ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

Compare commits

base: ZeroDownTime:main
Branches Tags
ZeroDownTime:main
ZeroDownTime:renovate/kubezero-telemetry-kubezero-telemetry-dependencies
ZeroDownTime:renovate/kubezero-ci-kubezero-ci-dependencies
ZeroDownTime:renovate/kubezero-metrics-major-kubezero-metrics-dependencies
ZeroDownTime:renovate/kubezero-storage-kubezero-storage-dependencies
ZeroDownTime:renovate/kubezero-addons-kubezero-addons-dependencies
ZeroDownTime:renovate/kubezero-cache-kubezero-cache-dependencies
ZeroDownTime:renovate/kubezero-operators-major-kubezero-operators-dependencies
ZeroDownTime:renovate/kubezero-logging-kubezero-logging-dependencies
ZeroDownTime:renovate/kubezero-argo-kubezero-argo-dependencies
ZeroDownTime:renovate/kubezero-mq-major-kubezero-mq-dependencies
ZeroDownTime:renovate/natsio-prometheus-nats-exporter-0.x
ZeroDownTime:renovate/kubezero-network-kubezero-network-dependencies
ZeroDownTime:renovate/kubezero-istio-kubezero-istio-dependencies
ZeroDownTime:renovate/kubezero-istio-gateway-kubezero-istio-gateway-dependencies
ZeroDownTime:renovate/kubezero-auth-kubezero-auth-dependencies
ZeroDownTime:release/v1.31
ZeroDownTime:renovate/kubezero-metrics-kubezero-metrics-dependencies
ZeroDownTime:renovate/manticore-major-manticore-dependencies
ZeroDownTime:renovate/kubezero-operators-kubezero-operators-dependencies
ZeroDownTime:renovate/kubezero-sql-kubezero-sql-dependencies
ZeroDownTime:renovate/ghcr.io-k8snetworkplumbingwg-multus-cni-4.x
ZeroDownTime:renovate/kubezero-falco-kubezero-falco-dependencies
ZeroDownTime:renovate/registry.k8s.io-autoscaling-cluster-autoscaler-1.x
ZeroDownTime:renovate/natsio-nats-server-config-reloader-0.x
ZeroDownTime:release/v1.30
ZeroDownTime:renovate/public.ecr.aws-zero-downtime-fluentd-concenter-1.x
ZeroDownTime:renovate/manticore-manticore-dependencies
ZeroDownTime:v1.31.6
..
compare: ZeroDownTime:renovate/kubezero-metrics-kubezero-metrics-dependencies
Branches Tags
ZeroDownTime:renovate/kubezero-telemetry-kubezero-telemetry-dependencies
ZeroDownTime:renovate/kubezero-ci-kubezero-ci-dependencies
ZeroDownTime:renovate/kubezero-metrics-major-kubezero-metrics-dependencies
ZeroDownTime:renovate/kubezero-storage-kubezero-storage-dependencies
ZeroDownTime:renovate/kubezero-addons-kubezero-addons-dependencies
ZeroDownTime:main
ZeroDownTime:renovate/kubezero-cache-kubezero-cache-dependencies
ZeroDownTime:renovate/kubezero-operators-major-kubezero-operators-dependencies
ZeroDownTime:renovate/kubezero-logging-kubezero-logging-dependencies
ZeroDownTime:renovate/kubezero-argo-kubezero-argo-dependencies
ZeroDownTime:renovate/kubezero-mq-major-kubezero-mq-dependencies
ZeroDownTime:renovate/natsio-prometheus-nats-exporter-0.x
ZeroDownTime:renovate/kubezero-network-kubezero-network-dependencies
ZeroDownTime:renovate/kubezero-istio-kubezero-istio-dependencies
ZeroDownTime:renovate/kubezero-istio-gateway-kubezero-istio-gateway-dependencies
ZeroDownTime:renovate/kubezero-auth-kubezero-auth-dependencies
ZeroDownTime:release/v1.31
ZeroDownTime:renovate/kubezero-metrics-kubezero-metrics-dependencies
ZeroDownTime:renovate/manticore-major-manticore-dependencies
ZeroDownTime:renovate/kubezero-operators-kubezero-operators-dependencies
ZeroDownTime:renovate/kubezero-sql-kubezero-sql-dependencies
ZeroDownTime:renovate/ghcr.io-k8snetworkplumbingwg-multus-cni-4.x
ZeroDownTime:renovate/kubezero-falco-kubezero-falco-dependencies
ZeroDownTime:renovate/registry.k8s.io-autoscaling-cluster-autoscaler-1.x
ZeroDownTime:renovate/natsio-nats-server-config-reloader-0.x
ZeroDownTime:release/v1.30
ZeroDownTime:renovate/public.ecr.aws-zero-downtime-fluentd-concenter-1.x
ZeroDownTime:renovate/manticore-manticore-dependencies
ZeroDownTime:v1.31.6

1 Commits
main ... renovate/k

Author SHA1 Message Date
Renovate Bot
5189a0ade1 chore(deps): update kubezero-metrics-dependencies 2025-04-10 03:03:32 +00:00
30 changed files with 204 additions and 251 deletions
Show Stats Expand all files Collapse all files

2
.ci/README.md
View File

@ -14,7 +14,7 @@ include .ci/podman.mk
Add subtree to your project: Add subtree to your project:
``` ```
git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
``` ```

3
.ci/ecr_public_lifecycle.py
View File

@ -41,8 +41,7 @@ for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
_delete = True _delete = True
for tag in image["imageTags"]: for tag in image["imageTags"]:
# Look for at least one tag NOT beign a SemVer dev tag # Look for at least one tag NOT beign a SemVer dev tag
# untagged dev builds get tagged as <tag>-g<commit> if "-" not in tag:
if "-g" not in tag and "dirty" not in tag:
_delete = False _delete = False
if _delete: if _delete:
print("Deleting development image {}".format(image["imageTags"])) print("Deleting development image {}".format(image["imageTags"]))

6
.ci/podman.mk
View File

@ -8,8 +8,8 @@ SHELL := bash
.PHONY: all # All targets are accessible for user .PHONY: all # All targets are accessible for user
.DEFAULT: help # Running Make will run the help target .DEFAULT: help # Running Make will run the help target
# Parse version from latest git semver tag, use short commit otherwise # Parse version from latest git semver tag
GIT_TAG ?= $(shell git describe --tags --match v*.*.* --dirty 2>/dev/null || git describe --match="" --always --dirty 2>/dev/null) GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null) GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
TAG ::= $(GIT_TAG) TAG ::= $(GIT_TAG)
@ -85,7 +85,7 @@ rm-image:
## some useful tasks during development ## some useful tasks during development
ci-pull-upstream: ## pull latest shared .ci subtree ci-pull-upstream: ## pull latest shared .ci subtree
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash -m "Merge latest ci-tools-lib" git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
create-repo: ## create new AWS ECR public repository create-repo: ## create new AWS ECR public repository
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION) aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

4
Dockerfile
View File

@ -5,8 +5,8 @@ FROM docker.io/alpine:${ALPINE_VERSION}
ARG ALPINE_VERSION ARG ALPINE_VERSION
ARG KUBE_VERSION=1.31 ARG KUBE_VERSION=1.31
ARG SOPS_VERSION="3.10.1" ARG SOPS_VERSION="3.9.4"
ARG VALS_VERSION="0.40.1" ARG VALS_VERSION="0.39.4"
ARG HELM_SECRETS_VERSION="4.6.3" ARG HELM_SECRETS_VERSION="4.6.3"
RUN cd /etc/apk/keys && \ RUN cd /etc/apk/keys && \

16
README.md
View File

@ -19,7 +19,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform
# Version / Support Matrix # Version / Support Matrix
KubeZero releases track the same *minor* version of Kubernetes. KubeZero releases track the same *minor* version of Kubernetes.
Any 1.31.X-Y release of Kubezero supports any Kubernetes cluster 1.31.X. Any 1.30.X-Y release of Kubezero supports any Kubernetes cluster 1.30.X.
KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed. KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed.
