diff --git a/charts/kubezero-addons/update.sh b/charts/kubezero-addons/update.sh index c8889e0..55edb20 100755 --- a/charts/kubezero-addons/update.sh +++ b/charts/kubezero-addons/update.sh @@ -3,6 +3,9 @@ set -ex . ../../scripts/lib-update.sh +login_ecr_public +update_helm + patch_chart aws-node-termination-handler patch_chart aws-eks-asg-rolling-update-handler diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index 5105236..0f3b25f 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml @@ -18,4 +18,4 @@ dependencies: - name: cert-manager version: v1.12.3 repository: https://charts.jetstack.io -kubeVersion: ">= 1.25.0" +kubeVersion: ">= 1.26.0" diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index 6917735..89dc2ca 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -1,6 +1,6 @@ # kubezero-cert-manager -![Version: 0.9.4](https://img.shields.io/badge/Version-0.9.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager @@ -14,12 +14,12 @@ KubeZero Umbrella Chart for cert-manager ## Requirements -Kubernetes: `>= 1.25.0` +Kubernetes: `>= 1.26.0` | Repository | Name | Version | |------------|------|---------| | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | -| https://charts.jetstack.io | cert-manager | 1.11.1 | +| https://charts.jetstack.io | cert-manager | v1.12.3 | ## AWS - OIDC IAM roles @@ -32,11 +32,15 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | Key | Type | Default | Description | |-----|------|---------|-------------| +| cert-manager.cainjector.extraArgs[0] | string | `"--logging-format=json"` | | +| cert-manager.cainjector.extraArgs[1] | string | `"--leader-elect=false"` | | | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.enabled | bool | `true` | | -| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | +| cert-manager.extraArgs[0] | string | `"--logging-format=json"` | | +| cert-manager.extraArgs[1] | string | `"--leader-elect=false"` | | +| cert-manager.extraArgs[2] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | @@ -45,6 +49,7 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.startupapicheck.enabled | bool | `false` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | +| cert-manager.webhook.extraArgs[0] | string | `"--logging-format=json"` | | | cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | | diff --git a/charts/kubezero-cert-manager/cert-manager-rules.yaml b/charts/kubezero-cert-manager/cert-manager-rules.yaml index 2a72ef2..bc6c821 100644 --- a/charts/kubezero-cert-manager/cert-manager-rules.yaml +++ b/charts/kubezero-cert-manager/cert-manager-rules.yaml @@ -1,3 +1,4 @@ rules: - name: prometheus-rules + condition: 'index .Values "cert-manager" "prometheus" "servicemonitor" "enabled"' url: file://rules/cert-manager-mixin-prometheusRule diff --git a/charts/kubezero-cert-manager/jsonnetfile.json b/charts/kubezero-cert-manager/jsonnetfile.json index 4fe5840..854f92c 100644 --- a/charts/kubezero-cert-manager/jsonnetfile.json +++ b/charts/kubezero-cert-manager/jsonnetfile.json @@ -8,7 +8,7 @@ "subdir": "jsonnet/kube-prometheus" } }, - "version": "release-0.10" + "version": "main" }, { "source": { diff --git a/charts/kubezero-cert-manager/jsonnetfile.lock.json b/charts/kubezero-cert-manager/jsonnetfile.lock.json index ffb2c5e..9a5ba1a 100644 --- a/charts/kubezero-cert-manager/jsonnetfile.lock.json +++ b/charts/kubezero-cert-manager/jsonnetfile.lock.json @@ -8,8 +8,8 @@ "subdir": "grafana" } }, - "version": "199e363523104ff8b3a12483a4e3eca86372b078", - "sum": "/jDHzVAjHB4AOLkJHw1GyATX5ogZ1iMdcJXZAgaG3+g=" + "version": "5698c8940b6dadca3f42107b7839557bc041761f", + "sum": "l6fPvh3tW6fWot308w71QY/amrYsFPeitvz1IgJxqQA=" }, { "source": { @@ -18,8 +18,18 @@ "subdir": "contrib/mixin" } }, - "version": "9d2cda4e44a26f064d8578e258bbba2fc3cd5b73", - "sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc=" + "version": "e2e17c75fe1006ea44b6ad793fa7b23f5e3546f4", + "sum": "GdePvMDfLQcVhwzk/Ephi/jC27ywGObLB5t0eC0lXd4=" + }, + { + "source": { + "git": { + "remote": "https://github.com/grafana/grafana.git", + "subdir": "grafana-mixin" + } + }, + "version": "1120f9e255760a3c104b57871fcb91801e934382", + "sum": "MkjR7zCgq6MUZgjDzop574tFKoTX2OBr7DTwm1K+Ofs=" }, { "source": { @@ -28,9 +38,19 @@ "subdir": "grafonnet" } }, - "version": "f0b70307b8e5f12236b277883d998af129a8211f", + "version": "a1d61cce1da59c71409b99b5c7568511fec661ea", "sum": "342u++/7rViR/zj2jeJOjshzglkZ1SY+hFNuyCBFMdc=" }, + { + "source": { + "git": { + "remote": "https://github.com/grafana/grafonnet-lib.git", + "subdir": "grafonnet-7.0" + } + }, + "version": "a1d61cce1da59c71409b99b5c7568511fec661ea", + "sum": "gCtR9s/4D5fxU9aKXg0Bru+/njZhA0YjLjPiASc61FM=" + }, { "source": { "git": { @@ -38,8 +58,8 @@ "subdir": "grafana-builder" } }, - "version": "e0b90a4435817ad642d8d049e7dd975264cb960e", - "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" + "version": "62aec8403a5c38d5dc97ba596703753289b1c33b", + "sum": "xEFMv4+ObwP5L1Wu0XK5agWci4AJzNApys6iKAQxLlQ=" }, { "source": { @@ -48,18 +68,8 @@ "subdir": "" } }, - "version": "ab104c5c406b91078d676475c14ab18644f84f2d", - "sum": "tRpIInEClWUNe5IS6uIjucFN/KqDFgg19+yo78VrLfU=" - }, - { - "source": { - "git": { - "remote": "https://github.com/kubernetes-monitoring/kubernetes-mixin.git", - "subdir": "lib/promgrafonnet" - } - }, - "version": "eed459199703c969afc318ea55b9361ae48180a7", - "sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps=" + "version": "46fc905d5b2981642043088ac7902ea50db2903e", + "sum": "8FAie1MXww5Ip9F8hQWkU9Fio1Af+hO4weQuuexioIQ=" }, { "source": { @@ -68,8 +78,8 @@ "subdir": "jsonnet/kube-state-metrics" } }, - "version": "e080c3ce73ad514254e38dccb37c93bec6b257ae", - "sum": "U1wzIpTAtOvC1yj43Y8PfvT0JfvnAcMfNH12Wi+ab0Y=" + "version": "570970378edf10655dd81e662658359eb10d9329", + "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g=" }, { "source": { @@ -78,8 +88,8 @@ "subdir": "jsonnet/kube-state-metrics-mixin" } }, - "version": "e080c3ce73ad514254e38dccb37c93bec6b257ae", - "sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk=" + "version": "570970378edf10655dd81e662658359eb10d9329", + "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c=" }, { "source": { @@ -88,8 +98,8 @@ "subdir": "jsonnet/kube-prometheus" } }, - "version": "e7eff18e7e70d7f1168105521451c4d7bd6a6d96", - "sum": "gcgf9y8wos4W8jgcJKuTDfORYDigCxx+q3QOYEijQFo=" + "version": "4b5b94347dd71b3649fef612ab3b8cf237ac48b9", + "sum": "8AeC579AWxP6VzLTxQ/ccIrwOY0G782ZceLlWmOL5/o=" }, { "source": { @@ -98,8 +108,8 @@ "subdir": "jsonnet/mixin" } }, - "version": "d8ba1c766a141cb35072ae2f2578ec8588c9efcd", - "sum": "qZ4WgiweaE6eeKtFK60QUjLO8sf2L9Q8fgafWvDcyfY=", + "version": "8b947d4ff1329440a46903c16f05717b24170061", + "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=", "name": "prometheus-operator-mixin" }, { @@ -109,8 +119,8 @@ "subdir": "jsonnet/prometheus-operator" } }, - "version": "d8ba1c766a141cb35072ae2f2578ec8588c9efcd", - "sum": "yjdwZ+5UXL42EavJleAJmd8Ou6MSDfExvlKAxFCxXVE=" + "version": "8b947d4ff1329440a46903c16f05717b24170061", + "sum": "LLGbS2uangsA5enNpZKxwdCAPZnO1Bj+W+o8Esk0QLw=" }, { "source": { @@ -119,8 +129,8 @@ "subdir": "doc/alertmanager-mixin" } }, - "version": "16fa045db47d68a09a102c7b80b8899c1f57c153", - "sum": "pep+dHzfIjh2SU5pEkwilMCAT/NoL6YYflV4x8cr7vU=", + "version": "6fe1a24df07eed6f6818abd500708040beee7d7b", + "sum": "1d7ZKYArJKacAWXLUz0bRC1uOkozee/PPw97/W5zGhc=", "name": "alertmanager" }, { @@ -130,8 +140,8 @@ "subdir": "docs/node-mixin" } }, - "version": "a2321e7b940ddcff26873612bccdf7cd4c42b6b6", - "sum": "MlWDAKGZ+JArozRKdKEvewHeWn8j2DNBzesJfLVd0dk=" + "version": "f2b274350a07bfd8afcad1a62ef561f8a303fcc2", + "sum": "By6n6U10hYDogUsyhsaKZehbhzxBZZobJloiKyKadgM=" }, { "source": { @@ -140,10 +150,20 @@ "subdir": "documentation/prometheus-mixin" } }, - "version": "41f1a8125e664985dd30674e5bdf6b683eff5d32", - "sum": "ZjQoYhvgKwJNkg+h+m9lW3SYjnjv5Yx5btEipLhru88=", + "version": "4d8e380269da5912265274469ff873142bbbabc3", + "sum": "8OngT76gVXOUROOOeP9yTe6E/dn+2D2J34Dn690QCG0=", "name": "prometheus" }, + { + "source": { + "git": { + "remote": "https://github.com/pyrra-dev/pyrra.git", + "subdir": "config/crd/bases" + } + }, + "version": "2b8c6d372d90942c3b53a9b225a82441be8c5b7b", + "sum": "L3lljFFoFB+nhXnyo8Yl1hKqe60nhHXY0IZCO3H2iVk=" + }, { "source": { "git": { @@ -151,8 +171,8 @@ "subdir": "mixin" } }, - "version": "fb97c9a5ef51849ccb7960abbeb9581ad7f511b9", - "sum": "X+060DnePPeN/87fgj0SrfxVitywTk8hZA9V4nHxl1g=", + "version": "8fcd30ffcedf9e2728518dc2970d070d4c301302", + "sum": "WhheqsiX0maUXByZFsb9xhCEsGXK2955bPmPPf1x+Cs=", "name": "thanos-mixin" }, { diff --git a/charts/kubezero-cert-manager/update.sh b/charts/kubezero-cert-manager/update.sh index 0e5b955..3e54df3 100755 --- a/charts/kubezero-cert-manager/update.sh +++ b/charts/kubezero-cert-manager/update.sh @@ -1,24 +1,19 @@ #!/bin/bash set -ex -helm dep update +. ../../scripts/lib-update.sh + +update_helm + +update_jsonnet + +# Install cert-mamanger mixin +jb install gitlab.com/uneeq-oss/cert-manager-mixin@master + +# Install rules +rm -rf rules && mkdir -p rules +jsonnet -J vendor -m rules rules.jsonnet +../kubezero-metrics/sync_prometheus_rules.py cert-manager-rules.yaml templates # Fetch dashboards from Grafana.com and update ZDT CM ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml - -# Get kube-mixin for alerts -which jsonnet > /dev/null || { echo "Required jsonnet not found!"; exit 1;} -which jb > /dev/null || { echo "Required jb ( json-bundler ) not found!"; exit 1;} - -[ -r jsonnetfile.json ] || jb init -if [ -r jsonnetfile.lock.json ]; then - jb update -else - jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@release-0.10 - jb install gitlab.com/uneeq-oss/cert-manager-mixin@master -fi - -rm -rf rules && mkdir -p rules -jsonnet -J vendor -m rules rules.jsonnet - -../kubezero-metrics/sync_prometheus_rules.py cert-manager-rules.yaml templates diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index d3d0bb0..2a5118d 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml @@ -23,6 +23,13 @@ cert-manager: leaderElection: namespace: "cert-manager" + extraArgs: + - "--logging-format=json" + - "--leader-elect=false" + - "--dns01-recursive-nameservers-only" + # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + # - --enable-certificate-owner-ref=true + #enableCertificateOwnerRef: true # On AWS enable Projected Service Accounts to assume IAM role @@ -64,6 +71,8 @@ cert-manager: effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" + extraArgs: + - "--logging-format=json" cainjector: tolerations: @@ -71,11 +80,9 @@ cert-manager: effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" - - extraArgs: - - "--dns01-recursive-nameservers-only" - # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted - # - --enable-certificate-owner-ref=true + extraArgs: + - "--logging-format=json" + - "--leader-elect=false" prometheus: servicemonitor: diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index a83f439..256d046 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -38,7 +38,7 @@ network: cert-manager: enabled: false namespace: cert-manager - targetRevision: 0.9.4 + targetRevision: 0.9.5 storage: enabled: false diff --git a/scripts/lib-update.sh b/scripts/lib-update.sh index e232248..fa78b98 100755 --- a/scripts/lib-update.sh +++ b/scripts/lib-update.sh @@ -1,15 +1,33 @@ #!/bin/bash set -ex -#helm repo update +# prometheus metrics mixin branch +# https://github.com/prometheus-operator/kube-prometheus#compatibility +KUBE_PROMETHEUS_RELEASE=main + +update_jsonnet() { + which jsonnet > /dev/null || { echo "Required jsonnet not found!"; exit 1;} + which jb > /dev/null || { echo "Required jb ( json-bundler ) not found!"; exit 1;} + + # remove previous versions + rm -f jsonnetfile.json jsonnetfile.lock.json + + jb init + jb install github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus@main +} + +update_helm() { + #helm repo update + helm dep update +} # AWS public ECR -aws ecr-public get-login-password \ - --region us-east-1 | helm registry login \ - --username AWS \ - --password-stdin public.ecr.aws - -helm dep update +login_ecr_public() { + aws ecr-public get-login-password \ + --region us-east-1 | helm registry login \ + --username AWS \ + --password-stdin public.ecr.aws +} patch_chart() { CHART=$1 @@ -20,7 +38,7 @@ patch_chart() { tar xfvz charts/$CHART-$VERSION.tgz -C charts && rm charts/$CHART-$VERSION.tgz # diff -tuNr charts/aws-node-termination-handler.orig charts/aws-node-termination-handler > nth.patch - patch -p0 -i $CHART.patch --no-backup-if-mismatch + [ -r $CHART.patch ] && patch -p0 -i $CHART.patch --no-backup-if-mismatch } update_docs() {