feat: even more v1.29 module updates

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.2.3](https://img.shields.io/badge/Version-0.2.3-informational?style=flat-square)
+![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,10 +18,10 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 7.1.3 |
-| https://argoproj.github.io/argo-helm | argo-events | 2.4.4 |
+| https://argoproj.github.io/argo-helm | argo-cd | 7.3.8 |
+| https://argoproj.github.io/argo-helm | argo-events | 2.4.7 |
 | https://argoproj.github.io/argo-helm | argocd-apps | 2.0.0 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.10.0 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.11.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 
 ## Values
@@ -30,10 +30,10 @@ Kubernetes: `>= 1.26.0`
 |-----|------|---------|-------------|
 | argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n  # Lua script for customizing the health status assessment\n  health.lua: |\n    hs = {}\n    if obj.status ~= nil then\n      if obj.status.conditions ~= nil then\n        for i, condition in ipairs(obj.status.conditions) do\n          if condition.type == \"Ready\" and condition.status == \"False\" then\n            hs.status = \"Degraded\"\n            hs.message = condition.message\n            return hs\n          end\n          if condition.type == \"Ready\" and condition.status == \"True\" then\n            hs.status = \"Healthy\"\n            hs.message = condition.message\n            return hs\n          end\n        end\n      end\n    end\n    hs.status = \"Progressing\"\n    hs.message = \"Waiting for certificate\"\n    return hs\n"` |  |
 | argo-cd.configs.cm."timeout.reconciliation" | string | `"300s"` |  |
-| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.28 - Release notes"` |  |
+| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.29 - Release notes"` |  |
 | argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` |  |
 | argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` |  |
-| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.28"` |  |
+| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.29"` |  |
 | argo-cd.configs.cm.url | string | `"https://argocd.example.com"` |  |
 | argo-cd.configs.params."controller.operation.processors" | string | `"5"` |  |
 | argo-cd.configs.params."controller.status.processors" | string | `"10"` |  |

charts/kubezero-istio-gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio-gateway
 description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.21.3
+version: 0.22.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-istio-gateway/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio-gateway
 
-![Version: 0.21.2](https://img.shields.io/badge/Version-0.21.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.22.3](https://img.shields.io/badge/Version-0.22.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio gateways
 
@@ -21,7 +21,7 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://istio-release.storage.googleapis.com/charts | gateway | 1.21.2 |
+| https://istio-release.storage.googleapis.com/charts | gateway | 1.22.3 |
 
 ## Values
 

charts/kubezero-istio-gateway/charts/gateway/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.21.2
+appVersion: 1.22.3
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.21.2
+version: 1.22.3

charts/kubezero-istio-gateway/charts/gateway/README.md

@@ -54,7 +54,7 @@ That is, `--set some.field=true` should be passed, not `--set defaults.some.fiel
 When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
 
 ```console
-helm install istio-ingressgateway istio/gateway -- set profile=openshift
+helm install istio-ingressgateway istio/gateway --set profile=openshift
 ```
 
 ### `image: auto` Information

charts/kubezero-istio-gateway/charts/gateway/files/profile-ambient.yaml

@@ -1,25 +1,21 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
 # The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
 meshConfig:
   defaultConfig:
     proxyMetadata:
       ISTIO_META_ENABLE_HBONE: "true"
-variant: distroless
-pilot:
+global:
   variant: distroless
+pilot:
   env:
-    # Setup more secure default that is off in 'default' only for backwards compatibility
-    VERIFY_CERTIFICATE_AT_CLIENT: "true"
-    ENABLE_AUTO_SNI: "true"
-
-    PILOT_ENABLE_HBONE: "true"
+    PILOT_ENABLE_AMBIENT: "true"
     CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
-    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
 cni:
-  logLevel: info
-  privileged: true
   ambient:
     enabled: true
 
-  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
-  excludeNamespaces:
-    - kube-system
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless

charts/kubezero-istio-gateway/charts/gateway/files/profile-compatibility-version-1.20.yaml

@@ -1,6 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
 pilot:
   env:
+    # 1.21 behavioral changes
     ENABLE_EXTERNAL_NAME_ALIAS: "false"
     PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
     VERIFY_CERTIFICATE_AT_CLIENT: "false"
     ENABLE_AUTO_SNI: "false"
+
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/kubezero-istio-gateway/charts/gateway/files/profile-compatibility-version-1.21.yaml

@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+  # 1.22 behavioral changes
+  proxyMetadata:
+    ISTIO_DELTA_XDS: "false"
+  defaultConfig:
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/kubezero-istio-gateway/charts/gateway/files/profile-demo.yaml

@@ -1,3 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
 # The demo profile enables a variety of things to try out Istio in non-production environments.
 # * Lower resource utilization.
 # * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
@@ -7,7 +11,7 @@ meshConfig:
   extensionProviders:
     - name: otel
       envoyOtelAls:
-        service: opentelemetry-collector.istio-system.svc.cluster.local
+        service: opentelemetry-collector.observability.svc.cluster.local
         port: 4317
     - name: skywalking
       skywalking:
@@ -16,7 +20,7 @@ meshConfig:
     - name: otel-tracing
       opentelemetry:
         port: 4317
-        service: opentelemetry-collector.otel-collector.svc.cluster.local
+        service: opentelemetry-collector.observability.svc.cluster.local
 
 global:
   proxy:

charts/kubezero-istio-gateway/charts/gateway/files/profile-openshift-ambient.yaml