@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo
gantt gantt
title KubeZero Support Timeline title KubeZero Support Timeline
dateFormat YYYY-MM-DD dateFormat YYYY-MM-DD
section 1.29
beta :129b, 2024-07-01, 2024-07-31
release :after 129b, 2024-11-30
section 1.30 section 1.30
beta :130b, 2024-09-01, 2024-10-31 beta :130b, 2024-09-01, 2024-10-31
release :after 130b, 2025-04-30 release :after 130b, 2025-02-28
section 1.31 section 1.31
beta :131b, 2024-12-01, 2025-02-28 beta :131b, 2024-12-01, 2025-01-30
release :after 131b, 2025-06-30 release :after 131b, 2025-04-30
section 1.32
beta :132b, 2025-04-01, 2025-05-19
release :after 132b, 2025-09-30
``` ```
[Upstream release policy](https://kubernetes.io/releases/) [Upstream release policy](https://kubernetes.io/releases/)
@ -44,7 +44,7 @@ gantt
# Components # Components
## OS ## OS
- all compute nodes are running on Alpine V3.21 - all compute nodes are running on Alpine V3.20
- 1 or 2 GB encrypted root file system - 1 or 2 GB encrypted root file system
- no external dependencies at boot time, apart from container registries - no external dependencies at boot time, apart from container registries
- focused on security and minimal footprint - focused on security and minimal footprint

2
admin/hooks-1.31.sh
View File

@ -17,7 +17,7 @@ post_control_plane_upgrade_cluster() {
# delete previous root app controlled by kubezero module # delete previous root app controlled by kubezero module
kubectl delete application kubezero-git-sync -n argocd || true kubectl delete application kubezero-git-sync -n argocd || true
# only patch appproject to keep SyncWindow in place # Patch appproject to keep SyncWindow in place
kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true
kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
} }

40
admin/kubezero.sh
View File

@ -111,8 +111,17 @@ post_kubeadm() {
} }
# Migrate KubeZero Config to current version # Control plane upgrade
upgrade_kubezero_config() { control_plane_upgrade() {
CMD=$1
ARGOCD=$(argo_used)
render_kubeadm upgrade
if [[ "$CMD" =~ ^(cluster)$ ]]; then
pre_control_plane_upgrade_cluster
# get current values, argo app over cm # get current values, argo app over cm
get_kubezero_values $ARGOCD get_kubezero_values $ARGOCD
@ -130,22 +139,6 @@ upgrade_kubezero_config() {
> $WORKDIR/new-argocd-app.yaml > $WORKDIR/new-argocd-app.yaml
kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD) kubectl replace -f $WORKDIR/new-argocd-app.yaml $(field_manager $ARGOCD)
fi fi
}
# Control plane upgrade
kubeadm_upgrade() {
ARGOCD=$(argo_used)
render_kubeadm upgrade
# Check if we already have all controllers on the current version
OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
# run control plane upgrade
if [ "$OLD_CONTROLLERS" != "0" ]; then
pre_control_plane_upgrade_cluster
pre_kubeadm pre_kubeadm
@ -162,8 +155,7 @@ kubeadm_upgrade() {
echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm." echo "Successfully upgraded KubeZero control plane to $KUBE_VERSION using kubeadm."
# All controllers already on current version elif [[ "$CMD" =~ ^(final)$ ]]; then
else
pre_cluster_upgrade_final pre_cluster_upgrade_final
# Finally upgrade addons last, with 1.32 we can ONLY call addon phase # Finally upgrade addons last, with 1.32 we can ONLY call addon phase
@ -419,8 +411,12 @@ for t in $@; do
bootstrap) control_plane_node bootstrap;; bootstrap) control_plane_node bootstrap;;
join) control_plane_node join;; join) control_plane_node join;;
restore) control_plane_node restore;; restore) control_plane_node restore;;
upgrade_control_plane) kubeadm_upgrade;; kubeadm_upgrade)
upgrade_kubezero) upgrade_kubezero_config;; control_plane_upgrade cluster
;;
finalize_cluster_upgrade)
control_plane_upgrade final
;;
apply_*) apply_*)
ARGOCD=$(argo_used) ARGOCD=$(argo_used)
apply_module "${t##apply_}";; apply_module "${t##apply_}";;

23
admin/libhelm.sh
View File

@ -80,19 +80,6 @@ function get_kubezero_secret() {
get_secret_val kubezero kubezero-secrets "$1" get_secret_val kubezero kubezero-secrets "$1"
} }
function ensure_kubezero_secret_key() {
local secret="$(kubectl get secret -n kubezero kubezero-secrets -o yaml)"
local key=""
local val=""
for key in $@; do
val=$(echo "$secret" | yq ".data.\"$key\"")
if [ "$val" == "null" ]; then
kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"\" }}"
fi
done
}
function set_kubezero_secret() { function set_kubezero_secret() {
local key="$1" local key="$1"
@ -353,7 +340,7 @@ EOF
} }
function admin_job() { function control_plane_upgrade() {
TASKS="$1" TASKS="$1"
[ -z "$KUBE_VERSION" ] && KUBE_VERSION="latest" [ -z "$KUBE_VERSION" ] && KUBE_VERSION="latest"
@ -363,7 +350,7 @@ function admin_job() {
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: kubezero-admin-job name: kubezero-upgrade
namespace: kube-system namespace: kube-system
labels: labels:
app: kubezero-upgrade app: kubezero-upgrade
@ -408,10 +395,10 @@ spec:
restartPolicy: Never restartPolicy: Never
EOF EOF
kubectl wait pod kubezero-admin-job -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null kubectl wait pod kubezero-upgrade -n kube-system --timeout 120s --for=condition=initialized 2>/dev/null
while true; do while true; do
kubectl logs kubezero-admin-job -n kube-system -f 2>/dev/null && break kubectl logs kubezero-upgrade -n kube-system -f 2>/dev/null && break
sleep 3 sleep 3
done done
kubectl delete pod kubezero-admin-job -n kube-system kubectl delete pod kubezero-upgrade -n kube-system
} }

29
admin/upgrade_cluster.sh
View File

@ -15,28 +15,37 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
ARGOCD=$(argo_used) ARGOCD=$(argo_used)
echo "Checking that all pods in kube-system are running ..." echo "Checking that all pods in kube-system are running ..."
waitSystemPodsRunning #waitSystemPodsRunning
[ "$ARGOCD" == "true" ] && disable_argo [ "$ARGOCD" == "true" ] && disable_argo
admin_job "upgrade_control_plane, upgrade_kubezero" # Check if we already have all controllers on the current version
#OLD_CONTROLLERS=$(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" --no-headers=true | grep -cv $KUBE_VERSION || true)
if [ "$OLD_CONTROLLERS" == "0" ]; then
# All controllers already on current version
control_plane_upgrade finalize_cluster_upgrade
else
# Otherwise run control plane upgrade
control_plane_upgrade kubeadm_upgrade
fi
echo "<Return> to continue"
read -r
#echo "Adjust kubezero values as needed:" #echo "Adjust kubezero values as needed:"
# shellcheck disable=SC2015 # shellcheck disable=SC2015
#[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero #[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero
#echo "<Return> to continue"
#read -r
# upgrade modules # upgrade modules
admin_job "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators" control_plane_upgrade "apply_kubezero, apply_network, apply_addons, apply_storage, apply_operators"
echo "Checking that all pods in kube-system are running ..." echo "Checking that all pods in kube-system are running ..."
waitSystemPodsRunning waitSystemPodsRunning
echo "Applying remaining KubeZero modules..." echo "Applying remaining KubeZero modules..."
admin_job "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo" control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
# we replace the project during v1.31 so disable again # we replace the project during v1.31 so disable again
[ "$ARGOCD" == "true" ] && disable_argo [ "$ARGOCD" == "true" ] && disable_argo
@ -51,12 +60,6 @@ while true; do
sleep 1 sleep 1
done done
echo "Once all controller nodes are running on $KUBE_VERSION, <return> to continue"
read -r
# Final control plane upgrades
admin_job "upgrade_control_plane"
echo "Please commit $ARGO_APP as the updated kubezero/application.yaml for your cluster." echo "Please commit $ARGO_APP as the updated kubezero/application.yaml for your cluster."
echo "Then head over to ArgoCD for this cluster and sync all KubeZero modules to apply remaining upgrades." echo "Then head over to ArgoCD for this cluster and sync all KubeZero modules to apply remaining upgrades."

2
charts/kubezero-addons/Chart.yaml
View File

@ -3,7 +3,7 @@ name: kubezero-addons
description: KubeZero umbrella chart for various optional cluster addons description: KubeZero umbrella chart for various optional cluster addons
type: application type: application
version: 0.8.13 version: 0.8.13
appVersion: v1.31 appVersion: v1.30
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

6
charts/kubezero-argo/README.md
View File

@ -54,25 +54,21 @@ Kubernetes: `>= 1.30.0-0`
| argo-cd.dex.enabled | bool | `false` | | | argo-cd.dex.enabled | bool | `false` | |
| argo-cd.enabled | bool | `false` | | | argo-cd.enabled | bool | `false` | |
| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | | | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | |
| argo-cd.global.image.tag | string | `"v2.14.9-1"` | | | argo-cd.global.image.tag | string | `"v2.14.9"` | |
| argo-cd.global.logging.format | string | `"json"` | | | argo-cd.global.logging.format | string | `"json"` | |
| argo-cd.global.networkPolicy.create | bool | `true` | | | argo-cd.global.networkPolicy.create | bool | `true` | |
| argo-cd.istio.enabled | bool | `false` | | | argo-cd.istio.enabled | bool | `false` | |
| argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` | | | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` | |
| argo-cd.istio.ipBlocks | list | `[]` | | | argo-cd.istio.ipBlocks | list | `[]` | |
| argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App | | argo-cd.kubezero.bootstrap | bool | `false` | deploy the KubeZero Project and GitSync Root App |
| argo-cd.kubezero.password | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password"` | |
| argo-cd.kubezero.path | string | `"/"` | | | argo-cd.kubezero.path | string | `"/"` | |
| argo-cd.kubezero.repoUrl | string | `""` | | | argo-cd.kubezero.repoUrl | string | `""` | |
| argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` | | | argo-cd.kubezero.sshPrivateKey | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey"` | |
| argo-cd.kubezero.targetRevision | string | `"HEAD"` | | | argo-cd.kubezero.targetRevision | string | `"HEAD"` | |
| argo-cd.kubezero.username | string | `"secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username"` | |
| argo-cd.notifications.enabled | bool | `false` | | | argo-cd.notifications.enabled | bool | `false` | |
| argo-cd.redisSecretInit.enabled | bool | `false` | | | argo-cd.redisSecretInit.enabled | bool | `false` | |
| argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | |
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` | |
| argo-cd.repoServer.volumes[0].name | string | `"cmp-tmp"` | |
| argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.enabled | bool | `false` | |
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |

9
charts/kubezero-argo/hooks.d/pre-install.sh
View File

@ -18,9 +18,12 @@ if [ -z "$PW" ]; then
set_kubezero_secret argo-cd.adminPassword "$NEW_PW" set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
fi fi
# GitSync privateKey
GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
if [ -z "$GITKEY" ]; then
set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
fi
# Redis secret # Redis secret
kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \ kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
--from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo) --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
# required keys in kubezero-secrets, as --ignore-missing-values in helm-secrets doesnt work with vals ;-(
ensure_kubezero_secret_key argo-cd.kubezero.username argo-cd.kubezero.password argo-cd.kubezero.sshPrivateKey

9
charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-app.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "kubezero" "bootstrap" }} {{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
@ -19,15 +19,12 @@ spec:
targetRevision: {{ .targetRevision }} targetRevision: {{ .targetRevision }}
path: {{ .path }} path: {{ .path }}
{{- end }} {{- end }}
plugin: directory:
name: kubezero-git-sync recurse: true
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
syncOptions: syncOptions:
- ServerSideApply=true - ServerSideApply=true
- ApplyOutOfSyncOnly=true - ApplyOutOfSyncOnly=true
info:
- name: "Source:"
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/"
{{- end }} {{- end }}

7
charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "kubezero" "repoUrl" }} {{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -12,10 +12,5 @@ stringData:
name: kubezero-git-sync name: kubezero-git-sync
type: git type: git
url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }} url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
{{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
username: {{ index .Values "argo-cd" "kubezero" "username" }}
password: {{ index .Values "argo-cd" "kubezero" "password" }}
{{- else }}
sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }} sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
{{- end }}
{{- end }} {{- end }}

2
charts/kubezero-argo/templates/argo-cd/kubezero-project.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "kubezero" "bootstrap" }} {{- if and (index .Values "argo-cd" "kubezero" "bootstrap") (index .Values "argo-cd" "kubezero" "repoUrl") }}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: AppProject kind: AppProject
metadata: metadata:

34
charts/kubezero-argo/values.yaml
View File

@ -25,7 +25,7 @@ argo-events:
# do NOT use -alpine tag as the entrypoint differs # do NOT use -alpine tag as the entrypoint differs
versions: versions:
- version: 2.10.11 - version: 2.10.11
natsImage: nats:2.11.1-scratch natsImage: nats:2.10.11-scratch
metricsExporterImage: natsio/prometheus-nats-exporter:0.16.0 metricsExporterImage: natsio/prometheus-nats-exporter:0.16.0
configReloaderImage: natsio/nats-server-config-reloader:0.14.1 configReloaderImage: natsio/nats-server-config-reloader:0.14.1
startCommand: /nats-server startCommand: /nats-server
@ -38,7 +38,7 @@ argo-cd:
format: json format: json
image: image:
repository: public.ecr.aws/zero-downtime/zdt-argocd repository: public.ecr.aws/zero-downtime/zdt-argocd
tag: v2.14.9-1 tag: v2.14.9
networkPolicy: networkPolicy:
create: true create: true
@ -125,34 +125,6 @@ argo-cd:
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "watch", "list"] verbs: ["get", "watch", "list"]
# cmp kubezero-git-sync plugin
# @ignored
extraContainers:
- name: cmp-kubezero-git-sync
image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
command: ["/var/run/argocd/argocd-cmp-server"]
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 999
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
volumes:
- name: cmp-tmp
emptyDir: {}
server: server:
# Rename former https port to grpc, works with istio + insecure # Rename former https port to grpc, works with istio + insecure
service: service:
@ -192,8 +164,6 @@ argo-cd:
path: "/" path: "/"
targetRevision: HEAD targetRevision: HEAD
sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password
argocd-image-updater: argocd-image-updater:
enabled: false enabled: false

6
charts/kubezero-cache/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-cache name: kubezero-cache
description: KubeZero Cache module description: KubeZero Cache module
type: application type: application
version: 0.1.1 version: 0.1.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -17,11 +17,11 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: redis - name: redis
version: 20.11.5 version: 20.0.3
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
condition: redis.enabled condition: redis.enabled
- name: redis-cluster - name: redis-cluster
version: 11.5.0 version: 11.0.2
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
condition: redis-cluster.enabled condition: redis-cluster.enabled

4
charts/kubezero-graph/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-graph name: kubezero-graph
description: KubeZero GraphQL and GraphDB description: KubeZero GraphQL and GraphDB
type: application type: application
version: 0.1.1 version: 0.1.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: neo4j - name: neo4j
version: 2025.3.0 version: 5.26.0
repository: https://helm.neo4j.com/neo4j repository: https://helm.neo4j.com/neo4j
condition: neo4j.enabled condition: neo4j.enabled

8
charts/kubezero-graph/README.md
View File

@ -1,6 +1,6 @@
# kubezero-graph # kubezero-graph
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero GraphQL and GraphDB KubeZero GraphQL and GraphDB
@ -18,8 +18,8 @@ Kubernetes: `>= 1.29.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.2.1 |
| https://helm.neo4j.com/neo4j | neo4j | 2025.3.0 | | https://helm.neo4j.com/neo4j | neo4j | 5.26.0 |
## Values ## Values
@ -28,8 +28,6 @@ Kubernetes: `>= 1.29.0-0`
| neo4j.disableLookups | bool | `true` | | | neo4j.disableLookups | bool | `true` | |
| neo4j.enabled | bool | `false` | | | neo4j.enabled | bool | `false` | |
| neo4j.neo4j.name | string | `"test-db"` | | | neo4j.neo4j.name | string | `"test-db"` | |
| neo4j.neo4j.password | string | `"secret"` | |
| neo4j.neo4j.passwordFromSecret | string | `"neo4j-admin"` | |
| neo4j.serviceMonitor.enabled | bool | `false` | | | neo4j.serviceMonitor.enabled | bool | `false` | |
| neo4j.services.neo4j.enabled | bool | `false` | | | neo4j.services.neo4j.enabled | bool | `false` | |
| neo4j.volumes.data.mode | string | `"defaultStorageClass"` | | | neo4j.volumes.data.mode | string | `"defaultStorageClass"` | |

8
charts/kubezero-metrics/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-metrics name: kubezero-metrics
description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
type: application type: application
version: 0.11.0 version: 0.11.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -19,14 +19,14 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: kube-prometheus-stack - name: kube-prometheus-stack
version: 69.2.3 version: 69.8.2
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
- name: prometheus-adapter - name: prometheus-adapter
version: 4.11.0 version: 4.14.1
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
condition: prometheus-adapter.enabled condition: prometheus-adapter.enabled
- name: prometheus-pushgateway - name: prometheus-pushgateway
version: 3.0.0 version: 3.1.0
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
condition: prometheus-pushgateway.enabled condition: prometheus-pushgateway.enabled
kubeVersion: ">= 1.30.0-0" kubeVersion: ">= 1.30.0-0"

6
charts/kubezero-mq/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-mq name: kubezero-mq
description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
type: application type: application
version: 0.3.11 version: 0.3.10
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -17,11 +17,11 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: nats - name: nats
version: 1.3.3 version: 1.2.2
repository: https://nats-io.github.io/k8s/helm/charts/ repository: https://nats-io.github.io/k8s/helm/charts/
condition: nats.enabled condition: nats.enabled
- name: rabbitmq - name: rabbitmq
version: 14.7.0 version: 14.6.6
repository: https://charts.bitnami.com/bitnami repository: https://charts.bitnami.com/bitnami
condition: rabbitmq.enabled condition: rabbitmq.enabled
kubeVersion: ">= 1.26.0" kubeVersion: ">= 1.26.0"

15
charts/kubezero-mq/README.md
View File

@ -1,6 +1,6 @@
# kubezero-mq # kubezero-mq
![Version: 0.3.11](https://img.shields.io/badge/Version-0.3.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.3.10](https://img.shields.io/badge/Version-0.3.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for MQ systems like NATS, RabbitMQ KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
@ -18,9 +18,9 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.bitnami.com/bitnami | rabbitmq | 14.7.0 | | https://charts.bitnami.com/bitnami | rabbitmq | 14.6.6 |
| https://nats-io.github.io/k8s/helm/charts/ | nats | 1.3.3 | | https://nats-io.github.io/k8s/helm/charts/ | nats | 1.2.2 |
## Values ## Values
@ -34,6 +34,13 @@ Kubernetes: `>= 1.26.0`
| nats.natsBox.enabled | bool | `false` | | | nats.natsBox.enabled | bool | `false` | |
| nats.promExporter.enabled | bool | `false` | | | nats.promExporter.enabled | bool | `false` | |
| nats.promExporter.podMonitor.enabled | bool | `false` | | | nats.promExporter.podMonitor.enabled | bool | `false` | |
| rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` | |
| rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` | |
| rabbitmq-cluster-operator.enabled | bool | `false` | |
| rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` | |
| rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` | |
| rabbitmq-cluster-operator.rabbitmqImage.tag | string | `"3.11.4-debian-11-r0"` | |
| rabbitmq-cluster-operator.useCertManager | bool | `true` | |
| rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` | | | rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` | |
| rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` | | | rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` | |
| rabbitmq.auth.tls.enabled | bool | `false` | | | rabbitmq.auth.tls.enabled | bool | `false` | |

2
charts/kubezero-mq/templates/nats/grafana-dashboards.yaml
View File

@ -1,4 +1,4 @@
{{- if .Values.nats.promExporter.podMonitor.enabled }} {{- if .Values.nats.exporter.serviceMonitor.enabled }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:

6
charts/kubezero-mq/values.yaml
View File

@ -6,12 +6,6 @@ nats:
jetstream: jetstream:
enabled: true enabled: true
podTemplate:
topologySpreadConstraints:
kubernetes.io/hostname:
maxSkew: 1
whenUnsatisfiable: DoNotSchedule
natsBox: natsBox:
enabled: false enabled: false

3
charts/kubezero/templates/_app.tpl
View File

@ -42,9 +42,6 @@ spec:
- ServerSideApply=true - ServerSideApply=true
- CreateNamespace=true - CreateNamespace=true
- ApplyOutOfSyncOnly=true - ApplyOutOfSyncOnly=true
info:
- name: "Source:"
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
{{- include (print $name "-argo") $ }} {{- include (print $name "-argo") $ }}
{{- end }} {{- end }}

30
charts/kubezero/templates/_aws.tpl
View File

@ -1,30 +0,0 @@
{{- define "aws-iam-env" -}}
- name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
- name: METADATA_TRIES
value: "0"
- name: AWS_REGION
value: {{ $.Values.global.aws.region }}
{{- end }}
{{- define "aws-iam-volumes" -}}
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
{{- end }}
{{- define "aws-iam-volumemounts" -}}
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }}

61
charts/kubezero/templates/addons.yaml
View File

@ -1,6 +1,6 @@
{{- define "addons-values" }} {{- define "addons-values" }}
clusterBackup: clusterBackup:
enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.clusterBackup.enabled) }} enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.clusterBackup.enabled) }}
{{- with omit .Values.addons.clusterBackup "enabled" }} {{- with omit .Values.addons.clusterBackup "enabled" }}
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
@ -14,7 +14,7 @@ clusterBackup:
{{- end }} {{- end }}
forseti: forseti:
enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") .Values.addons.forseti.enabled) }} enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") .Values.addons.forseti.enabled) }}
{{- with omit .Values.addons.forseti "enabled" }} {{- with omit .Values.addons.forseti "enabled" }}
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
@ -28,7 +28,7 @@ forseti:
{{- end }} {{- end }}
external-dns: external-dns:
enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "external-dns" "enabled")) }} enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "external-dns" "enabled")) }}
{{- with omit (index .Values "addons" "external-dns") "enabled" }} {{- with omit (index .Values "addons" "external-dns") "enabled" }}
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
@ -42,15 +42,32 @@ external-dns:
- "--aws-zone-type=public" - "--aws-zone-type=public"
- "--aws-zones-cache-duration=1h" - "--aws-zones-cache-duration=1h"
env: env:
{{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }} - name: AWS_REGION
value: {{ .Values.global.aws.region }}
- name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
- name: METADATA_TRIES
value: "0"
extraVolumes: extraVolumes:
{{- include "aws-iam-volumes" . | nindent 4 }} - name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
extraVolumeMounts: extraVolumeMounts:
{{- include "aws-iam-volumemounts" . | nindent 4 }} - name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }} {{- end }}
cluster-autoscaler: cluster-autoscaler:
enabled: {{ ternary "true" "false" (or (eq .Values.global.platform "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }} enabled: {{ ternary "true" "false" (or (hasKey .Values.global.aws "region") (index .Values "addons" "cluster-autoscaler" "enabled")) }}
autoDiscovery: autoDiscovery:
clusterName: {{ .Values.global.clusterName }} clusterName: {{ .Values.global.clusterName }}
@ -81,9 +98,17 @@ cluster-autoscaler:
AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
AWS_STS_REGIONAL_ENDPOINTS: "regional" AWS_STS_REGIONAL_ENDPOINTS: "regional"
extraVolumes: extraVolumes:
{{- include "aws-iam-volumes" . | nindent 4 }} - name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
extraVolumeMounts: extraVolumeMounts:
{{- include "aws-iam-volumemounts" . | nindent 4 }} - name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }} {{- end }}
{{- with .Values.addons.fuseDevicePlugin }} {{- with .Values.addons.fuseDevicePlugin }}
@ -130,7 +155,14 @@ aws-node-termination-handler:
queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth" queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}" managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
extraEnv: extraEnv:
{{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }} - name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
- name: METADATA_TRIES
value: "0"
aws-eks-asg-rolling-update-handler: aws-eks-asg-rolling-update-handler:
enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }} enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@ -140,9 +172,10 @@ aws-eks-asg-rolling-update-handler:
{{- end }} {{- end }}
environmentVars: environmentVars:
{{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
- name: CLUSTER_NAME - name: CLUSTER_NAME
value: {{ .Values.global.clusterName }} value: {{ .Values.global.clusterName }}
- name: AWS_REGION
value: {{ .Values.global.aws.region }}
- name: EXECUTION_INTERVAL - name: EXECUTION_INTERVAL
value: "60" value: "60"
- name: METRICS - name: METRICS
@ -151,6 +184,12 @@ aws-eks-asg-rolling-update-handler:
value: "true" value: "true"
- name: SLOW_MODE - name: SLOW_MODE
value: "true" value: "true"
- name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
{{- with (index .Values "addons" "neuron-helm-chart") }} {{- with (index .Values "addons" "neuron-helm-chart") }}
neuron-helm-chart: neuron-helm-chart:

84
charts/kubezero/templates/argo.yaml
View File

@ -23,51 +23,38 @@ argo-cd:
metrics: metrics:
enabled: {{ .Values.metrics.enabled }} enabled: {{ .Values.metrics.enabled }}
repoServer: repoServer:
{{- with index .Values "argo" "argo-cd" "repoServer" }}
{{- toYaml . | nindent 4 }}
{{- end }}
metrics: metrics:
enabled: {{ .Values.metrics.enabled }} enabled: {{ .Values.metrics.enabled }}
volumes:
- name: cmp-tmp
emptyDir: {}
{{- if eq .Values.global.platform "aws" }} {{- if eq .Values.global.platform "aws" }}
{{- include "aws-iam-volumes" . | nindent 6 }}
env: env:
{{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }} - name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
- name: METADATA_TRIES
value: "0"
- name: AWS_REGION
value: {{ .Values.global.aws.region }}
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
volumeMounts: volumeMounts:
{{- include "aws-iam-volumemounts" . | nindent 6 }} - name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
extraContainers: readOnly: true
- name: cmp-kubezero-git-sync
image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
command: ["/var/run/argocd/argocd-cmp-server"]
env:
{{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
{{- include "aws-iam-volumemounts" . | nindent 10 }}
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 999
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
{{- end }} {{- end }}
{{- with index .Values "argo" "argo-cd" "repoServer" }}
{{- toYaml . | nindent 4 }}
{{- end }}
server: server:
metrics: metrics:
enabled: {{ .Values.metrics.enabled }} enabled: {{ .Values.metrics.enabled }}
@ -93,11 +80,28 @@ argocd-image-updater:
{{- if eq .Values.global.platform "aws" }} {{- if eq .Values.global.platform "aws" }}
extraEnv: extraEnv:
{{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }} - name: AWS_ROLE_ARN
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: "regional"
- name: METADATA_TRIES
value: "0"
- name: AWS_REGION
value: {{ .Values.global.aws.region }}
volumes: volumes:
{{- include "aws-iam-volumes" . | nindent 4 }} - name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
volumeMounts: volumeMounts:
{{- include "aws-iam-volumemounts" . | nindent 4 }} - name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }} {{- end }}
metrics: metrics:

2
charts/kubezero/templates/metrics.yaml
View File

@ -1,6 +1,6 @@
{{- define "_kube-prometheus-stack" }} {{- define "_kube-prometheus-stack" }}
{{- if eq .global.platform "aws" }} {{- if .global.aws.region }}
alertmanager: alertmanager:
alertmanagerSpec: alertmanagerSpec:
podMetadata: podMetadata:

4
charts/kubezero/values.yaml
View File

@ -6,9 +6,7 @@ global:
highAvailable: false highAvailable: false
aws: aws: {}
accountId: "123456789012"
region: the-moon
gcp: {} gcp: {}
addons: addons: