_values() {
   local argo=${1:-"False"}
@@ -121,12 +96,25 @@ function waitSystemPodsRunning() {
   done
 }
 
+function argo_app_synced() {
+  APP=$1
+
+  # Ensure we are synced otherwise bail out
+  status=$(kubectl get application $APP -n argocd -o yaml | yq .status.sync.status)
+  if [ "$status" != "Synced" ]; then
+    echo "ArgoCD Application $APP not 'Synced'!"
+    return 1
+  fi
+
+  return 0
+}
+
 
 # make sure namespace exists prior to calling helm as the create-namespace options doesn't work
 function create_ns() {
   local namespace=$1
   if [ "$namespace" != "kube-system" ]; then
-    kubectl get ns $namespace > /dev/null || kubectl create ns $namespace $(field_manager $ARGOCD)
+    kubectl get ns $namespace > /dev/null || kubectl create ns $namespace
   fi
 }
 
@@ -156,7 +144,7 @@ for manifest in yaml.safe_load_all(sys.stdin):
   # Only apply if there are actually any crds
   if [ -s $WORKDIR/crds.yaml ]; then
     [ -n "$DEBUG" ] && cat $WORKDIR/crds.yaml
-    kubectl apply -f $WORKDIR/crds.yaml --server-side --force-conflicts $(field_manager $ARGOCD)
+    kubectl apply -f $WORKDIR/crds.yaml --server-side --force-conflicts
   fi
 }
 
@@ -205,7 +193,7 @@ function _helm() {
     # Allow custom CRD handling
     declare -F ${module}-crds && ${module}-crds || _crds
 
-  elif [ $action == "apply" -o $action == "replace" ]; then
+  elif [ $action == "apply" ]; then
     echo "using values to $action of module $module: "
     cat $WORKDIR/values.yaml
 
@@ -216,8 +204,7 @@ function _helm() {
     declare -F ${module}-pre && ${module}-pre
 
     render
-    [ $action == "apply" ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
-    [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
+    kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts && rc=$? || rc=$?
 
     # Optional post hook
     declare -F ${module}-post && ${module}-post

charts/kubeadm/TODO

@@ -1,6 +0,0 @@
-"Use of insecure cipher detected.","v":0,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384"}
-"Use of insecure cipher detected.","v":0,"cipher":"TLS_RSA_WITH_AES_128_GCM_SHA256"}
-
-
-"RuntimeConfig from runtime service failed","err":"rpc error: code = Unimplemented desc = unknown method RuntimeConfig for service runtime.v1.RuntimeService"}
-"CRI implementation should be updated to support RuntimeConfig when KubeletCgroupDriverFromCRI feature gate has been enabled. Falling back to using cgroupDriver from kubelet config."

charts/kubeadm/templates/ClusterConfiguration.yaml

@@ -2,8 +2,8 @@ apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 kubernetesVersion: {{ .Chart.Version }}
 clusterName: {{ .Values.global.clusterName }}
-featureGates:
-  ControlPlaneKubeletLocalMode: true
+#featureGates:
+#  NonGracefulFailover: true
 controlPlaneEndpoint: {{ .Values.api.endpoint }}
 networking:
   podSubnet: 10.244.0.0/16

charts/kubeadm/templates/_helpers.tpl

@@ -3,7 +3,7 @@
 {{- /* v1.28: PodAndContainerStatsFromCRI still not working */ -}}
 {{- /* v1.28: UnknownVersionInteroperabilityProxy requires StorageVersionAPI which is still alpha in 1.30 */ -}}
 {{- define "kubeadm.featuregates" }}
-{{- $gates := list "CustomCPUCFSQuotaPeriod" "AuthorizeWithSelectors" "AuthorizeNodeWithSelectors" "ConsistentListFromCache" "VolumeAttributesClass" "WatchList" }}
+{{- $gates := list "CustomCPUCFSQuotaPeriod" "AuthorizeWithSelectors" "AuthorizeNodeWithSelectors" "ConsistentListFromCache" "VolumeAttributesClass" "WatchList"}}
 {{- if eq .return "csv" }}
 {{- range $key := $gates }}
 {{- $key }}=true,

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.2.9
+version: 0.2.8
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -22,7 +22,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.9
+    version: 7.8.2
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-apps

charts/kubezero-argo/values.yaml

@@ -106,6 +106,9 @@ argo-cd:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
 
     params:
+      controller.status.processors: 8
+      controller.operation.processors: 4
+      controller.kubectl.parallelism.limit: 8
       controller.resource.health.persist: "false"
       controller.diff.server.side: "true"
       controller.sync.timeout.seconds: 1800

charts/kubezero-ci/templates/gitea/istio-service.yaml

@@ -12,12 +12,14 @@ spec:
   hosts:
   - {{ .Values.gitea.istio.url }}
   http:
-  {{- if .Values.gitea.istio.blockApi }}
+  {{- if .Values.gitea.istio.authProvider }}
+  # https://github.com/go-gitea/gitea/issues/13606
   - match:
     - uri:
-        prefix: /api
-    directResponse:
-      status: 401
+        regex: ^/user/login.*
+    redirect:
+      uri: /user/oauth2/{{ .Values.gitea.istio.authProvider }}
+      redirectCode: 302
   {{- end }}
   - route:
     - destination:

charts/kubezero-ci/values.yaml

@@ -87,7 +87,6 @@ gitea:
     enabled: false
     gateway: istio-ingress/private-ingressgateway
     url: git.example.com
-    blockApi: false
 
 
 jenkins:

charts/kubezero-istio-gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio-gateway
 description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.24.3
+version: 0.24.4
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,6 +17,6 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: gateway
-    version: 1.24.3
+    version: 1.25.0
     repository: https://istio-release.storage.googleapis.com/charts
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml

@@ -32,7 +32,6 @@ spec:
           use_remote_address: true
           normalize_path: true
           merge_slashes: true
-          preserve_external_request_id: {{ .Values.hardening.preserveExternalRequestId }}
           {{- if .Values.hardening.unescapeSlashes }}
           path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
           {{- end }}

charts/kubezero-istio-gateway/values.yaml

@@ -43,4 +43,3 @@ proxyProtocol: true
 hardening:
   rejectUnderscoresHeaders: true
   unescapeSlashes: true
-  preserveExternalRequestId: false

charts/kubezero-logging/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-logging
 description: KubeZero Umbrella Chart for complete EFK stack
 type: application
-version: 0.8.14
+version: 0.8.13
 appVersion: 1.6.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png

charts/kubezero-logging/README.md

@@ -1,6 +1,6 @@
 # kubezero-logging
 
-![Version: 0.8.14](https://img.shields.io/badge/Version-0.8.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square)
+![Version: 0.8.13](https://img.shields.io/badge/Version-0.8.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square)
 
 KubeZero Umbrella Chart for complete EFK stack
 
@@ -18,7 +18,7 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 | https://fluent.github.io/helm-charts | fluent-bit | 0.47.10 |
 | https://fluent.github.io/helm-charts | fluentd | 0.5.2 |
 
@@ -135,7 +135,7 @@ Kubernetes: `>= 1.26.0`
 | kibana.istio.enabled | bool | `false` |  |
 | kibana.istio.gateway | string | `"istio-system/ingressgateway"` |  |
 | kibana.istio.url | string | `""` |  |
-| version | string | `"7.17.7"` |  |
+| version | string | `"7.17.3"` |  |
 
 ## Resources:
 

charts/kubezero-logging/values.yaml

@@ -2,7 +2,7 @@
 # fullnameOverride: ""
 
 # Version for ElasticSearch and Kibana have to match so we define it at top-level
-version: 7.17.7
+version: 7.17.3
 
 elastic_password: "" # super_secret_elastic_password
 

charts/kubezero-metrics/values.yaml

@@ -62,8 +62,12 @@ kube-prometheus-stack:
         memory: 128Mi
 
     admissionWebhooks:
-      certManager:
-        enabled: true
+      patch:
+        tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+        nodeSelector:
+          node-role.kubernetes.io/control-plane: ""
 
   nodeExporter:
     enabled: true

charts/kubezero/templates/_app.tpl

@@ -9,10 +9,6 @@ metadata:
   namespace: argocd
   labels:
     {{- include "kubezero-lib.labels" . | nindent 4 }}
-  {{- with ( index .Values $name "annotations" ) }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
   {{- if not ( index .Values $name "retain" ) }}
   finalizers:
     - resources-finalizer.argocd.argoproj.io

charts/kubezero/templates/addons.yaml

@@ -42,8 +42,6 @@ external-dns:
     - "--aws-zone-type=public"
     - "--aws-zones-cache-duration=1h"
   env:
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
     - name: AWS_ROLE_ARN
       value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
     - name: AWS_WEB_IDENTITY_TOKEN_FILE

charts/kubezero/templates/argo.yaml

@@ -2,22 +2,10 @@
 
 argo-cd:
   enabled: {{ default "false" (index .Values "argo" "argo-cd" "enabled") }}
-
+  {{- with index .Values "argo" "argo-cd" "configs" }}
   configs:
-    {{- with index .Values "argo" "argo-cd" "configs" }}
     {{- toYaml . | nindent 4 }}
-    {{- end }}
-    params:
-    {{- if not $.Values.global.highAvailable }}
-      # Reduce load on API server on single node control plane
-      controller.status.processors: 2
-      controller.operation.processors: 1
-      controller.kubectl.parallelism.limit: 1
-    {{- else }}
-      controller.status.processors: 8
-      controller.operation.processors: 4
-      controller.kubectl.parallelism.limit: 4
-    {{- end }}
+  {{- end }}
 
   controller:
     metrics:

charts/kubezero/values.yaml

@@ -114,9 +114,7 @@ metrics:
 logging:
   enabled: false
   namespace: logging
-  targetRevision: 0.8.14
-  annotations:
-    argocd.argoproj.io/compare-options: ServerSideDiff=false
+  targetRevision: 0.8.13
 
 argo:
   enabled: false