@@ -0,0 +1,34 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  platform: openshift
+cni:
+  ambient:
+    enabled: true
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  logLevel: info
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+  variant: distroless
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
+    PILOT_ENABLE_SENDING_HBONE: "true"
+    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+platform: openshift
+variant: distroless
+seLinuxOptions:
+  type: spc_t

charts/kubezero-istio-gateway/charts/gateway/files/profile-openshift.yaml

@@ -1,3 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
 # The OpenShift profile provides a basic set of settings to run Istio on OpenShift
 # CNI must be installed.
 cni:
@@ -5,14 +9,12 @@ cni:
   cniConfDir: /etc/cni/multus/net.d
   chained: false
   cniConfFileName: "istio-cni.conf"
-  excludeNamespaces:
-    - istio-system
-    - kube-system
   logLevel: info
-  privileged: true
   provider: "multus"
 global:
   platform: openshift
-istio_cni:
-  enabled: true
-  chained: false
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+platform: openshift

charts/kubezero-istio-gateway/charts/gateway/files/profile-preview.yaml

@@ -1,3 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
 # The preview profile contains features that are experimental.
 # This is intended to explore new features coming to Istio.
 # Stability, security, and performance are not guaranteed - use at your own risk.

charts/kubezero-istio-gateway/charts/gateway/files/profile-stable.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true

charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt

@@ -1,8 +1,8 @@
 "{{ include "gateway.name" . }}" successfully installed!
 
 To learn more about the release, try:
-  $ helm status {{ .Release.Name }}
-  $ helm get all {{ .Release.Name }}
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
 
 Next steps:
   * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/

charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml

@@ -28,7 +28,7 @@ spec:
       labels:
         sidecar.istio.io/inject: "true"
         {{- with .Values.revision }}
-        istio.io/rev: {{ . }}
+        istio.io/rev: {{ . | quote }}
         {{- end }}
         {{- include "gateway.podLabels" . | nindent 8 }}
     spec:
@@ -40,7 +40,7 @@ spec:
       securityContext:
       {{- if .Values.securityContext }}
         {{- toYaml .Values.securityContext | nindent 8 }}
-      {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+      {{- else }}
         # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
         sysctls:
         - name: net.ipv4.ip_unprivileged_port_start
@@ -60,28 +60,18 @@ spec:
           securityContext:
           {{- if .Values.containerSecurityContext }}
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
-          {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
-            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+          {{- else }}
             capabilities:
               drop:
               - ALL
             allowPrivilegeEscalation: false
             privileged: false
             readOnlyRootFilesystem: true
+            {{- if not (eq .Values.platform "openshift") }}
             runAsUser: 1337
             runAsGroup: 1337
+            {{- end }}
             runAsNonRoot: true
-          {{- else }}
-            capabilities:
-              drop:
-              - ALL
-              add:
-              - NET_BIND_SERVICE
-            runAsUser: 0
-            runAsGroup: 1337
-            runAsNonRoot: false
-            allowPrivilegeEscalation: true
-            readOnlyRootFilesystem: true
           {{- end }}
           env:
           {{- with .Values.networkGateway }}

charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml

@@ -1,9 +1,5 @@
 {{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
 apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "gateway.name" . }}

charts/kubezero-istio-gateway/charts/gateway/templates/zzz_profile.yaml

@@ -1,4 +1,8 @@
 {{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
 Complex logic ahead...
 We have three sets of values, in order of precedence (last wins):
 1. The builtin values.yaml defaults

charts/kubezero-istio-gateway/charts/gateway/values.yaml

@@ -34,8 +34,8 @@ defaults:
   # Define the security context for the pod.
   # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
   # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-  securityContext: ~
-  containerSecurityContext: ~
+  securityContext: {}
+  containerSecurityContext: {}
 
   service:
     # Type of service. Set to "None" to disable the service entirely

charts/kubezero-istio/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.21.3
+version: 0.22.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-istio/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio
 
-![Version: 0.21.2](https://img.shields.io/badge/Version-0.21.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.22.3](https://img.shields.io/badge/Version-0.22.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio
 
@@ -21,9 +21,9 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://istio-release.storage.googleapis.com/charts | base | 1.21.2 |
-| https://istio-release.storage.googleapis.com/charts | istiod | 1.21.2 |
-| https://kiali.org/helm-charts | kiali-server | 1.83.0 |
+| https://istio-release.storage.googleapis.com/charts | base | 1.22.3 |
+| https://istio-release.storage.googleapis.com/charts | istiod | 1.22.3 |
+| https://kiali.org/helm-charts | kiali-server | 1.87.0 |
 
 ## Values
 

charts/kubezero/values.yaml

@@ -58,13 +58,13 @@ storage:
 istio:
   enabled: false
   namespace: istio-system
-  targetRevision: 0.21.2
+  targetRevision: 0.22.3
 
 istio-ingress:
   enabled: false
   chart: kubezero-istio-gateway
   namespace: istio-ingress
-  targetRevision: 0.21.2
+  targetRevision: 0.22.3
   gateway:
     service: {}
 
@@ -72,7 +72,7 @@ istio-private-ingress:
   enabled: false
   chart: kubezero-istio-gateway
   namespace: istio-ingress
-  targetRevision: 0.21.2
+  targetRevision: 0.22.3
   gateway:
     service: {}
 
@@ -113,7 +113,7 @@ logging:
 argo:
   enabled: false
   namespace: argocd
-  targetRevision: 0.2.2
+  targetRevision: 0.2.4
   argo-cd:
     enabled: false
     istio: