2024-08-09 11:15:53 +00:00
21 changed files with 136 additions and 99 deletions
--- a/admin/dev_apply.sh
+++ b/admin/dev_apply.sh
@ -19,6 +19,22 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 . "$SCRIPT_DIR"/libhelm.sh
 CHARTS="$(dirname $SCRIPT_DIR)/charts"
 # Guess platform from current context
 _auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
 if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
  PLATFORM=gke
 elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
  PLATFORM=aws
 else
  PLATFORM=nocloud
 fi
 parse_version() {
  echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
 }
 KUBE_VERSION=$(parse_version $KUBE_VERSION)
 ### Various hooks for modules
 ################
@ -71,7 +87,7 @@ if [ ${ARTIFACTS[0]} == "all" ]; then
 fi
 # Delete in reverse order, continue even if errors
-if [ $ACTION == "delete" ]; then
+if [ "$ACTION" == "delete" ]; then
  set +e
  for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do
    _helm delete ${ARTIFACTS[idx]} || true
--- a/admin/kubezero.sh
+++ b/admin/kubezero.sh
@ -66,6 +66,7 @@ render_kubeadm() {
 parse_kubezero() {
  export CLUSTERNAME=$(yq eval '.global.clusterName // .clusterName' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml)
  export PLATFORM=$(yq eval '.global.platform // "nocloud"' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml)
  export HIGHAVAILABLE=$(yq eval '.global.highAvailable // .highAvailable // "false"' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml)
  export ETCD_NODENAME=$(yq eval '.etcd.nodeName' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml)
  export NODENAME=$(yq eval '.nodeName' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml)
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -34,9 +34,11 @@ function argo_used() {
 # get kubezero-values from ArgoCD if available or use in-cluster CM without Argo
 function get_kubezero_values() {
  local _namespace="kube-system"
  [ "$PLATFORM" == "gke" ] && _namespace=kubezero
  argo_used && \
    { kubectl get application kubezero -n argocd -o yaml | yq .spec.source.helm.values > ${WORKDIR}/kubezero-values.yaml; } || \
-    { kubectl get configmap -n kube-system kubezero-values -o yaml | yq '.data."values.yaml"' > ${WORKDIR}/kubezero-values.yaml ;}
+    { kubectl get configmap -n $_namespace kubezero-values -o yaml | yq '.data."values.yaml"' > ${WORKDIR}/kubezero-values.yaml ;}
 }
@ -169,14 +171,14 @@ function _helm() {
  yq eval '.spec.source.helm.values' $WORKDIR/kubezero/templates/${module}.yaml > $WORKDIR/values.yaml
  echo "using values to $action of module $module: "
  cat $WORKDIR/values.yaml
  if [ $action == "crds" ]; then
    # Allow custom CRD handling
    declare -F ${module}-crds && ${module}-crds || _crds
  elif [ $action == "apply" ]; then
    echo "using values to $action of module $module: "
    cat $WORKDIR/values.yaml
    # namespace must exist prior to apply
    create_ns $namespace
--- a/charts/kubezero-argo/Chart.yaml
+++ b/charts/kubezero-argo/Chart.yaml
@ -33,4 +33,4 @@ dependencies:
    version: 0.11.0
    repository: https://argoproj.github.io/argo-helm
    condition: argocd-image-updater.enabled
-kubeVersion: ">= 1.26.0"
+kubeVersion: ">= 1.26.0-0"
--- a/charts/kubezero-argo/README.md
+++ b/charts/kubezero-argo/README.md
@ -14,7 +14,7 @@ KubeZero Argo - Events, Workflow, CD
 ## Requirements
-Kubernetes: `>= 1.26.0`
+Kubernetes: `>= 1.26.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
@ -65,7 +65,7 @@ Kubernetes: `>= 1.26.0`
 | argo-cd.repoServer.initContainers[0].command[0] | string | `"/usr/local/bin/sa2kubeconfig.sh"` |  |
 | argo-cd.repoServer.initContainers[0].command[1] | string | `"/home/argocd/.kube/config"` |  |
 | argo-cd.repoServer.initContainers[0].image | string | `"{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include \"argo-cd.defaultTag\" .) .Values.repoServer.image.tag }}"` |  |
-| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` |  |
+| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}"` |  |
 | argo-cd.repoServer.initContainers[0].name | string | `"create-kubeconfig"` |  |
 | argo-cd.repoServer.initContainers[0].securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | argo-cd.repoServer.initContainers[0].securityContext.capabilities.drop[0] | string | `"ALL"` |  |
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -91,7 +91,7 @@ argo-cd:
    secret:
      createSecret: false
-      # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
+      # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0`
      # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
      # argocdServerAdminPassword: "ref+file://secrets.yaml#/test"
      # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
--- a/charts/kubezero-cert-manager/Chart.yaml
+++ b/charts/kubezero-cert-manager/Chart.yaml
@ -18,4 +18,4 @@ dependencies:
  - name: cert-manager
    version: v1.15.2
    repository: https://charts.jetstack.io
-kubeVersion: ">= 1.26.0"
+kubeVersion: ">= 1.26.0-0"
--- a/charts/kubezero-cert-manager/README.md
+++ b/charts/kubezero-cert-manager/README.md
@ -1,6 +1,6 @@
 # kubezero-cert-manager
-![Version: 0.9.8](https://img.shields.io/badge/Version-0.9.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.9](https://img.shields.io/badge/Version-0.9.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for cert-manager
@ -14,12 +14,12 @@ KubeZero Umbrella Chart for cert-manager
 ## Requirements
-Kubernetes: `>= 1.26.0`
+Kubernetes: `>= 1.26.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.jetstack.io | cert-manager | v1.15.1 |
+| https://charts.jetstack.io | cert-manager | v1.15.2 |
 ## AWS - OIDC IAM roles
@ -34,9 +34,6 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
 |-----|------|---------|-------------|
 | cert-manager.cainjector.extraArgs[0] | string | `"--logging-format=json"` |  |
 | cert-manager.cainjector.extraArgs[1] | string | `"--leader-elect=false"` |  |
 | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` |  |
 | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | cert-manager.crds.enabled | bool | `true` |  |
 | cert-manager.enableCertificateOwnerRef | bool | `true` |  |
 | cert-manager.enabled | bool | `true` |  |
@ -46,15 +43,9 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
 | cert-manager.global.leaderElection.namespace | string | `"cert-manager"` |  |
 | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` |  |
 | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` |  |
 | cert-manager.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cert-manager.prometheus.servicemonitor.enabled | bool | `false` |  |
 | cert-manager.startupapicheck.enabled | bool | `false` |  |
 | cert-manager.tolerations[0].effect | string | `"NoSchedule"` |  |
 | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | cert-manager.webhook.extraArgs[0] | string | `"--logging-format=json"` |  |
 | cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` |  |
 | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | clusterIssuer | object | `{}` |  |
 | localCA.enabled | bool | `false` |  |
 | localCA.selfsigning | bool | `true` |  |
--- a/charts/kubezero-cert-manager/jsonnetfile.lock.json
+++ b/charts/kubezero-cert-manager/jsonnetfile.lock.json
@ -18,7 +18,7 @@
          "subdir": "contrib/mixin"
        }
      },
-      "version": "010d462c0ff03a70f5c5fd32efbb76ad4c1e7c81",
+      "version": "df4e472a2d09813560ba44b21a29c0453dbec18c",
      "sum": "IXI3LQIT9NmTPJAk8WLUJd5+qZfcGpeNCyWIK7oEpws="
    },
    {
@ -58,7 +58,7 @@
          "subdir": "gen/grafonnet-latest"
        }
      },
-      "version": "5a66b0f6a0f4f7caec754dd39a0e263b56a0f90a",
+      "version": "733beadbc8dab55c5fe1bcdcf0d8a2d215759a55",
      "sum": "eyuJ0jOXeA4MrobbNgU4/v5a7ASDHslHZ0eS6hDdWoI="
    },
    {
@ -68,7 +68,7 @@
          "subdir": "gen/grafonnet-v10.0.0"
        }
      },
-      "version": "5a66b0f6a0f4f7caec754dd39a0e263b56a0f90a",
+      "version": "733beadbc8dab55c5fe1bcdcf0d8a2d215759a55",
      "sum": "xdcrJPJlpkq4+5LpGwN4tPAuheNNLXZjE6tDcyvFjr0="
    },
    {
@ -78,8 +78,8 @@
          "subdir": "gen/grafonnet-v11.0.0"
        }
      },
-      "version": "5a66b0f6a0f4f7caec754dd39a0e263b56a0f90a",
+      "version": "733beadbc8dab55c5fe1bcdcf0d8a2d215759a55",
-      "sum": "Fuo+qTZZzF+sHDBWX/8fkPsUmwW6qhH8hRVz45HznfI="
+      "sum": "0BvzR0i4bS4hc2O3xDv6i9m52z7mPrjvqxtcPrGhynA="
    },
    {
      "source": {
@ -88,8 +88,8 @@
          "subdir": "grafana-builder"
        }
      },
-      "version": "1d877bb0651ef92176f651d0be473c06e372a8a0",
+      "version": "d9ba581fb27aa6689e911f288d4df06948eb8aad",
-      "sum": "udZaafkbKYMGodLqsFhEe+Oy/St2p0edrK7hiMPEey0="
+      "sum": "yxqWcq/N3E/a/XreeU6EuE6X7kYPnG0AspAQFKOjASo="
    },
    {
      "source": {
@ -128,8 +128,8 @@
          "subdir": ""
        }
      },
-      "version": "3dfa72d1d1ab31a686b1f52ec28bbf77c972bd23",
+      "version": "1b71e399caee334af8ba2d15d0dd615043a652d0",
-      "sum": "7ufhpvzoDqAYLrfAsGkTAIRmu2yWQkmHukTE//jOsJU="
+      "sum": "qcRxavmCpuWQuwCMqYaOZ+soA8jxwWLrK7LYqohN5NA="
    },
    {
      "source": {
@ -138,8 +138,8 @@
          "subdir": "jsonnet/kube-state-metrics"
        }
      },
-      "version": "7104d579e93d672754c018a924d6c3f7ec23874e",
+      "version": "f8aa7d9bb9d8e29876e19f4859391a54a7e61d63",
-      "sum": "pvInhJNQVDOcC3NGWRMKRIP954mAvLXCQpTlafIg7fA="
+      "sum": "lO7jUSzAIy8Yk9pOWJIWgPRhubkWzVh56W6wtYfbVH4="
    },
    {
      "source": {
@ -148,7 +148,7 @@
          "subdir": "jsonnet/kube-state-metrics-mixin"
        }
      },
-      "version": "7104d579e93d672754c018a924d6c3f7ec23874e",
+      "version": "f8aa7d9bb9d8e29876e19f4859391a54a7e61d63",
      "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
    },
    {
@ -158,8 +158,8 @@
          "subdir": "jsonnet/kube-prometheus"
        }
      },
-      "version": "defa2bd1e242519c62a5c2b3b786b1caa6d906d4",
+      "version": "33c43a4067a174a99529e41d537eef290a7028ea",
-      "sum": "INKeZ+QIIPImq+TrfHT8CpYdoRzzxRk0txG07XlOo/Q="
+      "sum": "/jU8uXWR202aR7K/3zOefhc4JBUAUkTdHvE9rhfzI/g="
    },
    {
      "source": {
@ -168,7 +168,7 @@
          "subdir": "jsonnet/mixin"
        }
      },
-      "version": "609424db53853b992277b7a9a0e5cf59f4cc24f3",
+      "version": "aa74b0d377d32648ca50f2531fe2253895629d9f",
      "sum": "gi+knjdxs2T715iIQIntrimbHRgHnpM8IFBJDD1gYfs=",
      "name": "prometheus-operator-mixin"
    },
@ -179,8 +179,8 @@
          "subdir": "jsonnet/prometheus-operator"
        }
      },
-      "version": "609424db53853b992277b7a9a0e5cf59f4cc24f3",
+      "version": "aa74b0d377d32648ca50f2531fe2253895629d9f",
-      "sum": "z2/5LjQpWC7snhT+n/mtQqoy5986uI95sTqcKQziwGU="
+      "sum": "EZR4sBAtmFRsUR7U4SybuBUhK9ncMCvEu9xHtu8B9KA="
    },
    {
      "source": {
@ -189,7 +189,7 @@
          "subdir": "doc/alertmanager-mixin"
        }
      },
-      "version": "eb8369ec510d76f63901379a8437c4b55885d6c5",
+      "version": "27b6eb7ce02680c84b9a06503edbddc9213f586d",
      "sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=",
      "name": "alertmanager"
    },
@ -210,7 +210,7 @@
          "subdir": "documentation/prometheus-mixin"
        }
      },
-      "version": "ac85bd47e1cfa0d63520e4c0b4e26900c42c326b",
+      "version": "616038f2b64656b2c9c6053f02aee544c5b8bb17",
      "sum": "dYLcLzGH4yF3qB7OGC/7z4nqeTNjv42L7Q3BENU8XJI=",
      "name": "prometheus"
    },
@ -232,7 +232,7 @@
          "subdir": "mixin"
        }
      },
-      "version": "35c0dbec856f97683a846e9c53f83156a3a44ff3",
+      "version": "dcadaae80fcce1fb05452b37ca8d3b2809d7cef9",
      "sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=",
      "name": "thanos-mixin"
    }
--- a/charts/kubezero-cert-manager/values.yaml
+++ b/charts/kubezero-cert-manager/values.yaml
@ -61,31 +61,15 @@ cert-manager:
  #  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  #  readOnly: true
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  ingressShim:
    defaultIssuerName: letsencrypt-dns-prod
    defaultIssuerKind: ClusterIssuer
  webhook:
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    extraArgs:
      - "--logging-format=json"
  cainjector:
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    extraArgs:
      - "--logging-format=json"
      - "--leader-elect=false"
--- a/charts/kubezero-istio-gateway/Chart.yaml
+++ b/charts/kubezero-istio-gateway/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio-gateway
 description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.22.3
+version: 0.22.3-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -19,4 +19,4 @@ dependencies:
  - name: gateway
    version: 1.22.3
    repository: https://istio-release.storage.googleapis.com/charts
-kubeVersion: ">= 1.26.0"
+kubeVersion: ">= 1.26.0-0"
--- a/charts/kubezero-istio-gateway/README.md
+++ b/charts/kubezero-istio-gateway/README.md
@ -1,6 +1,6 @@
 # kubezero-istio-gateway
-![Version: 0.22.3](https://img.shields.io/badge/Version-0.22.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.22.3-1](https://img.shields.io/badge/Version-0.22.3--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for Istio gateways
@ -16,7 +16,7 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
 ## Requirements
-Kubernetes: `>= 1.26.0`
+Kubernetes: `>= 1.26.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
@ -33,7 +33,6 @@ Kubernetes: `>= 1.26.0`
 | gateway.autoscaling.minReplicas | int | `1` |  |
 | gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
 | gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` |  |
 | gateway.priorityClassName | string | `"system-cluster-critical"` |  |
 | gateway.replicaCount | int | `1` |  |
 | gateway.resources.limits.memory | string | `"512Mi"` |  |
 | gateway.resources.requests.cpu | string | `"50m"` |  |
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@ -8,7 +8,6 @@ gateway:
  replicaCount: 1
  terminationGracePeriodSeconds: 120
  priorityClassName: system-cluster-critical
  resources:
    requests:
--- a/charts/kubezero-istio/Chart.yaml
+++ b/charts/kubezero-istio/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.22.3
+version: 0.22.3-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -22,7 +22,7 @@ dependencies:
    version: 1.22.3
    repository: https://istio-release.storage.googleapis.com/charts
  - name: kiali-server
-    version: "1.87.0"
+    version: "1.88.0"
    repository: https://kiali.org/helm-charts
    condition: kiali-server.enabled
-kubeVersion: ">= 1.26.0"
+kubeVersion: ">= 1.26.0-0"
--- a/charts/kubezero-istio/README.md
+++ b/charts/kubezero-istio/README.md
@ -1,6 +1,6 @@
 # kubezero-istio
-![Version: 0.22.3](https://img.shields.io/badge/Version-0.22.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.22.3-1](https://img.shields.io/badge/Version-0.22.3--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for Istio
@ -16,14 +16,14 @@ Installs the Istio control plane
 ## Requirements
-Kubernetes: `>= 1.26.0`
+Kubernetes: `>= 1.26.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 | https://istio-release.storage.googleapis.com/charts | base | 1.22.3 |
 | https://istio-release.storage.googleapis.com/charts | istiod | 1.22.3 |
-| https://kiali.org/helm-charts | kiali-server | 1.87.0 |
+| https://kiali.org/helm-charts | kiali-server | 1.88.0 |
 ## Values
@ -31,19 +31,15 @@ Kubernetes: `>= 1.26.0`
 |-----|------|---------|-------------|
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
 | global.logAsJson | bool | `true` |  |
 | global.priorityClassName | string | `"system-cluster-critical"` |  |
 | global.variant | string | `"distroless"` |  |
 | istiod.meshConfig.accessLogEncoding | string | `"JSON"` |  |
 | istiod.meshConfig.accessLogFile | string | `"/dev/stdout"` |  |
 | istiod.meshConfig.tcpKeepalive.interval | string | `"60s"` |  |
 | istiod.meshConfig.tcpKeepalive.time | string | `"120s"` |  |
 | istiod.pilot.autoscaleEnabled | bool | `false` |  |
 | istiod.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
 | istiod.pilot.replicaCount | int | `1` |  |
 | istiod.pilot.resources.requests.cpu | string | `"100m"` |  |
 | istiod.pilot.resources.requests.memory | string | `"128Mi"` |  |
 | istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` |  |
 | istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` |  |
 | istiod.telemetry.enabled | bool | `false` |  |
 | kiali-server.auth.strategy | string | `"anonymous"` |  |
 | kiali-server.deployment.ingress_enabled | bool | `false` |  |
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@ -6,19 +6,11 @@ global:
  defaultPodDisruptionBudget:
    enabled: false
  priorityClassName: "system-cluster-critical"
 istiod:
  pilot:
    autoscaleEnabled: false
    replicaCount: 1
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    resources:
      requests:
        cpu: 100m
--- a/charts/kubezero/Chart.yaml
+++ b/charts/kubezero/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero
 description: KubeZero - Root App of Apps chart
 type: application
-version: 1.29.7
+version: 1.29.7-1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -15,4 +15,4 @@ dependencies:
  - name: kubezero-lib
    version: ">= 0.1.6"
    repository: https://cdn.zero-downtime.net/charts
-kubeVersion: ">= 1.26.0"
+kubeVersion: ">= 1.26.0-0"
--- a/charts/kubezero/templates/cert-manager.yaml
+++ b/charts/kubezero/templates/cert-manager.yaml
@ -9,10 +9,29 @@ cert-manager:
    type: Recreate
  {{- end }}
-  prometheus:
+  {{- if eq .Values.global.platform "aws" }}
-    servicemonitor:
+  # map everything to the control-plane
-      enabled: {{ $.Values.metrics.enabled }}
+  nodeSelector:
-{{ with index .Values "cert-manager" "IamArn" }}
+    node-role.kubernetes.io/control-plane: ""
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule
  webhook:
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
  cainjector:
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
  {{ with index .Values "cert-manager" "IamArn" }}
  extraEnv:
  - name: AWS_ROLE_ARN
    value: "{{ . }}"
@ -34,7 +53,19 @@ cert-manager:
  - name: aws-token
    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
    readOnly: true
-{{- end }}
+  {{- end }}
  {{- end }}
  {{- if eq .Values.global.platform "gke" }}
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
  {{- end }}
  prometheus:
    servicemonitor:
      enabled: {{ $.Values.metrics.enabled }}
 {{- with index .Values "cert-manager" "clusterIssuer" }}
 clusterIssuer:
--- a/charts/kubezero/templates/istio-ingress.yaml
+++ b/charts/kubezero/templates/istio-ingress.yaml
@ -3,6 +3,10 @@
 gateway:
  name: istio-ingressgateway
  {{- if ne .Values.global.platform "gke" }}
    priorityClassName: "system-cluster-critical"
  {{- end }}
  {{- with index .Values "istio-ingress" "gateway" "replicaCount" }}
  replicaCount: {{ . }}
  {{- if gt (int .) 1 }}
@ -11,7 +15,7 @@ gateway:
  {{- end }}
  {{- end }}
-  {{- if not (index .Values "istio-ingress" "gateway" "affinity") }}
+  {{- if eq .Values.global.platform "aws" }}
  # Only nodes who are fronted with matching LB
  affinity:
    nodeAffinity:
--- a/charts/kubezero/templates/istio.yaml
+++ b/charts/kubezero/templates/istio.yaml
@ -1,21 +1,37 @@
 {{- define "istio-values" }}
 {{- if .Values.global.highAvailable }}
 global:
  defaultPodDisruptionBudget:
    enabled: true
  {{- if ne .Values.global.platform "gke" }}
    priorityClassName: "system-cluster-critical"
  {{- end }}
 {{- end }}
 istiod:
  telemetry:
    enabled: {{ $.Values.metrics.enabled }}
  pilot:
 {{- if eq .Values.global.platform "aws" }}
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
 {{- end }}
 {{- if .Values.global.highAvailable }}
    replicaCount: 2
 global:
  defaultPodDisruptionBudget:
    enabled: true
 {{- else }}
    extraContainerArgs:
    - --leader-elect=false
 {{- end }}
 {{- with  index .Values "istio" "kiali-server" }}
 kiali-server:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- with .Values.istio.rateLimiting }}
 rateLimiting:
  {{- toYaml . | nindent 2 }}
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -5,9 +5,15 @@ kubezero:
  gitSync: {}
 global:
  highAvailable: false
  clusterName: zdt-trial-cluster
  # platform: aws (kubeadm), gke, or nocloud ( default )
  platform: "nocloud"
  highAvailable: false
  aws: {}
  gcp: {}
 addons:
  enabled: true
@ -37,7 +43,7 @@ network:
 cert-manager:
  enabled: false
  namespace: cert-manager
-  targetRevision: 0.9.8
+  targetRevision: 0.9.9
 storage:
  enabled: false
@ -58,13 +64,13 @@ storage:
 istio:
  enabled: false
  namespace: istio-system
-  targetRevision: 0.22.3
+  targetRevision: 0.22.3-1
 istio-ingress:
  enabled: false
  chart: kubezero-istio-gateway
  namespace: istio-ingress
-  targetRevision: 0.22.3
+  targetRevision: 0.22.3-1
  gateway:
    service: {}
@ -72,7 +78,7 @@ istio-private-ingress:
  enabled: false
  chart: kubezero-istio-gateway
  namespace: istio-ingress
-  targetRevision: 0.22.3
+  targetRevision: 0.22.3-1
  gateway:
    service: {}