chore(deps): update kubezero-metrics-dependencies

.ci/podman.mk

@@ -1,26 +1,25 @@
 # Parse version from latest git semver tag
 GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
-GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
+GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null | sed -e 's/[^a-zA-Z0-9]/-/g')
 
-TAG ::= $(GIT_TAG)
+TAG := $(GIT_TAG)
 # append branch name to tag if NOT main nor master
 ifeq (,$(filter main master, $(GIT_BRANCH)))
 	# If branch is substring of tag, omit branch name
 	ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
 		# only append branch name if not equal tag
 		ifneq ($(GIT_TAG), $(GIT_BRANCH))
-			# Sanitize GIT_BRANCH to allowed Docker tag character set
-			TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
+			TAG = $(GIT_TAG)-$(GIT_BRANCH)
 		endif
 	endif
 endif
 
-ARCH ::= amd64
-ALL_ARCHS ::= amd64 arm64
+ARCH := amd64
+ALL_ARCHS := amd64 arm64
 _ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
 
 ifneq ($(TRIVY_REMOTE),)
-	TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
+	TRIVY_OPTS := --server $(TRIVY_REMOTE)
 endif
 
 .SILENT: ; # no need for @
@@ -46,7 +45,7 @@ test:: ## test built artificats
 
 scan: ## Scan image using trivy
 	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
+	trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
 
 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
@@ -78,7 +77,7 @@ rm-image:
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
+	git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

.ci/vars/buildPodman.groovy

@@ -2,9 +2,6 @@
 
 def call(Map config=[:]) {
     pipeline {
-      options {
-        disableConcurrentBuilds()
-      }
       agent {
         node {
           label 'podman-aws-trivy'
@@ -13,8 +10,6 @@ def call(Map config=[:]) {
       stages {
         stage('Prepare') {
           steps {
-            sh 'mkdir -p reports'
-
             // we set pull tags as project adv. options
             // pull tags
             //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
@@ -40,13 +35,12 @@ def call(Map config=[:]) {
 
         // Scan via trivy
         stage('Scan') {
+          environment {
+            TRIVY_FORMAT = "template"
+            TRIVY_OUTPUT = "reports/trivy.html"
+          }
           steps {
-            // we always scan and create the full json report
-            sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
-
-            // render custom full html report
-            sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
-
+            sh 'mkdir -p reports && make scan'
             publishHTML target: [
               allowMissing: true,
               alwaysLinkToLastBuild: true,
@@ -56,12 +50,13 @@ def call(Map config=[:]) {
               reportName: 'TrivyScan',
               reportTitles: 'TrivyScan'
             ]
-            sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
 
-            // fail build if issues found above trivy threshold
+            // Scan again and fail on CRITICAL vulns, if not overridden
             script {
-              if ( config.trivyFail ) {
-                sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
+              if (config.trivyFail == 'NONE') {
+                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
+              } else {
+                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
               }
             }
           }

charts/kubezero-argo/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero Argo - Events, Workflow, CD
 name: kubezero-argo
-version: 0.2.2
+version: 0.2.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -22,7 +22,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
     condition: argo-events.enabled
   - name: argo-cd
-    version: 6.9.2
+    version: 6.7.10
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-apps
@@ -30,7 +30,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
   - name: argocd-image-updater
-    version: 0.10.0
+    version: 0.9.6
     repository: https://argoproj.github.io/argo-helm
     condition: argocd-image-updater.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-ci/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.8.11
+version: 0.8.10
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -22,7 +22,7 @@ dependencies:
     repository: https://dl.gitea.io/charts/
     condition: gitea.enabled
   - name: jenkins
-    version: 5.1.18
+    version: 5.1.6
     repository: https://charts.jenkins.io
     condition: jenkins.enabled
   - name: trivy
@@ -30,7 +30,7 @@ dependencies:
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
   - name: renovate
-    version: 37.368.2
+    version: 37.321.1
     repository: https://docs.renovatebot.com/helm-charts
     condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

charts/kubezero-ci/README.md

@@ -1,6 +1,6 @@
 # kubezero-ci
 
-![Version: 0.8.11](https://img.shields.io/badge/Version-0.8.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.10](https://img.shields.io/badge/Version-0.8.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things CI
 
@@ -20,9 +20,9 @@ Kubernetes: `>= 1.25.0`
 |------------|------|---------|
 | https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.jenkins.io | jenkins | 5.1.18 |
+| https://charts.jenkins.io | jenkins | 5.1.6 |
 | https://dl.gitea.io/charts/ | gitea | 10.1.4 |
-| https://docs.renovatebot.com/helm-charts | renovate | 37.368.2 |
+| https://docs.renovatebot.com/helm-charts | renovate | 37.321.1 |
 
 # Jenkins
 - default build retention 10 builds, 32days
@@ -71,7 +71,9 @@ Kubernetes: `>= 1.25.0`
 | gitea.istio.enabled | bool | `false` |  |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | gitea.istio.url | string | `"git.example.com"` |  |
-| gitea.persistence.claimName | string | `"data-gitea-0"` |  |
+| gitea.persistence.create | bool | `false` |  |
+| gitea.persistence.enabled | bool | `true` |  |
+| gitea.persistence.mount | bool | `true` |  |
 | gitea.persistence.size | string | `"4Gi"` |  |
 | gitea.postgresql-ha.enabled | bool | `false` |  |
 | gitea.postgresql.enabled | bool | `false` |  |

charts/kubezero-ci/values.yaml

@@ -13,7 +13,10 @@ gitea:
 
   # Since V9 they default to RWX and deployment, we default to old existing RWO from statefulset
   persistence:
-    claimName: data-gitea-0
+    enabled: true
+    mount: true
+    create: false
+    #claimName: <set per install>
     size: 4Gi
 
   securityContext:

charts/kubezero-metrics/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-metrics
 description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
 type: application
-version: 0.9.8
+version: 0.9.9
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -19,14 +19,14 @@ dependencies:
     version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: kube-prometheus-stack
-    version: 58.0.0
+    version: 58.5.3
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-adapter
     version: 4.10.0
     repository: https://prometheus-community.github.io/helm-charts
     condition: prometheus-adapter.enabled
   - name: prometheus-pushgateway
-    version: 2.10.0
+    version: 2.12.0
     repository: https://prometheus-community.github.io/helm-charts
     condition: prometheus-pushgateway.enabled
 kubeVersion: ">= 1.26.0"

charts/kubezero-telemetry/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-telemetry
 description: KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.
 type: application
-version: 0.2.4
+version: 0.2.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -18,11 +18,11 @@ dependencies:
     version: ">= 0.1.6"
     repository: https://cdn.zero-downtime.net/charts/
   - name: opentelemetry-collector
-    version: 0.91.0
+    version: 0.89.0
     repository: https://open-telemetry.github.io/opentelemetry-helm-charts
     condition: opentelemetry-collector.enabled
   - name: jaeger
-    version: 3.0.7
+    version: 3.0.3
     repository: https://jaegertracing.github.io/helm-charts
     condition: jaeger.enabled
   - name: fluentd