chore(deps): update kubezero-mq-dependencies

Dockerfile

@@ -5,8 +5,8 @@ FROM docker.io/alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
 ARG KUBE_VERSION=1.31
 
-ARG SOPS_VERSION="3.9.4"
-ARG VALS_VERSION="0.39.1"
+ARG SOPS_VERSION="3.9.1"
+ARG VALS_VERSION="0.37.6"
 ARG HELM_SECRETS_VERSION="4.6.2"
 
 RUN cd /etc/apk/keys && \

admin/dev_apply.sh

@@ -49,6 +49,7 @@ function cert-manager-post() {
     wait_for "kubectl get deployment -n $namespace cert-manager-webhook"
     kubectl rollout status deployment -n $namespace cert-manager-webhook
     wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"'
+    apply
   fi
 
   wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer"
@@ -81,11 +82,11 @@ function metrics-pre() {
 get_kubezero_values $ARGOCD
 
 # Always use embedded kubezero chart
-helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --name-template kubezero --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
+helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
 
 # Root KubeZero apply directly and exit
 if [ ${ARTIFACTS[0]} == "kubezero" ]; then
-  kubectl replace -f $WORKDIR/kubezero/templates
+  kubectl apply --server-side --force-conflicts -f $WORKDIR/kubezero/templates
   exit $?
 
 # "catch all" apply all enabled modules

admin/hooks-1.31.sh

@@ -7,8 +7,8 @@ pre_control_plane_upgrade_cluster() {
     kubectl label node $n 'node.kubernetes.io/kubezero.version=v1.30.6' || true
   done
 
-  # patch aws-iam-authenticator DS to NOT run pods on 1.31 controllers
-  kubectl patch ds aws-iam-authenticator -n kube-system -p '{"spec": {"template": {"spec": {"nodeSelector": {"node.kubernetes.io/kubezero.version": "v1.30.6"}}}}}' || true
+  # patch aws-iam-authentiator DS to NOT run pods on 1.31 controllers
+  kubectl patch ds aws-iam-authentiator -p '{"spec": {"template": {"spec": {"nodeSelector": {"node.kubernetes.io/kubezero.version": "v1.30.6"}}}}}' || true
 }
 
 
@@ -20,28 +20,20 @@ post_control_plane_upgrade_cluster() {
 
 # All things AFTER all contollers are on the new version
 pre_cluster_upgrade_final() {
-  set +e
 
   if [ "$PLATFORM" == "aws" ];then
-    # cleanup aws-iam-authenticator
-    kubectl delete clusterrolebinding aws-iam-authenticator
-    kubectl delete clusterrole aws-iam-authenticator
-    kubectl delete serviceaccount aws-iam-authenticator -n kube-system
-    kubectl delete cm aws-iam-authenticator -n kube-system
-    kubectl delete ds aws-iam-authenticator -n kube-system
-    kubectl delete IAMIdentityMapping kubezero-worker-nodes
-    kubectl delete IAMIdentityMapping kubernetes-admin
-    kubectl delete crd iamidentitymappings.iamauthenticator.k8s.aws
-    kubectl delete secret aws-iam-certs -n kube-system
+    # cleanup aws-iam-authentiator
+    kubectl delete clusterrolebinding aws-iam-authentiator || true
+    kubectl delete clusterrole aws-iam-authentiator || true
+    kubectl delete serviceaccount aws-iam-authentiator -n kube-system || true
+    kubectl delete cm aws-iam-authentiator -n kube-system || true
+    kubectl delete ds aws-iam-authentiator -n kube-system || true
+    kubectl delete IAMIdentityMapping kubezero-worker-nodes || true
+    kubectl delete IAMIdentityMapping kubernetes-admin || true
+    kubectl delete crd iamidentitymappings.iamauthenticator.k8s.aws || true
+
+    kubectl delete secret aws-iam-certs -n kube-system || true
   fi
-
-  # Remove any helm hook related resources
-  kubectl delete rolebinding argo-argocd-redis-secret-init -n argocd
-  kubectl delete sa argo-argocd-redis-secret-init -n argocd
-  kubectl delete role argo-argocd-redis-secret-init -n argocd
-  kubectl delete job argo-argocd-redis-secret-init -n argocd
-
-  set -e
 }
 
 

admin/kubezero.sh

@@ -97,7 +97,6 @@ pre_kubeadm() {
   cp -r ${WORKDIR}/kubeadm/templates/apiserver ${HOSTFS}/etc/kubernetes
 
   # copy patches to host to make --rootfs of kubeadm work
-  rm -f ${HOSTFS}/etc/kubernetes/patches/*
   cp -r ${WORKDIR}/kubeadm/templates/patches ${HOSTFS}/etc/kubernetes
 }
 
@@ -133,7 +132,10 @@ control_plane_upgrade() {
       kubectl get application kubezero -n argocd -o yaml | \
         yq ".spec.source.helm.valuesObject |= load(\"$WORKDIR/kubezero-values.yaml\") | .spec.source.targetRevision = strenv(kubezero_chart_version)" \
         > $WORKDIR/new-argocd-app.yaml
-      kubectl replace -f $WORKDIR/new-argocd-app.yaml
+      kubectl apply --server-side --force-conflicts -f $WORKDIR/new-argocd-app.yaml
+
+      # finally remove annotation to allow argo to sync again
+      kubectl patch app kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
     fi
 
     pre_kubeadm

admin/libhelm.sh

@@ -50,7 +50,7 @@ function get_kubezero_values() {
 function update_kubezero_cm() {
   kubectl get cm -n kubezero kubezero-values -o=yaml | \
     yq e ".data.\"values.yaml\" |= load_str(\"$WORKDIR/kubezero-values.yaml\")" | \
-    kubectl replace -f -
+    kubectl apply --server-side --force-conflicts -f -
 }
 
 # sync kubezero-values CM from ArgoCD app

admin/migrate_argo_values.py

@@ -8,13 +8,6 @@ import yaml
 def migrate(values):
     """Actual changes here"""
 
-    # remove syncOptions from root app
-    try:
-        if values["kubezero"]["syncPolicy"]:
-            values["kubezero"].pop("syncPolicy")
-    except KeyError:
-        pass
-
     return values
 
 

charts/clamav/Chart.yaml

@@ -14,6 +14,6 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
 kubeVersion: ">= 1.26.0"

charts/envoy-ratelimit/.gitignore

@@ -1,3 +0,0 @@
-istioctl
-istio
-istio.zdt

charts/envoy-ratelimit/.helmignore

@@ -1,32 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-
-README.md.gotmpl
-*.patch
-*.sh
-*.py
-
-istioctl
-istio
-istio.zdt

charts/envoy-ratelimit/Chart.yaml

@@ -1,19 +0,0 @@
-apiVersion: v2
-name: envoy-ratelimit
-description: Envoy gobal ratelimiting service - part of KubeZero
-type: application
-version: 0.1.2
-home: https://kubezero.com
-icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
-keywords:
-  - kubezero
-  - envoy
-  - istio
-maintainers:
-  - name: Stefan Reimer
-    email: stefan@zero-downtime.net
-dependencies:
-  - name: kubezero-lib
-    version: 0.2.1
-    repository: https://cdn.zero-downtime.net/charts/
-kubeVersion: ">= 1.31.0-0"

charts/envoy-ratelimit/README.md

@@ -1,37 +0,0 @@
-# envoy-ratelimit
-
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
-
-Envoy gobal ratelimiting service - part of KubeZero
-
-**Homepage:** <https://kubezero.com>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| Stefan Reimer | <stefan@zero-downtime.net> |  |
-
-## Requirements
-
-Kubernetes: `>= 1.31.0-0`
-
-| Repository | Name | Version |
-|------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| descriptors.ingress[0].key | string | `"remote_address"` |  |
-| descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
-| descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
-| descriptors.privateIngress[0].key | string | `"remote_address"` |  |
-| descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
-| descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
-| failureModeDeny | bool | `false` |  |
-| localCacheSize | int | `1048576` |  |
-| log.format | string | `"json"` |  |
-| log.level | string | `"warn"` |  |
-| metrics.enabled | bool | `true` |  |

charts/envoy-ratelimit/README.md.gotmpl

@@ -1,16 +0,0 @@
-{{ template "chart.header" . }}
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}

charts/envoy-ratelimit/templates/deployment.yaml

@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ratelimit
-  namespace: {{ .Release.Namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ratelimit
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: ratelimit
-    spec:
-      containers:
-      - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-        imagePullPolicy: IfNotPresent
-        name: ratelimit
-        command: ["/bin/ratelimit"]
-        env:
-        - name: LOG_LEVEL
-          value: {{ default "WARN" .Values.log.level }}
-        - name: LOG_FORMAT
-          value: {{ default "text" .Values.log.format }}
-        - name: REDIS_SOCKET_TYPE
-          value: tcp
-        - name: REDIS_URL
-          value: ratelimit-valkey:6379
-        - name: USE_PROMETHEUS
-          value: "true"
-        - name: USE_STATSD
-          value: "false"
-        - name: RUNTIME_ROOT
-          value: /data
-        - name: RUNTIME_SUBDIRECTORY
-          value: ratelimit
-        - name: RUNTIME_WATCH_ROOT
-          value: "false"
-        - name: RUNTIME_IGNOREDOTFILES
-          value: "true"
-        - name: LOCAL_CACHE_SIZE_IN_BYTES
-          value: "{{ default 0 .Values.localCacheSize | int }}"
-        ports:
-        - containerPort: 8081
-        #- containerPort: 8080
-        #- containerPort: 6070
-        volumeMounts:
-        - name: ratelimit-config
-          mountPath: /data/ratelimit/config
-        resources:
-          requests:
-            cpu: 50m
-            memory: 32Mi
-          limits:
-            cpu: 1
-            memory: 256Mi
-      volumes:
-      - name: ratelimit-config
-        configMap:
-          name: ratelimit-config

charts/envoy-ratelimit/templates/service.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: ratelimit
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: ratelimit
-spec:
-  ports:
-  #- name: http-port
-  #  port: 8080
-  #  targetPort: 8080
-  #  protocol: TCP
-  - name: grpc-port
-    port: 8081
-    targetPort: 8081
-    protocol: TCP
-  #- name: http-debug
-  #  port: 6070
-  #  targetPort: 6070
-  #  protocol: TCP
-  - name: http-monitoring
-    port: 9090
-    targetPort: 9090
-    protocol: TCP
-  selector:
-    app: ratelimit

charts/envoy-ratelimit/templates/valkey-deployment.yaml

@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ratelimit-valkey
-  namespace: {{ .Release.Namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ratelimit-valkey
-  template:
-    metadata:
-      labels:
-        app: ratelimit-valkey
-    spec:
-      containers:
-      - image: valkey/valkey:8.1-alpine3.21
-        imagePullPolicy: IfNotPresent
-        name: valkey
-        ports:
-        - name: valkey
-          containerPort: 6379
-      restartPolicy: Always
-      serviceAccountName: ""

charts/envoy-ratelimit/templates/valkey-service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: ratelimit-valkey
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: ratelimit-valkey
-spec:
-  ports:
-  - name: valkey
-    port: 6379
-  selector:
-    app: ratelimit-valkey

charts/envoy-ratelimit/update.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-set -ex
-
-. ../../scripts/lib-update.sh
-
-#login_ecr_public
-update_helm
-
-update_docs

charts/envoy-ratelimit/values.yaml

@@ -1,38 +0,0 @@
-image:
-  repository: envoyproxy/ratelimit
-  # see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
-  tag: 80b15778
-
-log:
-  level: warn
-  format: json
-
-# 1MB local cache for already reached limits to reduce calls to Redis
-localCacheSize: 1048576
-
-# Wether to block requests if ratelimiting is down
-failureModeDeny: false
-
-# rate limit descriptors for each domain
-# - slow: 1 req/s over a minute per sourceIP
-descriptors:
-  ingress:
-  - key: speed
-    value: slow
-    descriptors:
-    - key: remote_address
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
-
-  privateIngress:
-  - key: speed
-    value: slow
-    descriptors:
-    - key: remote_address
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
-
-metrics:
-  enabled: false

charts/kubeadm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm cluster config
 type: application
-version: 1.31.6
+version: 1.31.5
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -11,4 +11,4 @@ keywords:
 maintainers:
   - name: Stefan Reimer
     email: stefan@zero-downtime.net
-kubeVersion: ">= 1.31.0-0"
+kubeVersion: ">= 1.26.0"

charts/kubezero-addons/README.md

@@ -14,7 +14,7 @@ KubeZero umbrella chart for various optional cluster addons
 
 ## Requirements
 
-Kubernetes: `>= 1.30.0-0`
+Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
@@ -94,8 +94,9 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | aws-node-termination-handler.managedTag | string | `"zdt:kubezero:nth:${ClusterName}"` | "zdt:kubezero:nth:${ClusterName}" |
 | aws-node-termination-handler.metadataTries | int | `0` |  |
 | aws-node-termination-handler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
+| aws-node-termination-handler.podMonitor.create | bool | `false` |  |
 | aws-node-termination-handler.queueURL | string | `""` | https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/${ClusterName}_Nth |
-| aws-node-termination-handler.serviceMonitor.create | bool | `false` |  |
+| aws-node-termination-handler.rbac.pspEnabled | bool | `false` |  |
 | aws-node-termination-handler.taintNode | bool | `true` |  |
 | aws-node-termination-handler.tolerations[0].effect | string | `"NoSchedule"` |  |
 | aws-node-termination-handler.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
@@ -109,7 +110,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | cluster-autoscaler.extraArgs.scan-interval | string | `"30s"` |  |
 | cluster-autoscaler.extraArgs.skip-nodes-with-local-storage | bool | `false` |  |
 | cluster-autoscaler.image.repository | string | `"registry.k8s.io/autoscaling/cluster-autoscaler"` |  |
-| cluster-autoscaler.image.tag | string | `"v1.31.1"` |  |
+| cluster-autoscaler.image.tag | string | `"v1.30.2"` |  |
 | cluster-autoscaler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cluster-autoscaler.podDisruptionBudget | bool | `false` |  |
 | cluster-autoscaler.prometheusRule.enabled | bool | `false` |  |
@@ -158,9 +159,6 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | neuron-helm-chart.enabled | bool | `false` |  |
 | neuron-helm-chart.npd.enabled | bool | `false` |  |
 | nvidia-device-plugin.cdi.nvidiaHookPath | string | `"/usr/bin"` |  |
-| nvidia-device-plugin.config.default | string | `"default"` |  |
-| nvidia-device-plugin.config.map.default | string | `"version: v1\nflags:\n  migStrategy: none"` |  |
-| nvidia-device-plugin.config.map.time-slice-4x | string | `"version: v1\nflags:\n  migStrategy: none\nsharing:\n  timeSlicing:\n    resources:\n    - name: nvidia.com/gpu\n      replicas: 4"` |  |
 | nvidia-device-plugin.deviceDiscoveryStrategy | string | `"nvml"` |  |
 | nvidia-device-plugin.enabled | bool | `false` |  |
 | nvidia-device-plugin.runtimeClassName | string | `"nvidia"` |  |

charts/kubezero-addons/values.yaml

@@ -185,22 +185,6 @@ neuron-helm-chart:
 nvidia-device-plugin:
   enabled: false
 
-  config:
-    default: "default"
-    map:
-      default: |-
-        version: v1
-        flags:
-          migStrategy: none
-      time-slice-4x: |-
-        version: v1
-        flags:
-          migStrategy: none
-        sharing:
-          timeSlicing:
-            resources:
-            - name: nvidia.com/gpu
-              replicas: 4
   cdi:
     nvidiaHookPath: /usr/bin
   deviceDiscoveryStrategy: nvml

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.2.8
+version: 0.2.7
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -15,14 +15,14 @@ maintainers:
 # Url: https://github.com/argoproj/argo-helm/tree/main/charts
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: argo-events
-    version: 2.4.13
+    version: 2.4.9
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 7.8.2
+    version: 7.7.7
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-apps
@@ -30,7 +30,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-image-updater
-    version: 0.12.0
+    version: 0.11.2
     repository: https://argoproj.github.io/argo-helm
     condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.26.0-0"

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.2.8](https://img.shields.io/badge/Version-0.2.8-informational?style=flat-square)
+![Version: 0.2.7](https://img.shields.io/badge/Version-0.2.7-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,17 +18,16 @@ Kubernetes: `>= 1.26.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.8.2 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.13 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.7.7 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.9 |
 | https://argoproj.github.io/argo-helm | argocd-apps | 2.0.2 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.11.2 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| argo-cd.configs.cm."application.instanceLabelKey" | string | `nil` |  |
 | argo-cd.configs.cm."application.resourceTrackingMethod" | string | `"annotation"` |  |
 | argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n  # Lua script for customizing the health status assessment\n  health.lua: |\n    hs = {}\n    if obj.status ~= nil then\n      if obj.status.conditions ~= nil then\n        for i, condition in ipairs(obj.status.conditions) do\n          if condition.type == \"Ready\" and condition.status == \"False\" then\n            hs.status = \"Degraded\"\n            hs.message = condition.message\n            return hs\n          end\n          if condition.type == \"Ready\" and condition.status == \"True\" then\n            hs.status = \"Healthy\"\n            hs.message = condition.message\n            return hs\n          end\n        end\n      end\n    end\n    hs.status = \"Progressing\"\n    hs.message = \"Waiting for certificate\"\n    return hs\n"` |  |
 | argo-cd.configs.cm."timeout.reconciliation" | string | `"300s"` |  |
@@ -36,7 +35,6 @@ Kubernetes: `>= 1.26.0-0`
 | argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` |  |
 | argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` |  |
 | argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.31"` |  |
-| argo-cd.configs.cm.installationID | string | `"KubeZero-ArgoCD"` |  |
 | argo-cd.configs.cm.url | string | `"https://argocd.example.com"` |  |
 | argo-cd.configs.params."controller.diff.server.side" | string | `"true"` |  |
 | argo-cd.configs.params."controller.operation.processors" | string | `"5"` |  |
@@ -96,7 +94,7 @@ Kubernetes: `>= 1.26.0-0`
 | argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message |
 | argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 |
 | argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` |  |
-| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.16.0"` |  |
+| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.14.0"` |  |
 | argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.10.11-scratch"` |  |
 | argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` |  |
 | argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` |  |

charts/kubezero-argo/values.yaml

@@ -45,7 +45,7 @@ argo-cd:
       format: json
     image:
       repository: public.ecr.aws/zero-downtime/zdt-argocd
-      tag: v2.14.2
+      tag: v2.13.1
     networkPolicy:
       create: true
 
@@ -106,12 +106,9 @@ argo-cd:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7UgK7Z4dDcuIW1uMOsuwhrqdkJCvYG/ZjHtLM7WaKFxVRnzNnNkQJNncWIGNDUQ1xxrbsoSNRZDtk0NlOjNtx2aApSWl4iWghkpXELvsZtOZ7I9FSC/E6ImLC3KWfK7P0mhZaF6kHPfpu8Y6pjUyLBTpV1AaVwr0I8onyqGazJOVotTFaBFEi/sT0O2FUk7agwZYfj61w3JGOy3c+fmBcK3lXf/QM90tosOpJNuJ7n5Vk5FDDLkl9rO4XR/+mXHFvITiWb8F5C50YAwjYcy36yWSSryUAAHAuqpgotwh65vSG6fZvFhmEwO2BrCkOV5+k8iRfhy/yZODJzZ5V/5cbMbdZrY6lm/p5/S1wv8BEyPekBGdseqQjEO0IQiQHcMrfgTrrQ7ndbZzVZRByZI+wbGFkBCzNSJcNsoiHjs2EblxYyuW0qUvvrBxLnySvaxyPm4BOukSAZAOEaUrajpQlnHdnY1CGcgbwxw0LNv3euKQ3tDJSUlKO0Wd8d85PRv1THW4Ui9Lhsmv+BPA2vJZDOkx/n0oyPFAB0oyd5JNM38eFxLCmPC2OE63gDP+WmzVO61YCVTnvhpQjEOLawEWVFsk0y25R5z5BboDqJaOFnZF6i517O96cn17z3Ls4hxw3+0rlKczYRoyfUHs7KQENa4mY8YlJweNTBgld//RMUQ=="
 
     params:
-      controller.status.processors: 8
-      controller.operation.processors: 4
-      controller.kubectl.parallelism.limit: 8
-      controller.resource.health.persist: "false"
+      controller.status.processors: "10"
+      controller.operation.processors: "5"
       controller.diff.server.side: "true"
-      controller.sync.timeout.seconds: 1800
 
       server.insecure: true
       server.enable.gzip: true
@@ -180,9 +177,6 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
-  redisSecretInit:
-    enabled: false
-
   # redis:
   # We might want to try to keep redis close to the controller
   #   affinity:

charts/kubezero-auth/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: keycloak
     repository: "oci://registry-1.docker.io/bitnamicharts"

charts/kubezero-cache/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.2.1"
     repository: https://cdn.zero-downtime.net/charts/
   - name: redis
     version: 20.0.3

charts/kubezero-cert-manager/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cert-manager
 description: KubeZero Umbrella Chart for cert-manager
 type: application
-version: 0.9.12
+version: 0.9.11
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -13,9 +13,9 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: cert-manager
-    version: v1.17.1
+    version: v1.17.0
     repository: https://charts.jetstack.io
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-cert-manager/README.md

@@ -1,6 +1,6 @@
 # kubezero-cert-manager
 
-![Version: 0.9.12](https://img.shields.io/badge/Version-0.9.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.11](https://img.shields.io/badge/Version-0.9.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for cert-manager
 
@@ -14,12 +14,12 @@ KubeZero Umbrella Chart for cert-manager
 
 ## Requirements
 
-Kubernetes: `>= 1.30.0-0`
+Kubernetes: `>= 1.26.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.jetstack.io | cert-manager | v1.17.1 |
+| https://charts.jetstack.io | cert-manager | v1.17.0 |
 
 ## AWS - OIDC IAM roles
 

charts/kubezero-cert-manager/jsonnetfile.lock.json

@@ -18,7 +18,7 @@
           "subdir": "contrib/mixin"
         }
       },
-      "version": "eb7607bd8b3665d14aa40d50435ae8c9002d620c",
+      "version": "c0e7e8c873a6067f9ae9076c3c243a20fa713a58",
       "sum": "XmXkOCriQIZmXwlIIFhqlJMa0e6qGWdxZD+ZDYaN0Po="
     },
     {
@@ -78,7 +78,7 @@
           "subdir": "grafana-builder"
         }
       },
-      "version": "ef841d571a704013b689368fe51e437810b6c935",
+      "version": "d6c38bb26f576b128cadca4137d73a037afdd872",
       "sum": "yxqWcq/N3E/a/XreeU6EuE6X7kYPnG0AspAQFKOjASo="
     },
     {
@@ -118,8 +118,8 @@
           "subdir": ""
         }
       },
-      "version": "4ff562d5e8145940cf355f62cf2308895c4dca81",
-      "sum": "kiL19fTbXOtNglsmT62kOzIf/Xpu+YwoiMPAApDXhkE="
+      "version": "e27267571be06c2bdc3d2fd8dbd70161cd709cb4",
+      "sum": "je1RPCp2aFNefYs5Q57Q5wDm93p8pL4pdBtA5rC7jLA="
     },
     {
       "source": {
@@ -128,7 +128,7 @@
           "subdir": "jsonnet/kube-state-metrics"
         }
       },
-      "version": "350a7c472e1801a2e13b9895ec8ef38876c96dd0",
+      "version": "2a95d4649b2fea55799032fb9c0b571c4ba7f776",
       "sum": "3bioG7CfTfY9zeu5xU4yon6Zt3kYvNkyl492nOhQxnM="
     },
     {
@@ -138,7 +138,7 @@
           "subdir": "jsonnet/kube-state-metrics-mixin"
         }
       },
-      "version": "350a7c472e1801a2e13b9895ec8ef38876c96dd0",
+      "version": "2a95d4649b2fea55799032fb9c0b571c4ba7f776",
       "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
     },
     {
@@ -158,7 +158,7 @@
           "subdir": "jsonnet/mixin"
         }
       },
-      "version": "7deab71d6d5921eeaf8c79e3ae8e31efe63783a9",
+      "version": "4da36fdd2377362c285aee3a96f7b0516f6e41bf",
       "sum": "gi+knjdxs2T715iIQIntrimbHRgHnpM8IFBJDD1gYfs=",
       "name": "prometheus-operator-mixin"
     },
@@ -169,8 +169,8 @@
           "subdir": "jsonnet/prometheus-operator"
         }
       },
-      "version": "7deab71d6d5921eeaf8c79e3ae8e31efe63783a9",
-      "sum": "LctDdofQostvviE5y8vpRKWGGO1ZKO3dgJe7P9xifW0="
+      "version": "4da36fdd2377362c285aee3a96f7b0516f6e41bf",
+      "sum": "tb5PzIT75Hv4m3kbOHXvmrlcplg+EbS4++NfTttDNOk="
     },
     {
       "source": {
@@ -190,8 +190,8 @@
           "subdir": "docs/node-mixin"
         }
       },
-      "version": "02afa5c53c36123611533f2defea6ccd4546a9bb",
-      "sum": "8dNyJ4vpnKVBbCFN9YLsugp1IjlZjDCwdKMjKi0KTG4="
+      "version": "11365f97bef6cb0e6259d536a7e21c49e3f5c065",
+      "sum": "xYj6VYFT/eafsbleNlC+Z2VfLy1CndyYrJs9BcTmnX8="
     },
     {
       "source": {
@@ -200,7 +200,7 @@
           "subdir": "documentation/prometheus-mixin"
         }
       },
-      "version": "a5ffa83be83be22e2ec9fd1d4765299d8d16119e",
+      "version": "906f6a33b60cec2596018ac8cc97ac41b16b06b7",
       "sum": "2c+wttfee9TwuQJZIkNV7Tekem74Qgc7iZ842P28rNw=",
       "name": "prometheus"
     },

charts/kubezero-ci/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.8.20
+version: 0.8.19
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -15,22 +15,22 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: gitea
     version: 10.6.0
     repository: https://dl.gitea.io/charts/
     condition: gitea.enabled
   - name: jenkins
-    version: 5.8.16
+    version: 5.7.15
     repository: https://charts.jenkins.io
     condition: jenkins.enabled
   - name: trivy
-    version: 0.11.1
+    version: 0.9.0
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
   - name: renovate
-    version: 39.180.2
+    version: 39.33.1
     repository: https://docs.renovatebot.com/helm-charts
     condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

charts/kubezero-ci/README.md

@@ -1,6 +1,6 @@
 # kubezero-ci
 
-![Version: 0.8.20](https://img.shields.io/badge/Version-0.8.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.19](https://img.shields.io/badge/Version-0.8.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things CI
 
@@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://aquasecurity.github.io/helm-charts/ | trivy | 0.11.1 |
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.1.6 |
-| https://charts.jenkins.io | jenkins | 5.8.16 |
+| https://aquasecurity.github.io/helm-charts/ | trivy | 0.9.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://charts.jenkins.io | jenkins | 5.7.15 |
 | https://dl.gitea.io/charts/ | gitea | 10.6.0 |
-| https://docs.renovatebot.com/helm-charts | renovate | 39.180.2 |
+| https://docs.renovatebot.com/helm-charts | renovate | 39.33.1 |
 
 # Jenkins
 - default build retention 10 builds, 32days
@@ -68,7 +68,7 @@ Kubernetes: `>= 1.25.0`
 | gitea.gitea.metrics.enabled | bool | `false` |  |
 | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` |  |
 | gitea.image.rootless | bool | `true` |  |
-| gitea.image.tag | string | `"1.23.4"` |  |
+| gitea.image.tag | string | `"1.22.3"` |  |
 | gitea.istio.enabled | bool | `false` |  |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | gitea.istio.url | string | `"git.example.com"` |  |
@@ -90,7 +90,6 @@ Kubernetes: `>= 1.25.0`
 | jenkins.agent.containerCap | int | `2` |  |
 | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` |  |
 | jenkins.agent.defaultsProviderTemplate | string | `"podman-aws"` |  |
-| jenkins.agent.garbageCollection.enabled | bool | `true` |  |
 | jenkins.agent.idleMinutes | int | `30` |  |
 | jenkins.agent.image.repository | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` |  |
 | jenkins.agent.image.tag | string | `"v0.7.0"` |  |
@@ -161,8 +160,7 @@ Kubernetes: `>= 1.25.0`
 | renovate.cronjob.successfulJobsHistoryLimit | int | `1` |  |
 | renovate.enabled | bool | `false` |  |
 | renovate.env.LOG_FORMAT | string | `"json"` |  |
-| renovate.renovate.config | string | `"{\n}\n"` |  |
-| renovate.securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
+| renovate.securityContext.fsGroup | int | `1000` |  |
 | trivy.enabled | bool | `false` |  |
 | trivy.persistence.enabled | bool | `true` |  |
 | trivy.persistence.size | string | `"1Gi"` |  |

charts/kubezero-ci/charts/jenkins/CHANGELOG.md

@@ -12,122 +12,6 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
 The changelog until v1.5.7 was auto-generated based on git commits.
 Those entries include a reference to the git commit to be able to get more details.
 
-## 5.8.16
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`
-
-## 5.8.15
-
-Update `kubernetes` to version `4313.va_9b_4fe2a_0e34`
-
-## 5.8.14
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-9`
-
-## 5.8.13
-
-Fix `agentListenerPort` not being updated in `config.xml` when set via Helm values.
-
-## 5.8.12
-
-Update plugin count.
-
-## 5.8.11
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-8`
-
-## 5.8.10
-
-Update `jenkins/jenkins` to version `2.492.1-jdk17`
-
-## 5.8.9
-
-Update `configuration-as-code` to version `1932.v75cb_b_f1b_698d`
-
-## 5.8.8
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.0`
-
-## 5.8.7
-
-Update `configuration-as-code` to version `1929.v036b_5a_e1f123`
-
-## 5.8.6
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.29.1`
-
-## 5.8.5
-
-Update `jenkins/inbound-agent` to version `3283.v92c105e0f819-7`
-
-## 5.8.4
-
-Allow setting [automountServiceAccountToken](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting)
-
-## 5.8.3
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.29.0`
-
-## 5.8.2
-
-Update `jenkins/jenkins` to version `2.479.3-jdk17`
-
-## 5.8.1
-
-Update `configuration-as-code` to version `1915.vcdd0a_d0d2625`
-
-## 5.8.0
-
-Add option to publish not-ready addresses in controller service.
-
-## 5.7.27
-
-Update `git` to version `5.7.0`
-
-## 5.7.26
-
-Update `configuration-as-code` to version `1909.vb_b_f59a_27d013`
-
-## 5.7.25
-
-Update `kubernetes` to version `4306.vc91e951ea_eb_d`
-
-## 5.7.24
-
-Update `kubernetes` to version `4304.v1b_39d4f98210`
-
-## 5.7.23
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.4`
-
-## 5.7.22
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.3`
-
-## 5.7.21
-
-Update `docker.io/kiwigrid/k8s-sidecar` to version `1.28.1`
-
-## 5.7.20
-
-Update `kubernetes` to version `4302.va_756e4b_67715`
-
-## 5.7.19
-
-Update `configuration-as-code` to version `1903.v004d55388f30`
-
-## 5.7.18
-
-Update `kubernetes` to version `4300.vd82c5692b_3a_e`
-
-## 5.7.17
-
-Update `docker.io/bats/bats` to version `1.11.1`
-
-## 5.7.16
-
-Add tpl support for persistence.storageClassName in home-pvc.yaml  and tpl support in controller.ingress parameters(ingressClassName, annotations, hostname) in jenkins-controller-ingress.yaml
-
 ## 5.7.15
 
 Update `jenkins/jenkins` to version `2.479.2-jdk17`

charts/kubezero-ci/charts/jenkins/Chart.yaml

@@ -1,14 +1,14 @@
 annotations:
   artifacthub.io/category: integration-delivery
   artifacthub.io/changes: |
-    - Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`
+    - Update `jenkins/jenkins` to version `2.479.2-jdk17`
   artifacthub.io/images: |
     - name: jenkins
-      image: docker.io/jenkins/jenkins:2.492.1-jdk17
+      image: docker.io/jenkins/jenkins:2.479.2-jdk17
     - name: k8s-sidecar
-      image: docker.io/kiwigrid/k8s-sidecar:1.30.1
+      image: docker.io/kiwigrid/k8s-sidecar:1.28.0
     - name: inbound-agent
-      image: jenkins/inbound-agent:3283.v92c105e0f819-9
+      image: jenkins/inbound-agent:3273.v4cfe589b_fd83-1
   artifacthub.io/license: Apache-2.0
   artifacthub.io/links: |
     - name: Chart Source
@@ -18,9 +18,9 @@ annotations:
     - name: support
       url: https://github.com/jenkinsci/helm-charts/issues
 apiVersion: v2
-appVersion: 2.492.1
+appVersion: 2.479.2
 description: 'Jenkins - Build great things at any scale! As the leading open source
-  automation server, Jenkins provides over 2000 plugins to support building, deploying
+  automation server, Jenkins provides over 1800 plugins to support building, deploying
   and automating any project. '
 home: https://www.jenkins.io/
 icon: https://get.jenkins.io/art/jenkins-logo/logo.svg
@@ -46,4 +46,4 @@ sources:
 - https://github.com/maorfr/kube-tasks
 - https://github.com/jenkinsci/configuration-as-code-plugin
 type: application
-version: 5.8.16
+version: 5.7.15

charts/kubezero-ci/charts/jenkins/README.md

@@ -5,7 +5,7 @@
 [![Releases downloads](https://img.shields.io/github/downloads/jenkinsci/helm-charts/total.svg)](https://github.com/jenkinsci/helm-charts/releases)
 [![Join the chat at https://app.gitter.im/#/room/#jenkins-ci:matrix.org](https://badges.gitter.im/badge.svg)](https://app.gitter.im/#/room/#jenkins-ci:matrix.org)
 
-[Jenkins](https://www.jenkins.io/) is the leading open source automation server, Jenkins provides over 2000 plugins to support building, deploying and automating any project.
+[Jenkins](https://www.jenkins.io/) is the leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project.
 
 This chart installs a Jenkins server which spawns agents on [Kubernetes](http://kubernetes.io) utilizing the [Jenkins Kubernetes plugin](https://plugins.jenkins.io/kubernetes/).
 

charts/kubezero-ci/charts/jenkins/VALUES.md

@@ -8,164 +8,164 @@ The following tables list the configurable parameters of the Jenkins chart and t
 
 | Key | Type | Description | Default |
 |:----|:-----|:---------|:------------|
-| [additionalAgents](./values.yaml#L1199) | object | Configure additional | `{}` |
-| [additionalClouds](./values.yaml#L1224) | object |  | `{}` |
-| [agent.TTYEnabled](./values.yaml#L1105) | bool | Allocate pseudo tty to the side container | `false` |
-| [agent.additionalContainers](./values.yaml#L1152) | list | Add additional containers to the agents | `[]` |
-| [agent.alwaysPullImage](./values.yaml#L998) | bool | Always pull agent container image before build | `false` |
-| [agent.annotations](./values.yaml#L1148) | object | Annotations to apply to the pod | `{}` |
-| [agent.args](./values.yaml#L1099) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
-| [agent.command](./values.yaml#L1097) | string | Command to execute when side container starts | `nil` |
-| [agent.componentName](./values.yaml#L966) | string |  | `"jenkins-agent"` |
-| [agent.connectTimeout](./values.yaml#L1146) | int | Timeout in seconds for an agent to be online | `100` |
-| [agent.containerCap](./values.yaml#L1107) | int | Max number of agents to launch | `10` |
-| [agent.customJenkinsLabels](./values.yaml#L963) | list | Append Jenkins labels to the agent | `[]` |
-| [agent.defaultsProviderTemplate](./values.yaml#L917) | string | The name of the pod template to use for providing default values | `""` |
-| [agent.directConnection](./values.yaml#L969) | bool |  | `false` |
-| [agent.disableDefaultAgent](./values.yaml#L1170) | bool | Disable the default Jenkins Agent configuration | `false` |
-| [agent.enabled](./values.yaml#L915) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
-| [agent.envVars](./values.yaml#L1080) | list | Environment variables for the agent Pod | `[]` |
-| [agent.garbageCollection.enabled](./values.yaml#L1114) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
-| [agent.garbageCollection.namespaces](./values.yaml#L1116) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
-| [agent.garbageCollection.timeout](./values.yaml#L1121) | int | Timeout value for orphaned pods | `300` |
-| [agent.hostNetworking](./values.yaml#L977) | bool | Enables the agent to use the host network | `false` |
-| [agent.idleMinutes](./values.yaml#L1124) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
-| [agent.image.repository](./values.yaml#L956) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
-| [agent.image.tag](./values.yaml#L958) | string | Tag of the image to pull | `"3283.v92c105e0f819-9"` |
-| [agent.imagePullSecretName](./values.yaml#L965) | string | Name of the secret to be used to pull the image | `nil` |
-| [agent.inheritYamlMergeStrategy](./values.yaml#L1144) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
-| [agent.jenkinsTunnel](./values.yaml#L933) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
-| [agent.jenkinsUrl](./values.yaml#L929) | string | Overrides the Kubernetes Jenkins URL | `nil` |
-| [agent.jnlpregistry](./values.yaml#L953) | string | Custom registry used to pull the agent jnlp image from | `nil` |
-| [agent.kubernetesConnectTimeout](./values.yaml#L939) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
-| [agent.kubernetesReadTimeout](./values.yaml#L941) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
-| [agent.livenessProbe](./values.yaml#L988) | object |  | `{}` |
-| [agent.maxRequestsPerHostStr](./values.yaml#L943) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
-| [agent.namespace](./values.yaml#L949) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
-| [agent.nodeSelector](./values.yaml#L1091) | object | Node labels for pod assignment | `{}` |
-| [agent.nodeUsageMode](./values.yaml#L961) | string |  | `"NORMAL"` |
-| [agent.podLabels](./values.yaml#L951) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
-| [agent.podName](./values.yaml#L1109) | string | Agent Pod base name | `"default"` |
-| [agent.podRetention](./values.yaml#L1007) | string |  | `"Never"` |
-| [agent.podTemplates](./values.yaml#L1180) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
-| [agent.privileged](./values.yaml#L971) | bool | Agent privileged container | `false` |
-| [agent.resources](./values.yaml#L979) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
-| [agent.restrictedPssSecurityContext](./values.yaml#L1004) | bool | Set a restricted securityContext on jnlp containers | `false` |
-| [agent.retentionTimeout](./values.yaml#L945) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
-| [agent.runAsGroup](./values.yaml#L975) | string | Configure container group | `nil` |
-| [agent.runAsUser](./values.yaml#L973) | string | Configure container user | `nil` |
-| [agent.secretEnvVars](./values.yaml#L1084) | list | Mount a secret as environment variable | `[]` |
-| [agent.serviceAccount](./values.yaml#L925) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
-| [agent.showRawYaml](./values.yaml#L1011) | bool |  | `true` |
-| [agent.sideContainerName](./values.yaml#L1101) | string | Side container name | `"jnlp"` |
-| [agent.skipTlsVerify](./values.yaml#L935) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
-| [agent.usageRestricted](./values.yaml#L937) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
-| [agent.useDefaultServiceAccount](./values.yaml#L921) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
-| [agent.volumes](./values.yaml#L1018) | list | Additional volumes | `[]` |
-| [agent.waitForPodSec](./values.yaml#L947) | int | Seconds to wait for pod to be running | `600` |
-| [agent.websocket](./values.yaml#L968) | bool | Enables agent communication via websockets | `false` |
-| [agent.workingDir](./values.yaml#L960) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
-| [agent.workspaceVolume](./values.yaml#L1053) | object | Workspace volume (defaults to EmptyDir) | `{}` |
-| [agent.yamlMergeStrategy](./values.yaml#L1142) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
-| [agent.yamlTemplate](./values.yaml#L1131) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
-| [awsSecurityGroupPolicies.enabled](./values.yaml#L1356) | bool |  | `false` |
-| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1358) | string |  | `""` |
-| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1360) | object |  | `{}` |
-| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1359) | list |  | `[]` |
-| [checkDeprecation](./values.yaml#L1353) | bool | Checks if any deprecated values are used | `true` |
+| [additionalAgents](./values.yaml#L1195) | object | Configure additional | `{}` |
+| [additionalClouds](./values.yaml#L1220) | object |  | `{}` |
+| [agent.TTYEnabled](./values.yaml#L1101) | bool | Allocate pseudo tty to the side container | `false` |
+| [agent.additionalContainers](./values.yaml#L1148) | list | Add additional containers to the agents | `[]` |
+| [agent.alwaysPullImage](./values.yaml#L994) | bool | Always pull agent container image before build | `false` |
+| [agent.annotations](./values.yaml#L1144) | object | Annotations to apply to the pod | `{}` |
+| [agent.args](./values.yaml#L1095) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
+| [agent.command](./values.yaml#L1093) | string | Command to execute when side container starts | `nil` |
+| [agent.componentName](./values.yaml#L962) | string |  | `"jenkins-agent"` |
+| [agent.connectTimeout](./values.yaml#L1142) | int | Timeout in seconds for an agent to be online | `100` |
+| [agent.containerCap](./values.yaml#L1103) | int | Max number of agents to launch | `10` |
+| [agent.customJenkinsLabels](./values.yaml#L959) | list | Append Jenkins labels to the agent | `[]` |
+| [agent.defaultsProviderTemplate](./values.yaml#L913) | string | The name of the pod template to use for providing default values | `""` |
+| [agent.directConnection](./values.yaml#L965) | bool |  | `false` |
+| [agent.disableDefaultAgent](./values.yaml#L1166) | bool | Disable the default Jenkins Agent configuration | `false` |
+| [agent.enabled](./values.yaml#L911) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
+| [agent.envVars](./values.yaml#L1076) | list | Environment variables for the agent Pod | `[]` |
+| [agent.garbageCollection.enabled](./values.yaml#L1110) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
+| [agent.garbageCollection.namespaces](./values.yaml#L1112) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
+| [agent.garbageCollection.timeout](./values.yaml#L1117) | int | Timeout value for orphaned pods | `300` |
+| [agent.hostNetworking](./values.yaml#L973) | bool | Enables the agent to use the host network | `false` |
+| [agent.idleMinutes](./values.yaml#L1120) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
+| [agent.image.repository](./values.yaml#L952) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
+| [agent.image.tag](./values.yaml#L954) | string | Tag of the image to pull | `"3273.v4cfe589b_fd83-1"` |
+| [agent.imagePullSecretName](./values.yaml#L961) | string | Name of the secret to be used to pull the image | `nil` |
+| [agent.inheritYamlMergeStrategy](./values.yaml#L1140) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
+| [agent.jenkinsTunnel](./values.yaml#L929) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
+| [agent.jenkinsUrl](./values.yaml#L925) | string | Overrides the Kubernetes Jenkins URL | `nil` |
+| [agent.jnlpregistry](./values.yaml#L949) | string | Custom registry used to pull the agent jnlp image from | `nil` |
+| [agent.kubernetesConnectTimeout](./values.yaml#L935) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
+| [agent.kubernetesReadTimeout](./values.yaml#L937) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
+| [agent.livenessProbe](./values.yaml#L984) | object |  | `{}` |
+| [agent.maxRequestsPerHostStr](./values.yaml#L939) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
+| [agent.namespace](./values.yaml#L945) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
+| [agent.nodeSelector](./values.yaml#L1087) | object | Node labels for pod assignment | `{}` |
+| [agent.nodeUsageMode](./values.yaml#L957) | string |  | `"NORMAL"` |
+| [agent.podLabels](./values.yaml#L947) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
+| [agent.podName](./values.yaml#L1105) | string | Agent Pod base name | `"default"` |
+| [agent.podRetention](./values.yaml#L1003) | string |  | `"Never"` |
+| [agent.podTemplates](./values.yaml#L1176) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
+| [agent.privileged](./values.yaml#L967) | bool | Agent privileged container | `false` |
+| [agent.resources](./values.yaml#L975) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
+| [agent.restrictedPssSecurityContext](./values.yaml#L1000) | bool | Set a restricted securityContext on jnlp containers | `false` |
+| [agent.retentionTimeout](./values.yaml#L941) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
+| [agent.runAsGroup](./values.yaml#L971) | string | Configure container group | `nil` |
+| [agent.runAsUser](./values.yaml#L969) | string | Configure container user | `nil` |
+| [agent.secretEnvVars](./values.yaml#L1080) | list | Mount a secret as environment variable | `[]` |
+| [agent.serviceAccount](./values.yaml#L921) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
+| [agent.showRawYaml](./values.yaml#L1007) | bool |  | `true` |
+| [agent.sideContainerName](./values.yaml#L1097) | string | Side container name | `"jnlp"` |
+| [agent.skipTlsVerify](./values.yaml#L931) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
+| [agent.usageRestricted](./values.yaml#L933) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
+| [agent.useDefaultServiceAccount](./values.yaml#L917) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
+| [agent.volumes](./values.yaml#L1014) | list | Additional volumes | `[]` |
+| [agent.waitForPodSec](./values.yaml#L943) | int | Seconds to wait for pod to be running | `600` |
+| [agent.websocket](./values.yaml#L964) | bool | Enables agent communication via websockets | `false` |
+| [agent.workingDir](./values.yaml#L956) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
+| [agent.workspaceVolume](./values.yaml#L1049) | object | Workspace volume (defaults to EmptyDir) | `{}` |
+| [agent.yamlMergeStrategy](./values.yaml#L1138) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
+| [agent.yamlTemplate](./values.yaml#L1127) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
+| [awsSecurityGroupPolicies.enabled](./values.yaml#L1348) | bool |  | `false` |
+| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1350) | string |  | `""` |
+| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1352) | object |  | `{}` |
+| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1351) | list |  | `[]` |
+| [checkDeprecation](./values.yaml#L1345) | bool | Checks if any deprecated values are used | `true` |
 | [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` |
-| [controller.JCasC.authorizationStrategy](./values.yaml#L543) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n  allowAnonymousRead: false"` |
-| [controller.JCasC.configMapAnnotations](./values.yaml#L548) | object | Annotations for the JCasC ConfigMap | `{}` |
-| [controller.JCasC.configScripts](./values.yaml#L517) | object | List of Jenkins Config as Code scripts | `{}` |
-| [controller.JCasC.configUrls](./values.yaml#L514) | list | Remote URLs for configuration files. | `[]` |
-| [controller.JCasC.defaultConfig](./values.yaml#L508) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
-| [controller.JCasC.overwriteConfiguration](./values.yaml#L512) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
-| [controller.JCasC.security](./values.yaml#L524) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
-| [controller.JCasC.securityRealm](./values.yaml#L532) | string | Jenkins Config as Code Security Realm-section | `"local:\n  allowsSignup: false\n  enableCaptcha: false\n  users:\n  - id: \"${chart-admin-username}\"\n    name: \"Jenkins Admin\"\n    password: \"${chart-admin-password}\""` |
-| [controller.additionalExistingSecrets](./values.yaml#L469) | list | List of additional existing secrets to mount | `[]` |
-| [controller.additionalPlugins](./values.yaml#L419) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
-| [controller.additionalSecrets](./values.yaml#L478) | list | List of additional secrets to create and mount | `[]` |
+| [controller.JCasC.authorizationStrategy](./values.yaml#L539) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n  allowAnonymousRead: false"` |
+| [controller.JCasC.configMapAnnotations](./values.yaml#L544) | object | Annotations for the JCasC ConfigMap | `{}` |
+| [controller.JCasC.configScripts](./values.yaml#L513) | object | List of Jenkins Config as Code scripts | `{}` |
+| [controller.JCasC.configUrls](./values.yaml#L510) | list | Remote URLs for configuration files. | `[]` |
+| [controller.JCasC.defaultConfig](./values.yaml#L504) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
+| [controller.JCasC.overwriteConfiguration](./values.yaml#L508) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
+| [controller.JCasC.security](./values.yaml#L520) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
+| [controller.JCasC.securityRealm](./values.yaml#L528) | string | Jenkins Config as Code Security Realm-section | `"local:\n  allowsSignup: false\n  enableCaptcha: false\n  users:\n  - id: \"${chart-admin-username}\"\n    name: \"Jenkins Admin\"\n    password: \"${chart-admin-password}\""` |
+| [controller.additionalExistingSecrets](./values.yaml#L465) | list | List of additional existing secrets to mount | `[]` |
+| [controller.additionalPlugins](./values.yaml#L415) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
+| [controller.additionalSecrets](./values.yaml#L474) | list | List of additional secrets to create and mount | `[]` |
 | [controller.admin.createSecret](./values.yaml#L91) | bool | Create secret for admin user | `true` |
 | [controller.admin.existingSecret](./values.yaml#L94) | string | The name of an existing secret containing the admin credentials | `""` |
 | [controller.admin.password](./values.yaml#L81) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `<random password>` |
 | [controller.admin.passwordKey](./values.yaml#L86) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` |
 | [controller.admin.userKey](./values.yaml#L84) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` |
 | [controller.admin.username](./values.yaml#L78) | string | Admin username created as a secret if `controller.admin.createSecret` is true | `"admin"` |
-| [controller.affinity](./values.yaml#L670) | object | Affinity settings | `{}` |
-| [controller.agentListenerEnabled](./values.yaml#L328) | bool | Create Agent listener service | `true` |
-| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L338) | string | Traffic Policy of for the agentListener service | `nil` |
-| [controller.agentListenerHostPort](./values.yaml#L332) | string | Host port to listen for agents | `nil` |
-| [controller.agentListenerLoadBalancerIP](./values.yaml#L368) | string | Static IP for the agentListener LoadBalancer | `nil` |
-| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L340) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
-| [controller.agentListenerNodePort](./values.yaml#L334) | string | Node port to listen for agents | `nil` |
-| [controller.agentListenerPort](./values.yaml#L330) | int | Listening port for agents | `50000` |
-| [controller.agentListenerServiceAnnotations](./values.yaml#L363) | object | Annotations for the agentListener service | `{}` |
-| [controller.agentListenerServiceType](./values.yaml#L360) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
-| [controller.backendconfig.annotations](./values.yaml#L773) | object | backendconfig annotations | `{}` |
-| [controller.backendconfig.apiVersion](./values.yaml#L767) | string | backendconfig API version | `"extensions/v1beta1"` |
-| [controller.backendconfig.enabled](./values.yaml#L765) | bool | Enables backendconfig | `false` |
-| [controller.backendconfig.labels](./values.yaml#L771) | object | backendconfig labels | `{}` |
-| [controller.backendconfig.name](./values.yaml#L769) | string | backendconfig name | `nil` |
-| [controller.backendconfig.spec](./values.yaml#L775) | object | backendconfig spec | `{}` |
-| [controller.cloudName](./values.yaml#L497) | string | Name of default cloud configuration. | `"kubernetes"` |
+| [controller.affinity](./values.yaml#L666) | object | Affinity settings | `{}` |
+| [controller.agentListenerEnabled](./values.yaml#L324) | bool | Create Agent listener service | `true` |
+| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L334) | string | Traffic Policy of for the agentListener service | `nil` |
+| [controller.agentListenerHostPort](./values.yaml#L328) | string | Host port to listen for agents | `nil` |
+| [controller.agentListenerLoadBalancerIP](./values.yaml#L364) | string | Static IP for the agentListener LoadBalancer | `nil` |
+| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L336) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
+| [controller.agentListenerNodePort](./values.yaml#L330) | string | Node port to listen for agents | `nil` |
+| [controller.agentListenerPort](./values.yaml#L326) | int | Listening port for agents | `50000` |
+| [controller.agentListenerServiceAnnotations](./values.yaml#L359) | object | Annotations for the agentListener service | `{}` |
+| [controller.agentListenerServiceType](./values.yaml#L356) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
+| [controller.backendconfig.annotations](./values.yaml#L769) | object | backendconfig annotations | `{}` |
+| [controller.backendconfig.apiVersion](./values.yaml#L763) | string | backendconfig API version | `"extensions/v1beta1"` |
+| [controller.backendconfig.enabled](./values.yaml#L761) | bool | Enables backendconfig | `false` |
+| [controller.backendconfig.labels](./values.yaml#L767) | object | backendconfig labels | `{}` |
+| [controller.backendconfig.name](./values.yaml#L765) | string | backendconfig name | `nil` |
+| [controller.backendconfig.spec](./values.yaml#L771) | object | backendconfig spec | `{}` |
+| [controller.cloudName](./values.yaml#L493) | string | Name of default cloud configuration. | `"kubernetes"` |
 | [controller.clusterIp](./values.yaml#L223) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` |
 | [controller.componentName](./values.yaml#L34) | string | Used for label app.kubernetes.io/component | `"jenkins-controller"` |
 | [controller.containerEnv](./values.yaml#L156) | list | Environment variables for Jenkins Container | `[]` |
 | [controller.containerEnvFrom](./values.yaml#L153) | list | Environment variable sources for Jenkins Container | `[]` |
 | [controller.containerSecurityContext](./values.yaml#L211) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` |
-| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L349) | bool | Enable the default CSRF Crumb issuer | `true` |
-| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L351) | bool | Enable proxy compatibility | `true` |
-| [controller.customInitContainers](./values.yaml#L551) | list | Custom init-container specification in raw-yaml format | `[]` |
+| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L345) | bool | Enable the default CSRF Crumb issuer | `true` |
+| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L347) | bool | Enable proxy compatibility | `true` |
+| [controller.customInitContainers](./values.yaml#L547) | list | Custom init-container specification in raw-yaml format | `[]` |
 | [controller.customJenkinsLabels](./values.yaml#L68) | list | Append Jenkins labels to the controller | `[]` |
 | [controller.disableRememberMe](./values.yaml#L59) | bool | Disable use of remember me | `false` |
-| [controller.disabledAgentProtocols](./values.yaml#L343) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
-| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L439) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
+| [controller.disabledAgentProtocols](./values.yaml#L339) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
+| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L435) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
 | [controller.enableServiceLinks](./values.yaml#L130) | bool |  | `false` |
 | [controller.executorMode](./values.yaml#L65) | string | Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" | `"NORMAL"` |
-| [controller.existingSecret](./values.yaml#L466) | string |  | `nil` |
-| [controller.extraPorts](./values.yaml#L398) | list | Optionally configure other ports to expose in the controller container | `[]` |
+| [controller.existingSecret](./values.yaml#L462) | string |  | `nil` |
+| [controller.extraPorts](./values.yaml#L394) | list | Optionally configure other ports to expose in the controller container | `[]` |
 | [controller.fsGroup](./values.yaml#L192) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
-| [controller.googlePodMonitor.enabled](./values.yaml#L836) | bool |  | `false` |
-| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L841) | string |  | `"/prometheus"` |
-| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L839) | string |  | `"60s"` |
-| [controller.healthProbes](./values.yaml#L258) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
-| [controller.hostAliases](./values.yaml#L789) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
+| [controller.googlePodMonitor.enabled](./values.yaml#L832) | bool |  | `false` |
+| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L837) | string |  | `"/prometheus"` |
+| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L835) | string |  | `"60s"` |
+| [controller.healthProbes](./values.yaml#L254) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
+| [controller.hostAliases](./values.yaml#L785) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
 | [controller.hostNetworking](./values.yaml#L70) | bool |  | `false` |
-| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L857) | bool |  | `false` |
-| [controller.httpsKeyStore.enable](./values.yaml#L848) | bool | Enables HTTPS keystore on jenkins controller | `false` |
-| [controller.httpsKeyStore.fileName](./values.yaml#L865) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
-| [controller.httpsKeyStore.httpPort](./values.yaml#L861) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
-| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L856) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
-| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L854) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
-| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L852) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
-| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L850) | string | Name of the secret that already has ssl keystore | `""` |
-| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L870) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
-| [controller.httpsKeyStore.password](./values.yaml#L867) | string | Jenkins keystore password | `"password"` |
-| [controller.httpsKeyStore.path](./values.yaml#L863) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
+| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L853) | bool |  | `false` |
+| [controller.httpsKeyStore.enable](./values.yaml#L844) | bool | Enables HTTPS keystore on jenkins controller | `false` |
+| [controller.httpsKeyStore.fileName](./values.yaml#L861) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
+| [controller.httpsKeyStore.httpPort](./values.yaml#L857) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
+| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L852) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
+| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L850) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
+| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L848) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
+| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L846) | string | Name of the secret that already has ssl keystore | `""` |
+| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L866) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
+| [controller.httpsKeyStore.password](./values.yaml#L863) | string | Jenkins keystore password | `"password"` |
+| [controller.httpsKeyStore.path](./values.yaml#L859) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
 | [controller.image.pullPolicy](./values.yaml#L47) | string | Controller image pull policy | `"Always"` |
 | [controller.image.registry](./values.yaml#L37) | string | Controller image registry | `"docker.io"` |
 | [controller.image.repository](./values.yaml#L39) | string | Controller image repository | `"jenkins/jenkins"` |
 | [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk17" | `nil` |
 | [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk17"` |
 | [controller.imagePullSecretName](./values.yaml#L49) | string | Controller image pull secret | `nil` |
-| [controller.ingress.annotations](./values.yaml#L712) | object | Ingress annotations | `{}` |
-| [controller.ingress.apiVersion](./values.yaml#L708) | string | Ingress API version | `"extensions/v1beta1"` |
-| [controller.ingress.enabled](./values.yaml#L691) | bool | Enables ingress | `false` |
-| [controller.ingress.hostName](./values.yaml#L725) | string | Ingress hostname | `nil` |
-| [controller.ingress.labels](./values.yaml#L710) | object | Ingress labels | `{}` |
-| [controller.ingress.path](./values.yaml#L721) | string | Ingress path | `nil` |
-| [controller.ingress.paths](./values.yaml#L695) | list | Override for the default Ingress paths | `[]` |
-| [controller.ingress.resourceRootUrl](./values.yaml#L727) | string | Hostname to serve assets from | `nil` |
-| [controller.ingress.tls](./values.yaml#L729) | list | Ingress TLS configuration | `[]` |
-| [controller.initConfigMap](./values.yaml#L456) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
+| [controller.ingress.annotations](./values.yaml#L708) | object | Ingress annotations | `{}` |
+| [controller.ingress.apiVersion](./values.yaml#L704) | string | Ingress API version | `"extensions/v1beta1"` |
+| [controller.ingress.enabled](./values.yaml#L687) | bool | Enables ingress | `false` |
+| [controller.ingress.hostName](./values.yaml#L721) | string | Ingress hostname | `nil` |
+| [controller.ingress.labels](./values.yaml#L706) | object | Ingress labels | `{}` |
+| [controller.ingress.path](./values.yaml#L717) | string | Ingress path | `nil` |
+| [controller.ingress.paths](./values.yaml#L691) | list | Override for the default Ingress paths | `[]` |
+| [controller.ingress.resourceRootUrl](./values.yaml#L723) | string | Hostname to serve assets from | `nil` |
+| [controller.ingress.tls](./values.yaml#L725) | list | Ingress TLS configuration | `[]` |
+| [controller.initConfigMap](./values.yaml#L452) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
 | [controller.initContainerEnv](./values.yaml#L147) | list | Environment variables for Init Container | `[]` |
 | [controller.initContainerEnvFrom](./values.yaml#L143) | list | Environment variable sources for Init Container | `[]` |
 | [controller.initContainerResources](./values.yaml#L134) | object | Resources allocation (Requests and Limits) for Init Container | `{}` |
-| [controller.initScripts](./values.yaml#L452) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
-| [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
-| [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` |
-| [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
-| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4313.va_9b_4fe2a_0e34","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
+| [controller.initScripts](./values.yaml#L448) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
+| [controller.initializeOnce](./values.yaml#L420) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
+| [controller.installLatestPlugins](./values.yaml#L409) | bool | Download the minimum required version or latest version of all dependencies | `true` |
+| [controller.installLatestSpecifiedPlugins](./values.yaml#L412) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
+| [controller.installPlugins](./values.yaml#L401) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4296.v20a_7e4d77cf6","workflow-aggregator:600.vb_57cdd26fdd7","git:5.6.0","configuration-as-code:1897.v79281e066ea_7"]` |
 | [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` |
 | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
 | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
@@ -175,147 +175,144 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.jenkinsUrl](./values.yaml#L174) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` |
 | [controller.jenkinsUrlProtocol](./values.yaml#L171) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` |
 | [controller.jenkinsWar](./values.yaml#L109) | string |  | `"/usr/share/jenkins/jenkins.war"` |
-| [controller.jmxPort](./values.yaml#L395) | string | Open a port, for JMX stats | `nil` |
-| [controller.legacyRemotingSecurityEnabled](./values.yaml#L371) | bool | Whether legacy remoting security should be enabled | `false` |
+| [controller.jmxPort](./values.yaml#L391) | string | Open a port, for JMX stats | `nil` |
+| [controller.legacyRemotingSecurityEnabled](./values.yaml#L367) | bool | Whether legacy remoting security should be enabled | `false` |
 | [controller.lifecycle](./values.yaml#L51) | object | Lifecycle specification for controller-container | `{}` |
-| [controller.loadBalancerIP](./values.yaml#L386) | string | Optionally assign a known public LB IP | `nil` |
-| [controller.loadBalancerSourceRanges](./values.yaml#L382) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
-| [controller.markupFormatter](./values.yaml#L443) | string | Yaml of the markup formatter to use | `"plainText"` |
+| [controller.loadBalancerIP](./values.yaml#L382) | string | Optionally assign a known public LB IP | `nil` |
+| [controller.loadBalancerSourceRanges](./values.yaml#L378) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
+| [controller.markupFormatter](./values.yaml#L439) | string | Yaml of the markup formatter to use | `"plainText"` |
 | [controller.nodePort](./values.yaml#L229) | string | k8s node port. Only used if serviceType is NodePort | `nil` |
-| [controller.nodeSelector](./values.yaml#L657) | object | Node labels for pod assignment | `{}` |
+| [controller.nodeSelector](./values.yaml#L653) | object | Node labels for pod assignment | `{}` |
 | [controller.numExecutors](./values.yaml#L62) | int | Set Number of executors | `0` |
-| [controller.overwritePlugins](./values.yaml#L428) | bool | Overwrite installed plugins on start | `false` |
-| [controller.overwritePluginsFromImage](./values.yaml#L432) | bool | Overwrite plugins that are already installed in the controller image | `true` |
-| [controller.podAnnotations](./values.yaml#L678) | object | Annotations for controller pod | `{}` |
-| [controller.podDisruptionBudget.annotations](./values.yaml#L322) | object |  | `{}` |
-| [controller.podDisruptionBudget.apiVersion](./values.yaml#L320) | string | Policy API version | `"policy/v1beta1"` |
-| [controller.podDisruptionBudget.enabled](./values.yaml#L315) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
-| [controller.podDisruptionBudget.labels](./values.yaml#L323) | object |  | `{}` |
-| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L325) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
-| [controller.podLabels](./values.yaml#L251) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
+| [controller.overwritePlugins](./values.yaml#L424) | bool | Overwrite installed plugins on start | `false` |
+| [controller.overwritePluginsFromImage](./values.yaml#L428) | bool | Overwrite plugins that are already installed in the controller image | `true` |
+| [controller.podAnnotations](./values.yaml#L674) | object | Annotations for controller pod | `{}` |
+| [controller.podDisruptionBudget.annotations](./values.yaml#L318) | object |  | `{}` |
+| [controller.podDisruptionBudget.apiVersion](./values.yaml#L316) | string | Policy API version | `"policy/v1beta1"` |
+| [controller.podDisruptionBudget.enabled](./values.yaml#L311) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
+| [controller.podDisruptionBudget.labels](./values.yaml#L319) | object |  | `{}` |
+| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L321) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
+| [controller.podLabels](./values.yaml#L247) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
 | [controller.podSecurityContextOverride](./values.yaml#L208) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` |
-| [controller.priorityClassName](./values.yaml#L675) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
-| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L276) | int | Set the failure threshold for the liveness probe | `5` |
-| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L279) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L281) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
-| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L290) | string | Set the initial delay for the liveness probe in seconds | `nil` |
-| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L283) | int | Set the time interval between two liveness probes executions in seconds | `10` |
-| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L285) | int | Set the timeout for the liveness probe in seconds | `5` |
-| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L294) | int | Set the failure threshold for the readiness probe | `3` |
-| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L297) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L299) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
-| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L308) | string | Set the initial delay for the readiness probe in seconds | `nil` |
-| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L301) | int | Set the time interval between two readiness probes executions in seconds | `10` |
-| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L303) | int | Set the timeout for the readiness probe in seconds | `5` |
-| [controller.probes.startupProbe.failureThreshold](./values.yaml#L263) | int | Set the failure threshold for the startup probe | `12` |
-| [controller.probes.startupProbe.httpGet.path](./values.yaml#L266) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
-| [controller.probes.startupProbe.httpGet.port](./values.yaml#L268) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
-| [controller.probes.startupProbe.periodSeconds](./values.yaml#L270) | int | Set the time interval between two startup probes executions in seconds | `10` |
-| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L272) | int | Set the timeout for the startup probe in seconds | `5` |
-| [controller.projectNamingStrategy](./values.yaml#L435) | string |  | `"standard"` |
-| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L822) | object | Additional labels to add to the PrometheusRule object | `{}` |
-| [controller.prometheus.alertingrules](./values.yaml#L820) | list | Array of prometheus alerting rules | `[]` |
-| [controller.prometheus.enabled](./values.yaml#L805) | bool | Enables prometheus service monitor | `false` |
-| [controller.prometheus.metricRelabelings](./values.yaml#L832) | list |  | `[]` |
-| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L824) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
-| [controller.prometheus.relabelings](./values.yaml#L830) | list |  | `[]` |
-| [controller.prometheus.scrapeEndpoint](./values.yaml#L815) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
-| [controller.prometheus.scrapeInterval](./values.yaml#L811) | string | How often prometheus should scrape metrics | `"60s"` |
-| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L807) | object | Additional labels to add to the service monitor object | `{}` |
-| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L809) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
-| [controller.publishNotReadyAddresses](./values.yaml#L237) | string |  | `nil` |
+| [controller.priorityClassName](./values.yaml#L671) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
+| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L272) | int | Set the failure threshold for the liveness probe | `5` |
+| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L275) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L277) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
+| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L286) | string | Set the initial delay for the liveness probe in seconds | `nil` |
+| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L279) | int | Set the time interval between two liveness probes executions in seconds | `10` |
+| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L281) | int | Set the timeout for the liveness probe in seconds | `5` |
+| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L290) | int | Set the failure threshold for the readiness probe | `3` |
+| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L293) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L295) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
+| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L304) | string | Set the initial delay for the readiness probe in seconds | `nil` |
+| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L297) | int | Set the time interval between two readiness probes executions in seconds | `10` |
+| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L299) | int | Set the timeout for the readiness probe in seconds | `5` |
+| [controller.probes.startupProbe.failureThreshold](./values.yaml#L259) | int | Set the failure threshold for the startup probe | `12` |
+| [controller.probes.startupProbe.httpGet.path](./values.yaml#L262) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
+| [controller.probes.startupProbe.httpGet.port](./values.yaml#L264) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
+| [controller.probes.startupProbe.periodSeconds](./values.yaml#L266) | int | Set the time interval between two startup probes executions in seconds | `10` |
+| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L268) | int | Set the timeout for the startup probe in seconds | `5` |
+| [controller.projectNamingStrategy](./values.yaml#L431) | string |  | `"standard"` |
+| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L818) | object | Additional labels to add to the PrometheusRule object | `{}` |
+| [controller.prometheus.alertingrules](./values.yaml#L816) | list | Array of prometheus alerting rules | `[]` |
+| [controller.prometheus.enabled](./values.yaml#L801) | bool | Enables prometheus service monitor | `false` |
+| [controller.prometheus.metricRelabelings](./values.yaml#L828) | list |  | `[]` |
+| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L820) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
+| [controller.prometheus.relabelings](./values.yaml#L826) | list |  | `[]` |
+| [controller.prometheus.scrapeEndpoint](./values.yaml#L811) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
+| [controller.prometheus.scrapeInterval](./values.yaml#L807) | string | How often prometheus should scrape metrics | `"60s"` |
+| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L803) | object | Additional labels to add to the service monitor object | `{}` |
+| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L805) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
 | [controller.resources](./values.yaml#L115) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` |
-| [controller.route.annotations](./values.yaml#L784) | object | Route annotations | `{}` |
-| [controller.route.enabled](./values.yaml#L780) | bool | Enables openshift route | `false` |
-| [controller.route.labels](./values.yaml#L782) | object | Route labels | `{}` |
-| [controller.route.path](./values.yaml#L786) | string | Route path | `nil` |
+| [controller.route.annotations](./values.yaml#L780) | object | Route annotations | `{}` |
+| [controller.route.enabled](./values.yaml#L776) | bool | Enables openshift route | `false` |
+| [controller.route.labels](./values.yaml#L778) | object | Route labels | `{}` |
+| [controller.route.path](./values.yaml#L782) | string | Route path | `nil` |
 | [controller.runAsUser](./values.yaml#L189) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
-| [controller.schedulerName](./values.yaml#L653) | string | Name of the Kubernetes scheduler to use | `""` |
-| [controller.scriptApproval](./values.yaml#L447) | list | List of groovy functions to approve | `[]` |
-| [controller.secondaryingress.annotations](./values.yaml#L747) | object |  | `{}` |
-| [controller.secondaryingress.apiVersion](./values.yaml#L745) | string |  | `"extensions/v1beta1"` |
-| [controller.secondaryingress.enabled](./values.yaml#L739) | bool |  | `false` |
-| [controller.secondaryingress.hostName](./values.yaml#L754) | string |  | `nil` |
-| [controller.secondaryingress.labels](./values.yaml#L746) | object |  | `{}` |
-| [controller.secondaryingress.paths](./values.yaml#L742) | list |  | `[]` |
-| [controller.secondaryingress.tls](./values.yaml#L755) | string |  | `nil` |
-| [controller.secretClaims](./values.yaml#L490) | list | List of `SecretClaim` resources to create | `[]` |
+| [controller.schedulerName](./values.yaml#L649) | string | Name of the Kubernetes scheduler to use | `""` |
+| [controller.scriptApproval](./values.yaml#L443) | list | List of groovy functions to approve | `[]` |
+| [controller.secondaryingress.annotations](./values.yaml#L743) | object |  | `{}` |
+| [controller.secondaryingress.apiVersion](./values.yaml#L741) | string |  | `"extensions/v1beta1"` |
+| [controller.secondaryingress.enabled](./values.yaml#L735) | bool |  | `false` |
+| [controller.secondaryingress.hostName](./values.yaml#L750) | string |  | `nil` |
+| [controller.secondaryingress.labels](./values.yaml#L742) | object |  | `{}` |
+| [controller.secondaryingress.paths](./values.yaml#L738) | list |  | `[]` |
+| [controller.secondaryingress.tls](./values.yaml#L751) | string |  | `nil` |
+| [controller.secretClaims](./values.yaml#L486) | list | List of `SecretClaim` resources to create | `[]` |
 | [controller.securityContextCapabilities](./values.yaml#L198) | object |  | `{}` |
-| [controller.serviceAnnotations](./values.yaml#L240) | object | Jenkins controller service annotations | `{}` |
+| [controller.serviceAnnotations](./values.yaml#L236) | object | Jenkins controller service annotations | `{}` |
 | [controller.serviceExternalTrafficPolicy](./values.yaml#L233) | string |  | `nil` |
-| [controller.serviceLabels](./values.yaml#L246) | object | Labels for the Jenkins controller-service | `{}` |
+| [controller.serviceLabels](./values.yaml#L242) | object | Labels for the Jenkins controller-service | `{}` |
 | [controller.servicePort](./values.yaml#L225) | int | k8s service port | `8080` |
 | [controller.serviceType](./values.yaml#L220) | string | k8s service type | `"ClusterIP"` |
 | [controller.shareProcessNamespace](./values.yaml#L124) | bool |  | `false` |
-| [controller.sidecars.additionalSidecarContainers](./values.yaml#L635) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
-| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L581) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
-| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L630) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
-| [controller.sidecars.configAutoReload.enabled](./values.yaml#L564) | bool | Enables Jenkins Config as Code auto-reload | `true` |
-| [controller.sidecars.configAutoReload.env](./values.yaml#L612) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
-| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L610) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
-| [controller.sidecars.configAutoReload.folder](./values.yaml#L623) | string |  | `"/var/jenkins_home/casc_configs"` |
-| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L567) | string | Registry for the image that triggers the reload | `"docker.io"` |
-| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L569) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
-| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L571) | string | Tag for the image that triggers the reload | `"1.30.1"` |
-| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L572) | string |  | `"IfNotPresent"` |
-| [controller.sidecars.configAutoReload.logging](./values.yaml#L587) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
-| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L591) | bool | Enables custom log config utilizing using the settings below. | `false` |
-| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L605) | int | How many connection-related errors to retry on | `10` |
-| [controller.sidecars.configAutoReload.resources](./values.yaml#L573) | object |  | `{}` |
-| [controller.sidecars.configAutoReload.scheme](./values.yaml#L600) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
-| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L602) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
-| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L607) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
-| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L621) | int |  | `1044` |
-| [controller.statefulSetAnnotations](./values.yaml#L680) | object | Annotations for controller StatefulSet | `{}` |
-| [controller.statefulSetLabels](./values.yaml#L242) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
+| [controller.sidecars.additionalSidecarContainers](./values.yaml#L631) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
+| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L577) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
+| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L626) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
+| [controller.sidecars.configAutoReload.enabled](./values.yaml#L560) | bool | Enables Jenkins Config as Code auto-reload | `true` |
+| [controller.sidecars.configAutoReload.env](./values.yaml#L608) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
+| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L606) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
+| [controller.sidecars.configAutoReload.folder](./values.yaml#L619) | string |  | `"/var/jenkins_home/casc_configs"` |
+| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L563) | string | Registry for the image that triggers the reload | `"docker.io"` |
+| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L565) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
+| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L567) | string | Tag for the image that triggers the reload | `"1.28.0"` |
+| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L568) | string |  | `"IfNotPresent"` |
+| [controller.sidecars.configAutoReload.logging](./values.yaml#L583) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
+| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L587) | bool | Enables custom log config utilizing using the settings below. | `false` |
+| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L601) | int | How many connection-related errors to retry on | `10` |
+| [controller.sidecars.configAutoReload.resources](./values.yaml#L569) | object |  | `{}` |
+| [controller.sidecars.configAutoReload.scheme](./values.yaml#L596) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
+| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L598) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
+| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L603) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
+| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L617) | int |  | `1044` |
+| [controller.statefulSetAnnotations](./values.yaml#L676) | object | Annotations for controller StatefulSet | `{}` |
+| [controller.statefulSetLabels](./values.yaml#L238) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
 | [controller.targetPort](./values.yaml#L227) | int | k8s target port | `8080` |
-| [controller.terminationGracePeriodSeconds](./values.yaml#L663) | string | Set TerminationGracePeriodSeconds | `nil` |
-| [controller.terminationMessagePath](./values.yaml#L665) | string | Set the termination message path | `nil` |
-| [controller.terminationMessagePolicy](./values.yaml#L667) | string | Set the termination message policy | `nil` |
-| [controller.testEnabled](./values.yaml#L844) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
-| [controller.tolerations](./values.yaml#L661) | list | Toleration labels for pod assignment | `[]` |
-| [controller.topologySpreadConstraints](./values.yaml#L687) | object | Topology spread constraints | `{}` |
-| [controller.updateStrategy](./values.yaml#L684) | object | Update strategy for StatefulSet | `{}` |
+| [controller.terminationGracePeriodSeconds](./values.yaml#L659) | string | Set TerminationGracePeriodSeconds | `nil` |
+| [controller.terminationMessagePath](./values.yaml#L661) | string | Set the termination message path | `nil` |
+| [controller.terminationMessagePolicy](./values.yaml#L663) | string | Set the termination message policy | `nil` |
+| [controller.testEnabled](./values.yaml#L840) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
+| [controller.tolerations](./values.yaml#L657) | list | Toleration labels for pod assignment | `[]` |
+| [controller.topologySpreadConstraints](./values.yaml#L683) | object | Topology spread constraints | `{}` |
+| [controller.updateStrategy](./values.yaml#L680) | object | Update strategy for StatefulSet | `{}` |
 | [controller.usePodSecurityContext](./values.yaml#L182) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
 | [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` |
 | [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
-| [helmtest.bats.image.registry](./values.yaml#L1369) | string | Registry of the image used to test the framework | `"docker.io"` |
-| [helmtest.bats.image.repository](./values.yaml#L1371) | string | Repository of the image used to test the framework | `"bats/bats"` |
-| [helmtest.bats.image.tag](./values.yaml#L1373) | string | Tag of the image to test the framework | `"1.11.1"` |
+| [helmtest.bats.image.registry](./values.yaml#L1361) | string | Registry of the image used to test the framework | `"docker.io"` |
+| [helmtest.bats.image.repository](./values.yaml#L1363) | string | Repository of the image used to test the framework | `"bats/bats"` |
+| [helmtest.bats.image.tag](./values.yaml#L1365) | string | Tag of the image to test the framework | `"1.11.0"` |
 | [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
 | [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
 | [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
-| [networkPolicy.apiVersion](./values.yaml#L1293) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
-| [networkPolicy.enabled](./values.yaml#L1288) | bool | Enable the creation of NetworkPolicy resources | `false` |
-| [networkPolicy.externalAgents.except](./values.yaml#L1307) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
-| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1305) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
-| [networkPolicy.internalAgents.allowed](./values.yaml#L1297) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
-| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1301) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
-| [networkPolicy.internalAgents.podLabels](./values.yaml#L1299) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
-| [persistence.accessMode](./values.yaml#L1263) | string | The PVC access mode | `"ReadWriteOnce"` |
-| [persistence.annotations](./values.yaml#L1259) | object | Annotations for the PVC | `{}` |
-| [persistence.dataSource](./values.yaml#L1269) | object | Existing data source to clone PVC from | `{}` |
-| [persistence.enabled](./values.yaml#L1243) | bool | Enable the use of a Jenkins PVC | `true` |
-| [persistence.existingClaim](./values.yaml#L1249) | string | Provide the name of a PVC | `nil` |
-| [persistence.labels](./values.yaml#L1261) | object | Labels for the PVC | `{}` |
-| [persistence.mounts](./values.yaml#L1281) | list | Additional mounts | `[]` |
-| [persistence.size](./values.yaml#L1265) | string | The size of the PVC | `"8Gi"` |
-| [persistence.storageClass](./values.yaml#L1257) | string | Storage class for the PVC | `nil` |
-| [persistence.subPath](./values.yaml#L1274) | string | SubPath for jenkins-home mount | `nil` |
-| [persistence.volumes](./values.yaml#L1276) | list | Additional volumes | `[]` |
-| [rbac.create](./values.yaml#L1313) | bool | Whether RBAC resources are created | `true` |
-| [rbac.readSecrets](./values.yaml#L1315) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
-| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1317) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
+| [networkPolicy.apiVersion](./values.yaml#L1289) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
+| [networkPolicy.enabled](./values.yaml#L1284) | bool | Enable the creation of NetworkPolicy resources | `false` |
+| [networkPolicy.externalAgents.except](./values.yaml#L1303) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
+| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1301) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
+| [networkPolicy.internalAgents.allowed](./values.yaml#L1293) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
+| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1297) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
+| [networkPolicy.internalAgents.podLabels](./values.yaml#L1295) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
+| [persistence.accessMode](./values.yaml#L1259) | string | The PVC access mode | `"ReadWriteOnce"` |
+| [persistence.annotations](./values.yaml#L1255) | object | Annotations for the PVC | `{}` |
+| [persistence.dataSource](./values.yaml#L1265) | object | Existing data source to clone PVC from | `{}` |
+| [persistence.enabled](./values.yaml#L1239) | bool | Enable the use of a Jenkins PVC | `true` |
+| [persistence.existingClaim](./values.yaml#L1245) | string | Provide the name of a PVC | `nil` |
+| [persistence.labels](./values.yaml#L1257) | object | Labels for the PVC | `{}` |
+| [persistence.mounts](./values.yaml#L1277) | list | Additional mounts | `[]` |
+| [persistence.size](./values.yaml#L1261) | string | The size of the PVC | `"8Gi"` |
+| [persistence.storageClass](./values.yaml#L1253) | string | Storage class for the PVC | `nil` |
+| [persistence.subPath](./values.yaml#L1270) | string | SubPath for jenkins-home mount | `nil` |
+| [persistence.volumes](./values.yaml#L1272) | list | Additional volumes | `[]` |
+| [rbac.create](./values.yaml#L1309) | bool | Whether RBAC resources are created | `true` |
+| [rbac.readSecrets](./values.yaml#L1311) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
+| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1313) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
 | [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
-| [serviceAccount.annotations](./values.yaml#L1327) | object | Configures annotations for the ServiceAccount | `{}` |
-| [serviceAccount.automountServiceAccountToken](./values.yaml#L1333) | bool | Auto-mount ServiceAccount token | `true` |
-| [serviceAccount.create](./values.yaml#L1321) | bool | Configures if a ServiceAccount with this name should be created | `true` |
-| [serviceAccount.extraLabels](./values.yaml#L1329) | object | Configures extra labels for the ServiceAccount | `{}` |
-| [serviceAccount.imagePullSecretName](./values.yaml#L1331) | string | Controller ServiceAccount image pull secret | `nil` |
-| [serviceAccount.name](./values.yaml#L1325) | string |  | `nil` |
-| [serviceAccountAgent.annotations](./values.yaml#L1344) | object | Configures annotations for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.automountServiceAccountToken](./values.yaml#L1350) | bool | Auto-mount ServiceAccount token | `true` |
-| [serviceAccountAgent.create](./values.yaml#L1338) | bool | Configures if an agent ServiceAccount should be created | `false` |
-| [serviceAccountAgent.extraLabels](./values.yaml#L1346) | object | Configures extra labels for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1348) | string | Agent ServiceAccount image pull secret | `nil` |
-| [serviceAccountAgent.name](./values.yaml#L1342) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
+| [serviceAccount.annotations](./values.yaml#L1323) | object | Configures annotations for the ServiceAccount | `{}` |
+| [serviceAccount.create](./values.yaml#L1317) | bool | Configures if a ServiceAccount with this name should be created | `true` |
+| [serviceAccount.extraLabels](./values.yaml#L1325) | object | Configures extra labels for the ServiceAccount | `{}` |
+| [serviceAccount.imagePullSecretName](./values.yaml#L1327) | string | Controller ServiceAccount image pull secret | `nil` |
+| [serviceAccount.name](./values.yaml#L1321) | string |  | `nil` |
+| [serviceAccountAgent.annotations](./values.yaml#L1338) | object | Configures annotations for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.create](./values.yaml#L1332) | bool | Configures if an agent ServiceAccount should be created | `false` |
+| [serviceAccountAgent.extraLabels](./values.yaml#L1340) | object | Configures extra labels for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1342) | string | Agent ServiceAccount image pull secret | `nil` |
+| [serviceAccountAgent.name](./values.yaml#L1336) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |

charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl

@@ -309,7 +309,6 @@ jenkins:
   {{- /* restore root */}}
   {{- $_ := set $ "Values" $oldRoot.Values }}
   {{- end }}
-  slaveAgentPort: {{ .Values.controller.agentListenerPort }}
   {{- if .Values.controller.csrf.defaultCrumbIssuer.enabled }}
   crumbIssuer:
     standard:

charts/kubezero-ci/charts/jenkins/templates/home-pvc.yaml

@@ -34,7 +34,7 @@ spec:
 {{- if (eq "-" .Values.persistence.storageClass) }}
   storageClassName: ""
 {{- else }}
-  storageClassName: "{{ tpl .Values.persistence.storageClass . }}"
+  storageClassName: "{{ .Values.persistence.storageClass }}"
 {{- end }}
 {{- end }}
 {{- end }}

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-ingress.yaml

@@ -23,12 +23,12 @@ metadata:
 {{- end }}
 {{- if .Values.controller.ingress.annotations }}
   annotations:
-{{ tpl (toYaml .Values.controller.ingress.annotations) . | indent 4 }}
+{{ toYaml .Values.controller.ingress.annotations | indent 4 }}
 {{- end }}
   name: {{ template "jenkins.fullname" . }}
 spec:
 {{- if .Values.controller.ingress.ingressClassName }}
-  ingressClassName: {{ tpl .Values.controller.ingress.ingressClassName . | quote }}
+  ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }}
 {{- end }}
   rules:
   - http:

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-statefulset.yaml

@@ -107,7 +107,6 @@ spec:
   {{- end }}
 {{- end }}
       serviceAccountName: "{{ template "jenkins.serviceAccountName" . }}"
-      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- if .Values.controller.hostNetworking }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet

charts/kubezero-ci/charts/jenkins/templates/jenkins-controller-svc.yaml

@@ -41,9 +41,6 @@ spec:
       targetPort: {{ $port.port }}
       {{- end -}}
 {{- end }}
-  {{- if .Values.controller.publishNotReadyAddresses }}
-  publishNotReadyAddresses: true
-  {{- end }}
   selector:
     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
     "app.kubernetes.io/instance": "{{ .Release.Name }}"

charts/kubezero-ci/charts/jenkins/templates/service-account-agent.yaml

@@ -1,7 +1,6 @@
 {{ if .Values.serviceAccountAgent.create }}
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: {{ .Values.serviceAccountAgent.automountServiceAccountToken }}
 metadata:
   name: {{ include "jenkins.serviceAccountAgentName" . }}
   namespace: {{ template "jenkins.agent.namespace" . }}

charts/kubezero-ci/charts/jenkins/templates/service-account.yaml

@@ -1,7 +1,6 @@
 {{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "jenkins.serviceAccountName" . }}
   namespace: {{ template "jenkins.namespace" . }}

charts/kubezero-ci/charts/jenkins/values.yaml

@@ -232,10 +232,6 @@ controller:
   # but risks potentially imbalanced traffic spreading.
   serviceExternalTrafficPolicy:
 
-  # If enabled, the controller is available through its service before its pods reports ready. Makes startup screen and
-  # auto-reload on restart feature possible.
-  publishNotReadyAddresses:
-
   # -- Jenkins controller service annotations
   serviceAnnotations: {}
   # -- Jenkins controller custom labels for the StatefulSet
@@ -403,10 +399,10 @@ controller:
   # Plugins will be installed during Jenkins controller start
   # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
   installPlugins:
-    - kubernetes:4313.va_9b_4fe2a_0e34
+    - kubernetes:4296.v20a_7e4d77cf6
     - workflow-aggregator:600.vb_57cdd26fdd7
-    - git:5.7.0
-    - configuration-as-code:1932.v75cb_b_f1b_698d
+    - git:5.6.0
+    - configuration-as-code:1897.v79281e066ea_7
 
   # If set to false, Jenkins will download the minimum required version of all dependencies.
   # -- Download the minimum required version or latest version of all dependencies
@@ -568,7 +564,7 @@ controller:
         # -- Repository of the image that triggers the reload
         repository: kiwigrid/k8s-sidecar
         # -- Tag for the image that triggers the reload
-        tag: 1.30.1
+        tag: 1.28.0
       imagePullPolicy: IfNotPresent
       resources: {}
         #   limits:
@@ -955,7 +951,7 @@ agent:
     # -- Repository to pull the agent jnlp image from
     repository: "jenkins/inbound-agent"
     # -- Tag of the image to pull
-    tag: "3283.v92c105e0f819-9"
+    tag: "3273.v4cfe589b_fd83-1"
   # -- Configure working directory for default agent
   workingDir: "/home/jenkins/agent"
   nodeUsageMode: "NORMAL"
@@ -1329,8 +1325,6 @@ serviceAccount:
   extraLabels: {}
   # -- Controller ServiceAccount image pull secret
   imagePullSecretName:
-  # -- Auto-mount ServiceAccount token
-  automountServiceAccountToken: true
 
 
 serviceAccountAgent:
@@ -1346,8 +1340,6 @@ serviceAccountAgent:
   extraLabels: {}
   # -- Agent ServiceAccount image pull secret
   imagePullSecretName:
-  # -- Auto-mount ServiceAccount token
-  automountServiceAccountToken: true
 
 # -- Checks if any deprecated values are used
 checkDeprecation: true
@@ -1370,4 +1362,4 @@ helmtest:
       # -- Repository of the image used to test the framework
       repository: "bats/bats"
       # -- Tag of the image to test the framework
-      tag: "1.11.1"
+      tag: "1.11.0"

charts/kubezero-ci/values.yaml

@@ -2,7 +2,7 @@ gitea:
   enabled: false
 
   image:
-    tag: 1.23.4
+    tag: 1.22.6
     rootless: true
 
   repliaCount: 1
@@ -16,10 +16,6 @@ gitea:
     claimName: data-gitea-0
     size: 4Gi
 
-  service:
-    http:
-      port: 80
-
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -293,18 +289,12 @@ trivy:
 renovate:
   enabled: false
 
-  renovate:
-    config: |
-      {
-      }
-
   env:
     LOG_FORMAT: json
   cronjob:
     concurrencyPolicy: Forbid
-    jobBackoffLimit: 2
+    jobBackoffLimit: 3
     schedule:	"0 3 * * *"
     successfulJobsHistoryLimit: 1
-
   securityContext:
-    fsGroupChangePolicy: OnRootMismatch
+    fsGroup: 1000

charts/kubezero-falco/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: falco
     version: 4.2.5

charts/kubezero-graph/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.2.1"
     repository: https://cdn.zero-downtime.net/charts/
   - name: neo4j
     version: 5.26.0

charts/kubezero-istio-gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio-gateway
 description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.24.3
+version: 0.24.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -14,9 +14,9 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: gateway
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-istio-gateway/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio-gateway
 
-![Version: 0.24.3](https://img.shields.io/badge/Version-0.24.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.24.2](https://img.shields.io/badge/Version-0.24.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio gateways
 
@@ -20,8 +20,8 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-| https://istio-release.storage.googleapis.com/charts | gateway | 1.24.3 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://istio-release.storage.googleapis.com/charts | gateway | 1.24.2 |
 
 ## Values
 
@@ -32,8 +32,8 @@ Kubernetes: `>= 1.30.0-0`
 | gateway.autoscaling.maxReplicas | int | `4` |  |
 | gateway.autoscaling.minReplicas | int | `1` |  |
 | gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| gateway.minReadySeconds | int | `10` |  |
-| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"90s\" }"` |  |
+| gateway.minReadySeconds | int | `120` |  |
+| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` |  |
 | gateway.replicaCount | int | `1` |  |
 | gateway.resources.limits.memory | string | `"512Mi"` |  |
 | gateway.resources.requests.cpu | string | `"50m"` |  |

charts/kubezero-istio-gateway/charts/gateway/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24.3
+appVersion: 1.24.2
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.24.3
+version: 1.24.2

charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml

@@ -77,7 +77,7 @@ spec:
             allowPrivilegeEscalation: false
             privileged: false
             readOnlyRootFilesystem: true
-            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            {{- if not (eq .Values.platform "openshift") }}
             runAsUser: 1337
             runAsGroup: 1337
             {{- end }}

charts/kubezero-istio-gateway/charts/gateway/templates/zzz_profile.yaml

@@ -49,7 +49,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 #  Flatten globals, if defined on a per-chart basis
-{{- if true }}
+{{- if false }}
 {{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}

charts/kubezero-istio/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.24.3
+version: 0.24.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -13,20 +13,16 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
-  - name: envoy-ratelimit
-    version: 0.1.2
-    repository: https://cdn.zero-downtime.net/charts/
-    condition: envoy-ratelimit.enabled
   - name: base
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
   - name: istiod
-    version: 1.24.3
+    version: 1.24.2
     repository: https://istio-release.storage.googleapis.com/charts
   - name: kiali-server
-    version: "2.6.0"
+    version: "1.89.7"
     repository: https://kiali.org/helm-charts
     condition: kiali-server.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-istio/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio
 
-![Version: 0.24.3](https://img.shields.io/badge/Version-0.24.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.24.2](https://img.shields.io/badge/Version-0.24.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio
 
@@ -20,27 +20,15 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 |
-| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
-| https://istio-release.storage.googleapis.com/charts | base | 1.24.3 |
-| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 |
-| https://kiali.org/helm-charts | kiali-server | 2.6.0 |
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://istio-release.storage.googleapis.com/charts | base | 1.24.2 |
+| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.2 |
+| https://kiali.org/helm-charts | kiali-server | 1.89.7 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| envoy-ratelimit.descriptors.ingress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
-| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
-| envoy-ratelimit.enabled | bool | `false` |  |
-| envoy-ratelimit.failureModeDeny | bool | `false` |  |
-| envoy-ratelimit.localCacheSize | int | `1048576` |  |
-| envoy-ratelimit.log.format | string | `"json"` |  |
-| envoy-ratelimit.log.level | string | `"warn"` |  |
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
 | global.logAsJson | bool | `true` |  |
 | global.variant | string | `"distroless"` |  |
@@ -62,6 +50,17 @@ Kubernetes: `>= 1.30.0-0`
 | kiali-server.istio.enabled | bool | `false` |  |
 | kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | kiali-server.server.metrics_enabled | bool | `false` |  |
+| rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` |  |
+| rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
+| rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
+| rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
+| rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
+| rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
+| rateLimiting.enabled | bool | `false` |  |
+| rateLimiting.failureModeDeny | bool | `false` |  |
+| rateLimiting.localCacheSize | int | `1048576` |  |
+| rateLimiting.log.format | string | `"json"` |  |
+| rateLimiting.log.level | string | `"warn"` |  |
 
 ## Resources
 

charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml

@@ -0,0 +1,106 @@
+{{- if .Values.rateLimiting.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ratelimit-statsd-exporter-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    defaults:
+      ttl: 1m # Resets the metrics every minute
+    mappings:
+      - match:
+          "ratelimit.service.rate_limit.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.call.should_rate_limit.*"
+        name: "ratelimit_service_should_rate_limit_error"
+        match_metric_type: counter
+        labels:
+          err_type: "$1"
+      - match:
+          "ratelimit_server.*.total_requests"
+        name: "ratelimit_service_total_requests"
+        match_metric_type: counter
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit_server.*.response_time"
+        name: "ratelimit_service_response_time_seconds"
+        timer_type: histogram
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit.service.config_load_success"
+        name: "ratelimit_service_config_load_success"
+        match_metric_type: counter
+        ttl: 3m
+      - match:
+          "ratelimit.service.config_load_error"
+        name: "ratelimit_service_config_load_error"
+        match_metric_type: counter
+        ttl: 3m
+      - match: "."
+        match_type: "regex"
+        action: "drop"
+        name: "dropped"
+{{- end }}

charts/kubezero-istio/templates/ratelimit/config.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rateLimiting.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -9,9 +10,10 @@ data:
   ingress.yaml: |
     domain: ingress
     descriptors:
-    {{- toYaml .Values.descriptors.ingress | nindent 4 }}
+    {{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }}
 
   private-ingress.yaml: |
     domain: private-ingress
     descriptors:
-    {{- toYaml .Values.descriptors.privateIngress | nindent 4 }}
+    {{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }}
+{{- end }}

charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rateLimiting.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -26,7 +27,7 @@ spec:
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
             domain: ingress
-            failure_mode_deny: {{ .Values.failureModeDeny }}
+            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
             timeout: 0.5s
             rate_limit_service:
               grpc_service:
@@ -84,7 +85,7 @@ spec:
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
             domain:  private-ingress
-            failure_mode_deny: {{ .Values.failureModeDeny }}
+            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
             timeout: 0.5s
             rate_limit_service:
               grpc_service:
@@ -112,3 +113,4 @@ spec:
                      socket_address:
                       address: ratelimit.istio-system
                       port_value: 8081
+{{- end }}

charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml

@@ -0,0 +1,154 @@
+{{- if .Values.rateLimiting.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratelimit-redis
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ratelimit-redis
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app: ratelimit-redis
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratelimit-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ratelimit-redis
+  template:
+    metadata:
+      labels:
+        app: ratelimit-redis
+    spec:
+      containers:
+      - image: redis:6-alpine
+        imagePullPolicy: IfNotPresent
+        name: redis
+        ports:
+        - name: redis
+          containerPort: 6379
+      restartPolicy: Always
+      serviceAccountName: ""
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratelimit
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ratelimit
+spec:
+  ports:
+  #- name: http-port
+  #  port: 8080
+  #  targetPort: 8080
+  #  protocol: TCP
+  - name: grpc-port
+    port: 8081
+    targetPort: 8081
+    protocol: TCP
+  #- name: http-debug
+  #  port: 6070
+  #  targetPort: 6070
+  #  protocol: TCP
+  - name: http-monitoring
+    port: 9102
+    targetPort: 9102
+    protocol: TCP
+  selector:
+    app: ratelimit
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratelimit
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ratelimit
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: ratelimit
+    spec:
+      containers:
+      - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
+        imagePullPolicy: IfNotPresent
+        name: ratelimit
+        command: ["/bin/ratelimit"]
+        env:
+        - name: LOG_LEVEL
+          value: {{ default "WARN" .Values.rateLimiting.log.level }}
+        - name: LOG_FORMAT
+          value: {{ default "text" .Values.rateLimiting.log.format }}
+        - name: REDIS_SOCKET_TYPE
+          value: tcp
+        - name: REDIS_URL
+          value: ratelimit-redis:6379
+        - name: USE_STATSD
+          value: "true"
+        - name: STATSD_HOST
+          value: "localhost"
+        - name: STATSD_PORT
+          value: "9125"
+        - name: RUNTIME_ROOT
+          value: /data
+        - name: RUNTIME_SUBDIRECTORY
+          value: ratelimit
+        - name: RUNTIME_WATCH_ROOT
+          value: "false"
+        - name: RUNTIME_IGNOREDOTFILES
+          value: "true"
+        - name: LOCAL_CACHE_SIZE_IN_BYTES
+          value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}"
+        ports:
+        #- containerPort: 8080
+        - containerPort: 8081
+        #- containerPort: 6070
+        volumeMounts:
+        - name: ratelimit-config
+          mountPath: /data/ratelimit/config
+        resources:
+          requests:
+            cpu: 50m
+            memory: 32Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+      - name: statsd-exporter
+        image: docker.io/prom/statsd-exporter:v0.21.0
+        imagePullPolicy: Always
+        args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
+        ports:
+          - containerPort: 9125
+        #  - containerPort: 9102
+        resources:
+          requests:
+            cpu: 50m
+            memory: 32Mi
+          limits:
+            cpu: 200m
+            memory: 64Mi
+        volumeMounts:
+          - name: statsd-exporter-config
+            mountPath: /etc/statsd-exporter
+      volumes:
+      - name: ratelimit-config
+        configMap:
+          name: ratelimit-config
+      - name: statsd-exporter-config
+        configMap:
+          name: ratelimit-statsd-exporter-config
+{{- end }}

charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.metrics.enabled }}
+{{- if and .Values.istiod.telemetry.enabled .Values.rateLimiting.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:

charts/kubezero-istio/values.yaml

@@ -56,7 +56,29 @@ kiali-server:
     #url: "kiali.example.com"
 
 
-# for available options see envoy-ratelimit chart
-envoy-ratelimit:
+rateLimiting:
   enabled: false
 
+  log:
+    level: warn
+    format: json
+
+  # 1MB local cache for already reached limits to reduce calls to Redis
+  localCacheSize: 1048576
+
+  # Wether to block requests if ratelimiting is down
+  failureModeDeny: false
+
+  # rate limit descriptors for each domain, examples 10 req/s per sourceIP
+  descriptors:
+    ingress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10
+
+    privateIngress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10

charts/kubezero-lib/Chart.yaml

@@ -10,4 +10,4 @@ keywords:
 maintainers:
   - name: Stefan Reimer
     email: stefan@zero-downtime.net
-kubeVersion: ">= 1.30.0-0"
+kubeVersion: ">= 1.30.0"

charts/kubezero-logging/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: fluentd
     version: 0.5.2

charts/kubezero-metrics/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
 # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: kube-prometheus-stack
     version: 69.2.3

charts/kubezero-mq/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-mq
 description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 type: application
-version: 0.3.10
+version: 0.3.11
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -14,14 +14,14 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: nats
-    version: 1.2.2
+    version: 1.2.10
     repository: https://nats-io.github.io/k8s/helm/charts/
     condition: nats.enabled
   - name: rabbitmq
-    version: 14.6.6
+    version: 14.7.0
     repository: https://charts.bitnami.com/bitnami
     condition: rabbitmq.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-network/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: cilium
     version: 1.16.6

charts/kubezero-operators/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: opensearch-operator
     version: 2.7.0

charts/kubezero-operators/README.md

@@ -42,7 +42,6 @@ Kubernetes: `>= 1.30.0-0`
 | rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` |  |
 | rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
 | rabbitmq-cluster-operator.enabled | bool | `false` |  |
-| rabbitmq-cluster-operator.msgTopologyOperator.enabled | bool | `false` |  |
 | rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` |  |
 | rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` |  |
 | rabbitmq-cluster-operator.useCertManager | bool | `true` |  |
@@ -53,4 +52,4 @@ Kubernetes: `>= 1.30.0-0`
 | strimzi-kafka-operator.watchAnyNamespace | bool | `true` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/kubezero-operators/templates/cloudnative-pg/ClusterImageCatalog-bookworm.yaml

@@ -1,4 +1,3 @@
-{{- if index .Values "cloudnative-pg" "enabled" }}
 apiVersion: postgresql.cnpg.io/v1
 kind: ClusterImageCatalog
 metadata:
@@ -15,4 +14,3 @@ spec:
       image: ghcr.io/cloudnative-pg/postgresql:16.6-33-bookworm@sha256:7dfda49485274b61ada9bb347caffac01dee442ffd119eb19317a2692347657b
     - major: 17
       image: ghcr.io/cloudnative-pg/postgresql:17.2-33-bookworm@sha256:52b78e8e4a297e268be168c7e107a2117072dc38f4a11d9d056ff0cc13d4007f
-{{- end }}

charts/kubezero-sql/Chart.yaml

@@ -14,7 +14,7 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: mariadb-galera
     version: 14.0.10

charts/kubezero-storage/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-storage
 description: KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, gemini
 type: application
-version: 0.8.10
+version: 0.8.9
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,18 +17,18 @@ maintainers:
     email: stefan@zero-downtime.net
 dependencies:
   - name: kubezero-lib
-    version: 0.2.1
+    version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: lvm-localpv
     version: 1.6.2
     condition: lvm-localpv.enabled
     repository: https://openebs.github.io/lvm-localpv
   - name: aws-ebs-csi-driver
-    version: 2.39.3
+    version: 2.36.0
     condition: aws-ebs-csi-driver.enabled
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver
-    version: 3.1.6
+    version: 3.0.8
     condition: aws-efs-csi-driver.enabled
     repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver
   - name: gemini
@@ -36,7 +36,7 @@ dependencies:
     condition: gemini.enabled
     repository: https://charts.fairwinds.com/stable
   - name: k8up
-    version: 4.8.3
+    version: 4.8.1
     condition: k8up.enabled
     repository: https://k8up-io.github.io/k8up
 kubeVersion: ">= 1.26.0"

charts/kubezero-storage/charts/aws-ebs-csi-driver/CHANGELOG.md

@@ -1,77 +1,4 @@
 # Helm chart
-
-## v2.39.3
-
-### Urgent Upgrade Notes
-
-Please upgrade from v2.39.2 directly to v2.39.3 to avoid upgrade failures if you are using this chart as a subchart.
-
-### Bug or Regression
-- Fix sub-charting by removing values schema ([#2322](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2322), [@ElijahQuinones]((https://github.com/ElijahQuinones)
-
-## v2.39.2
-
-### Urgent Upgrade Notes
-
-Please upgrade from v2.38.1 directly to v2.39.2 to avoid upgrade failures if you are relying on `a1CompatibilityDaemonSet`. 
-
-### Bug or Regression
-- Fix helm regression when `a1CompatibilityDaemonSet=true` ([#2316](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2316), [@AndrewSirenko](https://github.com/AndrewSirenko))
-
-## v2.39.1
-
-### Bug or Regression
-- Fix `node.selinux` to properly set SELinux-specific mounts as ReadOnly ([#2311](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2311), [@AndrewSirenko](https://github.com/AndrewSirenko))
-
-## v2.39.0
-
-### Feature
-
-- Add Helm parameter `node.selinux` to enable SELinux-specific mounts on the node DaemonSet ([#2253](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2253), [@ConnorJC3](https://github.com/ConnorJC3))
-- Add Helm FIPS parameter ([#2244](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2244), [@ConnorJC3](https://github.com/ConnorJC3))
-
-## v2.38.1
-
-### Feature
-
-- Render templated controller service account parameters ([#2243](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2243), [@ElijahQuinones](https://github.com/ElijahQuinones))
-
-### Bug or Regression
-
-- Fix rendering failrue when `node.enableMetrics` is set to `true` ([#2250](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2250), [@mindw](https://github.com/mindw))
-- Remove duplicate 'enableMetrics' key ([#2256](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2256), [@sule26](https://github.com/sule26))
-
-## v2.37.0
-* Bump driver version to `v1.37.0`
-* Add init containers to node daemonset ([#2215](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2215), [@clbx](https://github.com/clbx))
-* Fix fetching test package version for kubetest in helm-tester ([#2203](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2203), [@torredil](https://github.com/torredil))
-
-## v2.36.0
-* Bump driver version to `v1.36.0`
-* Add recommended autoscalar Tolerations to driver DaemonSet ([#2165](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2165), [@AndrewSirenko](https://github.com/AndrewSirenko))
-* Add support for unhealthyPodEvictionPolicy on PodDisruptionBudget ([#2159](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2159), [@peterabarr](https://github.com/peterabarr))
-
-## v2.35.1
-* Fix an issue causing the `csi-attacher` container to get stuck in `CrashLoopBackoff` on clusters with VAC enabled. Users with a VAC-enabled cluster are strongly encouraged to skip `v2.35.0` and/or upgrade directly to `v2.35.1` or later.
-
-## v2.35.0
-* Bump driver version to `v1.35.0`
-* Add reservedVolumeAttachments to windows nodes ([#2134](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2134),[@AndrewSirenko](https://github.com/AndrewSirenko))
-* Add legacy-xfs driver option for clusters that mount XFS volumes to nodes with Linux kernel <= 5.4. Warning: This is a temporary workaround for customers unable to immediately upgrade their nodes. It will be removed in a future release. See [the options documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/release-1.35/docs/options.md) for more details.([#2121](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2121),[@AndrewSirenko](https://github.com/AndrewSirenko))
-* Add back "Auto-enable VAC on clusters with beta API version" ([#2141](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2141), [@ConnorJC3](https://github.com/ConnorJC3))
-
-## v2.34.0
-* Bump driver version to `v1.34.0`
-* Add toggle for PodDisruptionBudget in chart ([#2109](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2109), [@AndrewSirenko](https://github.com/AndrewSirenko))
-* Add nodeComponentOnly parameter to helm chart ([#2106](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2106), [@AndrewSirenko](https://github.com/AndrewSirenko))
-* fix: sidecars.snapshotter.logLevel not being respect ([#2102](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2102), [@zyue110026](https://github.com/zyue110026))
-
-## v2.33.0
-* Bump driver version to `v1.33.0`
-* Bump CSI sidecar container versions
-* Add fix for enableLinux node parameter ([#2078](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2078), [@ElijahQuinones](https://github.com/ElijahQuinones))
-* Fix dnsConfig indentation in controller template file ([#2084](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2084), [@cHiv0rz](https://github.com/cHiv0rz))
-
 ## v2.32.0
 * Bump driver version to `v1.32.0`
 * Bump CSI sidecar container versions

charts/kubezero-storage/charts/aws-ebs-csi-driver/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.39.0
+appVersion: 1.32.0
 description: A Helm chart for AWS EBS CSI Driver
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 keywords:
@@ -13,4 +13,4 @@ maintainers:
 name: aws-ebs-csi-driver
 sources:
 - https://github.com/kubernetes-sigs/aws-ebs-csi-driver
-version: 2.39.3
+version: 2.32.0

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/NOTES.txt

@@ -2,6 +2,4 @@ To verify that aws-ebs-csi-driver has started, run:
 
     kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
 
-[ACTION REQUIRED] Update to the EBS CSI Driver IAM Policy
-
-Due to an upcoming change in handling of IAM polices for the CreateVolume API when creating a volume from an EBS snapshot, a change to your EBS CSI Driver policy may be needed. For more information and remediation steps, see GitHub issue #2190 (https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/2190). This change affects all versions of the EBS CSI Driver and action may be required even on clusters where the driver is not upgraded.
+NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_helpers.tpl

@@ -31,13 +31,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*
-Determine image
-*/}}
-{{- define "aws-ebs-csi-driver.fullImagePath" -}}
-{{ printf "%s%s:%s%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) (.Values.fips | ternary "-fips" "") }}
-{{- end -}}
-
 {{/*
 Common labels
 */}}
@@ -90,21 +83,3 @@ Handle http proxy env vars
 - name: NO_PROXY
   value: {{ .Values.proxy.no_proxy | quote }}
 {{- end -}}
-
-{{/*
-Recommended daemonset tolerations
-*/}}
-{{- define "aws-ebs-csi-driver.daemonset-tolerations" -}}
-# Prevents stateful workloads from being scheduled to node before CSI Driver reports volume attachment limit
-- key: "ebs.csi.aws.com/agent-not-ready"
-  operator: "Exists"
-# Prevents undesired eviction by Cluster Autoscalar
-- key: "ToBeDeletedByClusterAutoscaler"
-  operator: Exists
-# Prevents undesired eviction by v1 Karpenter
-- key: "karpenter.sh/disrupted"
-  operator: Exists
-# Prevents undesired eviction by v1beta1 Karpenter
-- key: "karpenter.sh/disruption"
-  operator: Exists
-{{- end -}}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_node-windows.tpl

@@ -49,7 +49,6 @@ spec:
         {{- with .Values.node.tolerations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- include "aws-ebs-csi-driver.daemonset-tolerations" . | nindent 8 }}
         {{- end }}
       {{- if .Values.node.windowsHostProcess }}
       securityContext:
@@ -57,14 +56,10 @@ spec:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"
       hostNetwork: true
-      {{- with .Values.node.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.node.windowsHostProcess }}
           command:
@@ -73,15 +68,9 @@ spec:
           args:
             - node
             - --endpoint=$(CSI_ENDPOINT)
-            {{- with .Values.node.reservedVolumeAttachments }}
-            - --reserved-volume-attachments={{ . }}
-            {{- end }}
             {{- with .Values.node.volumeAttachLimit }}
             - --volume-attach-limit={{ . }}
             {{- end }}
-            {{- if .Values.node.legacyXFS }}
-            - --legacy-xfs=true
-            {{- end}}
             {{- with .Values.node.loggingFormat }}
             - --logging-format={{ . }}
             {{- end }}
@@ -111,10 +100,6 @@ spec:
               value: {{ .otelServiceName }}
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
-            {{- if .Values.fips }}
-            - name: AWS_USE_FIPS_ENDPOINT
-              value: "true"
-            {{- end }}
             {{- end }}
             {{- with .Values.node.env }}
             {{- . | toYaml | nindent 12 }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_node.tpl

@@ -1,5 +1,5 @@
 {{- define "node" }}
-{{- if .Values.node.enableLinux }}
+{{- if or (eq (default true .Values.node.enableLinux) true) }}
 ---
 kind: DaemonSet
 apiVersion: apps/v1
@@ -53,20 +53,17 @@ spec:
         {{- with .Values.node.tolerations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- include "aws-ebs-csi-driver.daemonset-tolerations" . | nindent 8 }}
+        - key: "ebs.csi.aws.com/agent-not-ready"
+          operator: "Exists"
         {{- end }}
       hostNetwork: {{ .Values.node.hostNetwork }}
       {{- with .Values.node.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.node.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - node
@@ -74,18 +71,9 @@ spec:
             {{- with .Values.node.reservedVolumeAttachments }}
             - --reserved-volume-attachments={{ . }}
             {{- end }}
-            {{- if .Values.node.enableMetrics }}
-            - --http-endpoint=0.0.0.0:3302
-            {{- end}}
-            {{- with .Values.node.kubeletPath }}
-            - --csi-mount-point-prefix={{ . }}/plugins/kubernetes.io/csi/ebs.csi.aws.com/
-            {{- end}}
             {{- with .Values.node.volumeAttachLimit }}
             - --volume-attach-limit={{ . }}
             {{- end }}
-            {{- if .Values.node.legacyXFS }}
-            - --legacy-xfs=true
-            {{- end}}
             {{- with .Values.node.loggingFormat }}
             - --logging-format={{ . }}
             {{- end }}
@@ -112,10 +100,6 @@ spec:
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
             {{- end }}
-            {{- if .Values.fips }}
-            - name: AWS_USE_FIPS_ENDPOINT
-              value: "true"
-            {{- end }}
             {{- with .Values.node.env }}
             {{- . | toYaml | nindent 12 }}
             {{- end }}
@@ -131,14 +115,6 @@ spec:
               mountPath: /csi
             - name: device-dir
               mountPath: /dev
-            {{- if .Values.node.selinux }}
-            - name: selinux-sysfs
-              mountPath: /sys/fs/selinux
-              readOnly: true
-            - name: selinux-config
-              mountPath: /etc/selinux/config
-              readOnly: true
-            {{- end }}
           {{- with .Values.node.volumeMounts }}
           {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -256,16 +232,6 @@ spec:
           hostPath:
             path: /dev
             type: Directory
-        {{- if .Values.node.selinux }}
-        - name: selinux-sysfs
-          hostPath:
-            path: /sys/fs/selinux
-            type: Directory
-        - name: selinux-config
-          hostPath:
-            path: /etc/selinux/config
-            type: File
-        {{- end }}
         - name: probe-dir
           {{- if .Values.node.probeDirVolume }}
           {{- toYaml .Values.node.probeDirVolume | nindent 10 }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,23 +5,22 @@ metadata:
   name: ebs-external-attacher-role
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
-# Do not modify the rules below manually, see `make update-sidecar-dependencies`
-# BEGIN AUTOGENERATED RULES
 rules:
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csinodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments/status"]
-    verbs: ["patch"]
-# END AUTOGENERATED RULES
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "csi.storage.k8s.io" ]
+    resources: [ "csinodeinfos" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattachments" ]
+    verbs: [ "get", "list", "watch", "update", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattachments/status" ]
+    verbs: [ "patch" ]
   {{- with .Values.sidecars.attacher.additionalClusterRoleRules }}
     {{- . | toYaml | nindent 2 }}
   {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,51 +5,37 @@ metadata:
   name: ebs-external-provisioner-role
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
-# Do not modify the rules below manually, see `make update-sidecar-dependencies`
-# BEGIN AUTOGENERATED RULES
 rules:
-  # The following rule should be uncommented for plugins that require secrets
-  # for provisioning.
-  # - apiGroups: [""]
-  #   resources: ["secrets"]
-  #   verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["list", "watch", "create", "update", "patch"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshots"]
-    verbs: ["get", "list"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotcontents"]
-    verbs: ["get", "list"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csinodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
-  # Access to volumeattachments is only needed when the CSI driver
-  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
-  # In that case, external-provisioner will watch volumeattachments
-  # to determine when it is safe to delete a volume.
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch"]
-# END AUTOGENERATED RULES
-  # Extra rule: VAC rules not present in upstream example
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattributesclasses"]
-    verbs: ["get"]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "create", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch", "update" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshots" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotcontents" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "csinodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattachments" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattributesclasses" ]
+    verbs: [ "get" ]
   {{- with .Values.sidecars.provisioner.additionalClusterRoleRules }}
     {{- . | toYaml | nindent 2 }}
   {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,35 +5,33 @@ metadata:
   name: ebs-external-resizer-role
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
-# Do not modify the rules below manually, see `make update-sidecar-dependencies`
-# BEGIN AUTOGENERATED RULES
 rules:
   # The following rule should be uncommented for plugins that require secrets
   # for provisioning.
   # - apiGroups: [""]
   #   resources: ["secrets"]
   #   verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "patch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims/status"]
-    verbs: ["patch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["list", "watch", "create", "update", "patch"]
-  # only required if enabling the alpha volume modify feature
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattributesclasses"]
-    verbs: ["get", "list", "watch"]
-# END AUTOGENERATED RULES
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims/status" ]
+    verbs: [ "update", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattributesclasses" ]
+    verbs: [ "get", "list", "watch" ]
   {{- with .Values.sidecars.resizer.additionalClusterRoleRules }}
     {{- . | toYaml | nindent 2 }}
   {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,39 +5,26 @@ metadata:
   name: ebs-external-snapshotter-role
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
-# Do not modify the rules below manually, see `make update-sidecar-dependencies`
-# BEGIN AUTOGENERATED RULES
 rules:
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
   # Secret permission is optional.
   # Enable it if your driver needs secret.
   # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
   # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
-  #  - apiGroups: [""]
-  #    resources: ["secrets"]
-  #    verbs: ["get", "list"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotcontents"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotcontents/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["groupsnapshot.storage.k8s.io"]
-    resources: ["volumegroupsnapshotclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["groupsnapshot.storage.k8s.io"]
-    resources: ["volumegroupsnapshotcontents"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["groupsnapshot.storage.k8s.io"]
-    resources: ["volumegroupsnapshotcontents/status"]
-    verbs: ["update", "patch"]
-# END AUTOGENERATED RULES
+  # - apiGroups: [ "" ]
+  #   resources: [ "secrets" ]
+  #   verbs: [ "get", "list" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotcontents" ]
+    verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotcontents/status" ]
+    verbs: [ "update", "patch" ]
   {{- with .Values.sidecars.snapshotter.additionalClusterRoleRules }}
     {{- . | toYaml | nindent 2 }}
   {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -14,4 +13,3 @@ roleRef:
   kind: ClusterRole
   name: ebs-external-attacher-role
   apiGroup: rbac.authorization.k8s.io
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -14,4 +13,3 @@ roleRef:
   kind: ClusterRole
   name: ebs-external-provisioner-role
   apiGroup: rbac.authorization.k8s.io
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -14,4 +13,3 @@ roleRef:
   kind: ClusterRole
   name: ebs-external-resizer-role
   apiGroup: rbac.authorization.k8s.io
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -14,4 +13,3 @@ roleRef:
   kind: ClusterRole
   name: ebs-external-snapshotter-role
   apiGroup: rbac.authorization.k8s.io
-{{- end -}}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/controller.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 # Controller Service
 kind: Deployment
 apiVersion: apps/v1
@@ -71,10 +70,14 @@ spec:
       {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
+            {{- if ne .Release.Name "kustomize" }}
             - controller
+            {{- else }}
+            # - {all,controller,node} # specify the driver mode
+            {{- end }}
             - --endpoint=$(CSI_ENDPOINT)
             {{- if .Values.controller.extraVolumeTags }}
               {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
@@ -150,10 +153,6 @@ spec:
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
             {{- end }}
-            {{- if .Values.fips }}
-            - name: AWS_USE_FIPS_ENDPOINT
-              value: "true"
-            {{- end }}
           {{- with .Values.controller.envFrom }}
           envFrom:
             {{- . | toYaml | nindent 12 }}
@@ -231,9 +230,6 @@ spec:
             {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
             - --retry-interval-max=30m
             {{- end }}
-            {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
-            - --feature-gates=VolumeAttributesClass=true
-            {{- end }}
             {{- range .Values.sidecars.provisioner.additionalArgs }}
             - {{ . }}
             {{- end }}
@@ -324,7 +320,6 @@ spec:
           args:
             - --csi-address=$(ADDRESS)
             - --leader-election=true
-            - --v={{ .Values.sidecars.snapshotter.logLevel }}
             {{- if .Values.controller.extraCreateMetadata }}
             - --extra-create-metadata
             {{- end}}
@@ -452,9 +447,6 @@ spec:
             {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
             - --retry-interval-max=30m
             {{- end }}
-            {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
-            - --feature-gates=VolumeAttributesClass=true
-            {{- end }}
             {{- range .Values.sidecars.resizer.additionalArgs }}
             - {{ . }}
             {{- end }}
@@ -521,8 +513,7 @@ spec:
         {{- with .Values.controller.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- if .Values.controller.dnsConfig }}
-      dnsConfig:
-        {{- toYaml .Values.controller.dnsConfig | nindent 8 }}
-      {{- end }}
-{{- end }}
+  {{- if .Values.controller.dnsConfig }}
+  dnsConfig:
+    {{- toYaml .Values.controller.dnsConfig | nindent 4 }}
+  {{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/csidriver.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }}
 kind: CSIDriver
 metadata:
@@ -11,4 +10,3 @@ spec:
   {{- if not .Values.useOldCSIDriver }}
   fsGroupPolicy: File
   {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 {{- if .Values.defaultStorageClass.enabled }}
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
@@ -10,4 +9,3 @@ provisioner: ebs.csi.aws.com
 volumeBindingMode: WaitForFirstConsumer
 allowVolumeExpansion: true
 {{- end }}
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/metrics.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.enableMetrics (not .Values.nodeComponentOnly) -}}
+{{- if .Values.controller.enableMetrics -}}
 ---
 apiVersion: v1
 kind: Service
@@ -40,21 +40,3 @@ spec:
       interval: {{ .Values.controller.serviceMonitor.interval | default "15s"}}
 {{- end }}
 {{- end }}
----
-{{- if .Values.node.enableMetrics }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: ebs-csi-node
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: ebs-csi-node
-spec:
-  selector:
-    app: ebs-csi-node
-  ports:
-    - name: metrics
-      port: 3302
-      targetPort: 3302
-  type: ClusterIP
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node.yaml

@@ -12,9 +12,6 @@
 {{- include "node" (deepCopy $ | mustMerge $args) -}}
 {{- end }}
 {{- if .Values.a1CompatibilityDaemonSet }}
-{{- if .Values.fips -}}
-{{- fail "FIPS mode not supported for A1 instance family compatibility image" -}}
-{{- end -}}
 {{$args := dict
   "NodeName" "ebs-csi-node-a1compat"
   "Values" (dict
@@ -30,7 +27,7 @@
                 (dict
                   "key" "eks.amazonaws.com/compute-type"
                   "operator" "NotIn"
-                  "values" (list "fargate" "auto" "hybrid")
+                  "values" (list "fargate")
                 )
                 (dict
                   "key" "node.kubernetes.io/instance-type"

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml

@@ -1,4 +1,3 @@
-{{- if and .Values.controller.podDisruptionBudget.enabled (not .Values.nodeComponentOnly) -}}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
@@ -11,12 +10,8 @@ spec:
     matchLabels:
       app: ebs-csi-controller
       {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
-  {{- if .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
-  unhealthyPodEvictionPolicy: {{ .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
-  {{- end }}
   {{- if le (.Values.controller.replicaCount | int) 2 }}
   maxUnavailable: 1
   {{- else }}
   minAvailable: 2
   {{- end }}
-{{- end -}}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/role-leases.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -10,4 +9,3 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/rolebinding-leases.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.nodeComponentOnly -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -14,4 +13,3 @@ roleRef:
   kind: Role
   name: ebs-csi-leases-role
   apiGroup: rbac.authorization.k8s.io
-{{- end }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.serviceAccount.create (not .Values.nodeComponentOnly) -}}
+{{- if .Values.controller.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -8,7 +8,12 @@ metadata:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
   {{- with .Values.controller.serviceAccount.annotations }}
   annotations:
-    {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if eq .Release.Name "kustomize" }}
+  #Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
+  #annotations:
+  #  eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
   {{- end }}
 {{- if .Values.controller.serviceAccount.automountServiceAccountToken }}
 automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}

charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/tests/helm-tester.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.helmTester.enabled (not .Values.nodeComponentOnly) -}}
+{{- if .Values.helmTester.enabled -}}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -220,28 +220,15 @@ spec:
           else
             FOCUS_REGEX="${FOCUS_REGEX})"
           fi
-
-          echo "Detecting Kubernetes server version"
-          export KUBE_VERSION=$(kubectl version --output json | jq -r '.serverVersion.major + "." + .serverVersion.minor' | sed 's/[^0-9.]*$//')
-          echo "Detected KUBE_VERSION=${KUBE_VERSION}"
-
-          echo "Fetching the stable test package version for KUBE_VERSION=${KUBE_VERSION}"
-          test_package_version=$(curl -L https://dl.k8s.io/release/stable-${KUBE_VERSION}.txt 2>/dev/null)
-
-          if echo "$test_package_version" | grep -q "Error"; then
-            echo "Error: Failed to fetch test package version for KUBE_VERSION=${KUBE_VERSION}. Exiting."
-            exit 1
-          fi
-          echo "Fetched test package version ${test_package_version}"
-
-          echo "Starting kubetest2 with ginkgo tests..."
-          kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version="$test_package_version" --skip-regex='[Disruptive]|[Serial]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
-          echo "kubetest2 test run completed."
+          export KUBE_VERSION=$(kubectl version --output json | jq -r '.serverVersion.major + "." + .serverVersion.minor')
+          kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version="$(curl -L https://dl.k8s.io/release/stable-${KUBE_VERSION}.txt)" --skip-regex='[Disruptive]|[Serial]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
       volumeMounts:
       - name: config-vol
         mountPath: /etc/config
+  # kubekins-e2e v1 image is linux amd64 only.
   nodeSelector:
     kubernetes.io/os: linux
+    kubernetes.io/arch: amd64
   serviceAccountName: ebs-csi-driver-test
   volumes:
     - name: config-vol

charts/kubezero-storage/charts/aws-ebs-csi-driver/values.yaml

@@ -11,18 +11,13 @@ image:
 customLabels: {}
 # k8s-app: aws-ebs-csi-driver
 
-# Instruct the AWS SDK to use AWS FIPS endpoints, and deploy container built with BoringCrypto (a FIPS-validated cryptographic library) instead of the Go default
-#
-# The EBS CSI Driver FIPS images have not undergone FIPS certification, and no official guarnatee is made about the compliance of these images under the FIPS standard
-# Users relying on these images for FIPS compliance should perform their own independent evaluation
-fips: false
 sidecars:
   provisioner:
     env: []
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-      tag: "v5.1.0-eks-1-31-12"
+      tag: "v5.0.1-eks-1-30-8"
     logLevel: 2
     # Additional parameters provided by external-provisioner.
     additionalArgs: []
@@ -49,7 +44,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
-      tag: "v4.8.0-eks-1-31-12"
+      tag: "v4.6.1-eks-1-30-8"
     # Tune leader lease election for csi-attacher.
     # Leader election is on by default.
     leaderElection:
@@ -78,7 +73,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
-      tag: "v8.2.0-eks-1-31-12"
+      tag: "v8.0.1-eks-1-30-8"
     logLevel: 2
     # Additional parameters provided by csi-snapshotter.
     additionalArgs: []
@@ -94,7 +89,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-      tag: "v2.14.0-eks-1-31-12"
+      tag: "v2.13.0-eks-1-30-8"
     # Additional parameters provided by livenessprobe.
     additionalArgs: []
     resources: {}
@@ -106,7 +101,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
-      tag: "v1.12.0-eks-1-31-11"
+      tag: "v1.11.1-eks-1-30-8"
     # Tune leader lease election for csi-resizer.
     # Leader election is on by default.
     leaderElection:
@@ -133,7 +128,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-      tag: "v2.13.0-eks-1-31-12"
+      tag: "v2.11.0-eks-1-30-8"
     logLevel: 2
     # Additional parameters provided by node-driver-registrar.
     additionalArgs: []
@@ -155,7 +150,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s
-      tag: "v0.5.1"
+      tag: "v0.3.0"
     leaderElection:
       enabled: true
       # Optional values to tune lease behavior.
@@ -201,8 +196,6 @@ controller:
                 operator: NotIn
                 values:
                   - fargate
-                  - auto
-                  - hybrid
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
         - podAffinityTerm:
@@ -252,11 +245,6 @@ controller:
   deploymentAnnotations: {}
   podAnnotations: {}
   podLabels: {}
-  podDisruptionBudget:
-    # Warning: Disabling PodDisruptionBudget may lead to delays in stateful workloads starting due to controller
-    # pod restarts or evictions.
-    enabled: true
-    # unhealthyPodEvictionPolicy:
   priorityClassName: system-cluster-critical
   # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
   # service.
@@ -347,15 +335,11 @@ controller:
   # Enable dnsConfig for the controller and node pods
   dnsConfig: {}
 node:
-  # Enable SELinux-only optimizations on the EBS CSI Driver node pods
-  # Must only be set true if all linux nodes in the DaemonSet have SELinux enabled
-  selinux: false
   env: []
   envFrom: []
   kubeletPath: /var/lib/kubelet
   loggingFormat: text
   logLevel: 2
-  enableMetrics: false
   priorityClassName:
   additionalArgs: []
   affinity:
@@ -367,8 +351,6 @@ node:
                 operator: NotIn
                 values:
                   - fargate
-                  - auto
-                  - hybrid
               - key: node.kubernetes.io/instance-type
                 operator: NotIn
                 values:
@@ -406,10 +388,6 @@ node:
   # Enable the linux daemonset creation
   enableLinux: true
   enableWindows: false
-  # Warning: This option will be removed in a future release. It is a temporary workaround for users unable to immediately migrate off of older kernel versions.
-  # Formats XFS volumes with bigtime=0,inobtcount=0,reflink=0, for mounting onto nodes with linux kernel version <= 5.4.
-  # Note that XFS volumes formatted with this option will only have timestamp records until 2038.
-  legacyXFS: false
   # The number of attachment slots to reserve for system use (and not to be used for CSI volumes)
   # When this parameter is not specified (or set to -1), the EBS CSI Driver will attempt to determine the number of reserved slots via heuristic
   # Cannot be specified at the same time as `node.volumeAttachLimit`
@@ -448,14 +426,6 @@ node:
   containerSecurityContext:
     readOnlyRootFilesystem: true
     privileged: true
-  initContainers: []
-  # containers to be run before the csi-node's container starts.
-  #
-  # Example:
-  #
-  # - name: wait
-  #   image: busybox
-  #   command: [ 'sh', '-c', "sleep 20" ]
   # Enable opentelemetry tracing for the plugin running on the daemonset
   otelTracing: {}
   #  otelServiceName: ebs-csi-node
@@ -506,9 +476,7 @@ volumeSnapshotClasses: []
 # Intended for use with older clusters that cannot easily replace the CSIDriver object
 # This parameter should always be false for new installations
 useOldCSIDriver: false
-# Deploy EBS CSI Driver without controller and associated resources
-nodeComponentOnly: false
 helmTester:
   enabled: true
   # Supply a custom image to the ebs-csi-driver-test pod in helm-tester.yaml
-  image: "us-central1-docker.pkg.dev/k8s-staging-test-infra/images/kubekins-e2e:v20241230-3006692a6f-master"
+  image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240611-597c402033-master"

charts/kubezero-storage/charts/aws-efs-csi-driver/CHANGELOG.md

@@ -1,24 +1,4 @@
 # Helm chart
-# v3.1.6
-* Bump app/driver version to `v2.1.5`
-# v3.1.5
-* Bump app/driver version to `v2.1.4`
-# v3.1.4
-* Bump app/driver version to `v2.1.3`
-# v3.1.3
-* Bump app/driver version to `v2.1.2`
-# v3.1.2
-* Bump app/driver version to `v2.1.1`
-# v3.1.1
-* Bump app/driver version to `v2.1.0`
-# v3.1.0
-* Bump app/driver version to `v2.0.9`
-# v3.0.9
-* Bump app/driver version to `v2.0.8`
-# v3.0.8
-* Bump app/driver version to `v2.0.7`
-# v3.0.7
-* Bump app/driver version to `v2.0.6`
 # v3.0.6
 * Bump app/driver version to `v2.0.5`
 # v3.0.5
@@ -244,4 +224,4 @@ for Controller deployment and Node daemonset
 * Fixing Controller deployment using `podAnnotations` and `tolerations` values from Node daemonset
 * Let the user define the whole `tolerations` array, default to `- operator: Exists`
 * Default `logLevel` lowered from `5` to `2`
-* Default `imagePullPolicy` everywhere set to `IfNotPresent`
+* Default `imagePullPolicy` everywhere set to `IfNotPresent`

charts/kubezero-storage/charts/aws-efs-csi-driver/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.1.5
+appVersion: 2.0.5
 description: A Helm chart for AWS EFS CSI Driver
 home: https://github.com/kubernetes-sigs/aws-efs-csi-driver
 keywords:
@@ -15,4 +15,4 @@ maintainers:
 name: aws-efs-csi-driver
 sources:
 - https://github.com/kubernetes-sigs/aws-efs-csi-driver
-version: 3.1.6
+version: 3.0.6

charts/kubezero-storage/charts/aws-efs-csi-driver/templates/controller-deployment.yaml

@@ -3,18 +3,17 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
-  name: {{ .Values.controller.name }}
-  namespace: {{ .Release.Namespace }}
+  name: efs-csi-controller
   labels:
     app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
     {{- with .Values.controller.additionalLabels }}
     {{ toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  replicas: {{ .Values.controller.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: {{ .Values.controller.name }}
+      app: efs-csi-controller
       app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   {{- with .Values.controller.updateStrategy }}
@@ -24,7 +23,7 @@ spec:
   template:
     metadata:
       labels:
-        app: {{ .Values.controller.name }}
+        app: efs-csi-controller
         app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
         {{- with .Values.controller.podLabels }}
@@ -94,8 +93,6 @@ spec:
             - name: AWS_USE_FIPS_ENDPOINT
               value: "true"
             {{- end }}
-            - name: PORT_RANGE_UPPER_BOUND
-              value: "{{ .Values.portRangeUpperBound }}"
             {{- with .Values.controller.env }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -137,16 +134,13 @@ spec:
             {{- if hasKey .Values.controller "leaderElectionLeaseDuration" }}
             - --leader-election-lease-duration={{ .Values.controller.leaderElectionLeaseDuration }}
             {{- end }}
-            {{- range .Values.sidecars.csiProvisioner.additionalArgs }}
-            - {{ . }}
-            {{- end }}
           env:
             - name: ADDRESS
               value: /var/lib/csi/sockets/pluginproxy/csi.sock
           volumeMounts:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
-          {{- with default .Values.controller.resources .Values.sidecars.csiProvisioner.resources }}
+          {{- with .Values.sidecars.csiProvisioner.resources }}
           resources: {{ toYaml . | nindent 12 }}
           {{- end }}
           {{- with .Values.sidecars.csiProvisioner.securityContext }}
@@ -165,7 +159,7 @@ spec:
             {{- with .Values.controller.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-          {{- with default .Values.controller.resources .Values.sidecars.livenessProbe.resources }}
+          {{- with .Values.sidecars.livenessProbe.resources }}
           resources: {{ toYaml . | nindent 12 }}
           {{- end }}
           {{- with .Values.sidecars.livenessProbe.securityContext }}
@@ -181,13 +175,4 @@ spec:
       {{- with .Values.controller.affinity }}
       affinity: {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.controller.topologySpreadConstraints }}
-      {{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "efs-csi-controller" ) ) }}
-      {{- $constraints := list }}
-      {{- range .Values.controller.topologySpreadConstraints }}
-        {{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }}
-      {{- end }}
-      topologySpreadConstraints:
-        {{- $constraints | toYaml | nindent 8 }}
-      {{- end }}
 {{- end }}

charts/kubezero-storage/charts/aws-efs-csi-driver/templates/controller-pdb.yaml

@@ -1,24 +0,0 @@
-{{- if .Values.controller.podDisruptionBudget.enabled -}}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: {{ .Values.controller.name }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "aws-efs-csi-driver.labels" . | nindent 4 }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ .Values.controller.name }}
-      app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  {{- if .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
-  unhealthyPodEvictionPolicy: {{ .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
-  {{- end }}
-  {{- if .Values.controller.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
-  {{- end }}
-  {{- if .Values.controller.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }}
-  {{- end }}
-{{- end -}}

charts/kubezero-storage/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.controller.serviceAccount.name }}
-  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
   {{- with .Values.controller.serviceAccount.annotations }}
@@ -75,7 +74,6 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: efs-csi-provisioner-binding-describe-secrets
-  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
 subjects:

charts/kubezero-storage/charts/aws-efs-csi-driver/templates/csidriver.yaml

@@ -3,10 +3,8 @@ kind: CSIDriver
 metadata:
   name: efs.csi.aws.com
   annotations:
-    {{- if .Values.useHelmHooksForCSIDriver }}
     "helm.sh/hook": pre-install, pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation
-    {{- end }}
     "helm.sh/resource-policy": keep
 spec:
   attachRequired: false