ABS migration, bump app-operator to v7.0.0, chart-operator to v4.…

…0.0 and remove PSP support (#548)

.abs/main.yaml

@@ -0,0 +1,8 @@
+replace-app-version-with-git: true
+replace-chart-version-with-git: true
+generate-metadata: true
+chart-dir: ./helm/cluster-apps-operator
+destination: ./build
+
+# CI overwrites this, check .circleci/config.yaml
+catalog-base-url: https://giantswarm.github.io/control-plane-catalog/

.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2.1
 
 orbs:
-  architect: giantswarm/architect@5.8.0
+  architect: giantswarm/architect@5.11.1
 
 workflows:
   build:
@@ -28,6 +28,7 @@ workflows:
             - master
     - architect/push-to-app-catalog:
         context: architect
+        executor: app-build-suite
         name: push-cluster-apps-operator-to-control-plane-app-catalog
         app_catalog: control-plane-catalog
         app_catalog_test: control-plane-test-catalog

CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Removed
+
+- Removed PSP support and thus support for pre v1.25 Kubernetes clusters.
+  - Removed `.global.podSecurityStandards.enforced` Helm value.
+- Removed `.project.branch` and `project.commit` Helm values.
+
+### Changed
+
+- Bump `app-operator` to version [v7.0.0](https://github.com/giantswarm/app-operator/releases/tag/v7.0.0)
+- Bump `chart-operator` to version [v4.0.0](https://github.com/giantswarm/chart-operator/releases/tag/v4.0.0)
+- Bump `architect-orb` to `v5.11.1`.
+- Updated build pipeline to use `app-build-suite`.
+  - Changed value for `application.giantswarm.io/branch` label to point to `.Chart.AppVersion` instead as ABS does not support mangling the templates anymore.
+  - Changed value for `application.giantswarm.io/commit` label to point to `.Chart.AppVersion` instead as ABS does not support mangling the templates anymore.
+- Defaulted `.image.tag` to be an empty string and default that to `.Chart.AppVersion` in the deployment.
+
 ## [2.23.2] - 2024-09-25
 
 ### Changed

helm/cluster-apps-operator/Chart.yaml

@@ -1,9 +1,10 @@
 apiVersion: "v2"
-appVersion: "[[ .AppVersion ]]"
+appVersion: "2.23.3-dev"
 description: "Chart holding cluster-apps-operator."
 home: "https://github.com/giantswarm/cluster-apps-operator"
+icon: https://s.giantswarm.io/app-icons/giantswarm/1/dark.svg
 name: "cluster-apps-operator"
-version: "[[ .Version ]]"
+version: "2.23.2"
 annotations:
   application.giantswarm.io/team: "honeybadger"
   config.giantswarm.io/version: 1.x.x

helm/cluster-apps-operator/templates/_helpers.tpl

@@ -19,8 +19,8 @@ Common labels
 {{- define "labels.common" -}}
 app: {{ include "name" . | quote }}
 {{ include "labels.selector" . }}
-app.giantswarm.io/branch: {{ .Values.project.branch | replace "#" "-" | replace "/" "-" | replace "." "-" | trunc 63 | trimSuffix "-" | quote }}
-app.giantswarm.io/commit: {{ .Values.project.commit | quote }}
+app.giantswarm.io/branch: {{ .Chart.AppVersion | replace "#" "-" | replace "/" "-" | replace "." "-" | trunc 63 | trimSuffix "-" | quote }}
+app.giantswarm.io/commit: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
@@ -34,3 +34,14 @@ Selector labels
 app.kubernetes.io/name: {{ include "name" . | quote }}
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 {{- end -}}
+
+{{/*
+Define image tag.
+*/}}
+{{- define "image.tag" -}}
+{{- if .Values.image.tag }}
+{{- .Values.image.tag }}
+{{- else }}
+{{- .Chart.AppVersion }}
+{{- end }}
+{{- end }}

helm/cluster-apps-operator/templates/deployment.yaml

@@ -44,14 +44,17 @@ spec:
         {{- end }}
       containers:
       - name: {{ include "name" . }}
-        image: "{{ .Values.registry.domain }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+        image: "{{ .Values.registry.domain }}/{{ .Values.image.name }}:{{ include "image.tag" . }}"
         args:
         - daemon
         - --config.dirs=/var/run/{{ include "name" . }}/configmap/
         - --config.files=config
         volumeMounts:
         - name: {{ include "name" . }}-configmap
           mountPath: /var/run/{{ include "name" . }}/configmap/
+        ports:
+          - name: http
+            containerPort: 8000
         livenessProbe:
           httpGet:
             path: /healthz

helm/cluster-apps-operator/templates/rbac.yaml

@@ -129,36 +129,3 @@ roleRef:
   kind: ClusterRole
   name: {{ include "resource.default.name"  . }}
   apiGroup: rbac.authorization.k8s.io
----
-{{- if not (((.Values.global).podSecurityStandards).enforced) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "resource.psp.name" . }}
-  labels:
-    {{- include "labels.common" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - extensions
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-    resourceNames:
-      - {{ include "resource.psp.name" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "resource.psp.name" . }}
-  labels:
-    {{- include "labels.common" . | nindent 4 }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "resource.default.name"  . }}
-    namespace: {{ include "resource.default.namespace"  . }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "resource.psp.name" . }}
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}

helm/cluster-apps-operator/values.schema.json

@@ -65,19 +65,6 @@
                 }
             }
         },
-        "global": {
-            "type": "object",
-            "properties": {
-                "podSecurityStandards": {
-                    "type": "object",
-                    "properties": {
-                        "enforced": {
-                            "type": "boolean"
-                        }
-                    }
-                }
-            }
-        },
         "image": {
             "type": "object",
             "properties": {

helm/cluster-apps-operator/values.yaml

@@ -2,13 +2,13 @@ appOperator:
   catalog: control-plane-catalog
   # used by renovate
   # repo: giantswarm/app-operator
-  version: 6.11.0
+  version: 7.0.0
 
 chartOperator:
   catalog: default
   # used by renovate
   # repo: giantswarm/chart-operator
-  version: 3.3.0
+  version: 4.0.0
 
 baseDomain: ""
 
@@ -33,7 +33,7 @@ deployment:
 
 image:
   name: "giantswarm/cluster-apps-operator"
-  tag: "[[ .Version ]]"
+  tag: ""
 
 controller:
   resyncPeriod: "5m"
@@ -49,10 +49,6 @@ pod:
   group:
     id: 1000
 
-project:
-  branch: "[[ .Branch ]]"
-  commit: "[[ .SHA ]]"
-
 registry:
   domain: gsoci.azurecr.io
   mirrors:
@@ -70,6 +66,7 @@ podSecurityContext:
 
 # Add seccomp to container security context
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
     drop:
@@ -84,7 +81,3 @@ serviceMonitor:
   interval: "60s"
   # -- (duration) Prometheus scrape timeout.
   scrapeTimeout: "45s"
-
-global:
-  podSecurityStandards:
-    enforced: false

service/controller/resource/clustersecret/vsphere_test.go

@@ -100,8 +100,6 @@ func getValuesProxyEnabled() string {
     global:
       release:
         version: 1.2.3
-      podSecurityStandards:
-        enforced: true
       connectivity:
         baseDomain: test.example.io
         proxy:
@@ -119,8 +117,6 @@ func getValuesProxyDisabled() string {
     global:
       release:
         version: 1.2.3
-      podSecurityStandards:
-        enforced: true
       connectivity:
         baseDomain: test.example.io
         proxy:
@@ -135,8 +131,6 @@ func getValuesProxyNotDefined() string {
     global:
       release:
         version: 1.2.3
-      podSecurityStandards:
-        enforced: true
       connectivity:
         baseDomain: test.example.io
         availabilityZoneUsageLimit: 3
@@ -149,8 +143,6 @@ func getValuesProxyEmpty() string {
     global:
       release:
         version: 1.2.3
-      podSecurityStandards:
-        enforced: true
       connectivity:
         baseDomain: test.example.io
         proxy: