From b7348b6cadebe9eee37236802c9c680f4ad774f7 Mon Sep 17 00:00:00 2001 
From: shreddedbacon Date: Mon, 5 Jun 2023 09:28:31 +1000 Subject: [PATCH 01/35] feat: new dedicated docker-host chart --- charts/lagoon-docker-host/.gitignore | 1 + charts/lagoon-docker-host/.helmignore | 22 ++++ charts/lagoon-docker-host/Chart.yaml | 30 +++++ charts/lagoon-docker-host/README.md | 4 + .../lagoon-docker-host/ci/linter-values.yaml | 2 + charts/lagoon-docker-host/templates/NOTES.txt | 27 +++++ .../lagoon-docker-host/templates/_helpers.tpl | 81 +++++++++++++ .../templates/docker-host.clusterrole.yaml | 17 +++ .../templates/docker-host.deployment.yaml | 113 ++++++++++++++++++ .../templates/docker-host.networkpolicy.yaml | 17 +++ .../templates/docker-host.pvc.yaml | 17 +++ .../templates/docker-host.rolebinding.yaml | 17 +++ .../templates/docker-host.service.yaml | 15 +++ .../templates/docker-host.serviceaccount.yaml | 8 ++ .../templates/tests/test-connection.yaml | 18 +++ charts/lagoon-docker-host/values.yaml | 95 +++++++++++++++ 16 files changed, 484 insertions(+) create mode 100644 charts/lagoon-docker-host/.gitignore create mode 100644 charts/lagoon-docker-host/.helmignore create mode 100644 charts/lagoon-docker-host/Chart.yaml create mode 100644 charts/lagoon-docker-host/README.md create mode 100644 charts/lagoon-docker-host/ci/linter-values.yaml create mode 100644 charts/lagoon-docker-host/templates/NOTES.txt create mode 100644 charts/lagoon-docker-host/templates/_helpers.tpl create mode 100644 charts/lagoon-docker-host/templates/docker-host.clusterrole.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.deployment.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.networkpolicy.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.pvc.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.rolebinding.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.service.yaml create mode 100644 charts/lagoon-docker-host/templates/docker-host.serviceaccount.yaml 
create mode 100644 charts/lagoon-docker-host/templates/tests/test-connection.yaml create mode 100644 charts/lagoon-docker-host/values.yaml
diff --git a/charts/lagoon-docker-host/.gitignore b/charts/lagoon-docker-host/.gitignore
new file mode 100644
index 00000000..413d4a36
--- /dev/null
+++ b/charts/lagoon-docker-host/.gitignore
@@ -0,0 +1 @@
+/charts
diff --git a/charts/lagoon-docker-host/.helmignore b/charts/lagoon-docker-host/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/charts/lagoon-docker-host/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/lagoon-docker-host/Chart.yaml b/charts/lagoon-docker-host/Chart.yaml
new file mode 100644
index 00000000..5310513d
--- /dev/null
+++ b/charts/lagoon-docker-host/Chart.yaml
@@ -0,0 +1,30 @@
+apiVersion: v2
+name: lagoon-docker-host
+description: A Helm chart to run a lagoon-docker-host
+home: https://github.com/uselagoon/lagoon-charts
+icon: https://raw.githubusercontent.com/uselagoon/lagoon-charts/main/icon.png
+maintainers:
+- name: shreddedbacon
+ email: ben.jackson@amazee.io
+ url: https://amazee.io
+kubeVersion: ">= 1.21.0-0"
+
+# Application charts are a collection of templates that can be packaged into
+# versioned archives to be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each
+# time you make changes to the chart and its templates, including the app
+# version.
+version: 0.1.0
+
+appVersion: v3.3.0
+
+
+# This section is used to collect a changelog for artifacthub.io
+# It should be started afresh for each release
+# Valid supported kinds are added, changed, deprecated, removed, fixed and security
+annotations:
+ artifacthub.io/changes: |
+ - kind: changed
+ description: update lagoon-docker-host to appversion v3.3.0
diff --git a/charts/lagoon-docker-host/README.md b/charts/lagoon-docker-host/README.md
new file mode 100644
index 00000000..1f261af3
--- /dev/null
+++ b/charts/lagoon-docker-host/README.md
@@ -0,0 +1,4 @@
+# Lagoon Docker Host
+
+This chart installs a docker hpst service for [Lagoon](https://github.com/amazeeio/lagoon/).
+Install this chart into the cluster you want to deploy workloads to.
diff --git a/charts/lagoon-docker-host/ci/linter-values.yaml b/charts/lagoon-docker-host/ci/linter-values.yaml
new file mode 100644
index 00000000..579baa2b
--- /dev/null
+++ b/charts/lagoon-docker-host/ci/linter-values.yaml
@@ -0,0 +1,2 @@
+storage:
+ size: 50Gi
diff --git a/charts/lagoon-docker-host/templates/NOTES.txt b/charts/lagoon-docker-host/templates/NOTES.txt
new file mode 100644
index 00000000..0e853eec
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/NOTES.txt
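Review bot: The artifacthub.io/changes entry for a chart that this commit creates from scratch records `kind: changed` with "update lagoon-docker-host to appversion v3.3.0", but there was nothing to update; the comment two lines above lists `added` as a valid kind and that is what a first release should carry, e.g. `- kind: added` / `description: initial release of the lagoon-docker-host chart`. The README hunk on the same line also misspells "host" as "hpst".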
@@ -0,0 +1,27 @@ + +            .;. +        .':ooo' .l;. +     .:odddooo' .lllc:'. + .;oxxxxdddddo' .lllcc:::,. +.kkkkxxxxxdddd' .lllcc:::::: +.kkkkkkxxxxxdd, .lllcccccc:: +.OOOkkkkkxxxxx, .llllllccccc +.OOOOOkkkkkxxx;  ':llllllccc +.0OOOOOOkkkkxxxo;.  .,cllllc. +.0000OOOOOkkkkxxxddc,. .':ll. +.K0000000OOOOkkkxxxxddo;.  . +.kKKKKKK0000OOOkkkkxxxdddoc. +  .;d0KKKKK000OOOOkkkxxdc' +      .ckKKKK000OOOOd;. +         .,o0KKKOl, +             .;.  + _ _ _ _ _ +| | | | | | | | | | +| | __ _ __ _ ___ ___ _ __ __| | ___ ___| | _____ _ __ | |__ ___ ___| |_ +| |/ _` |/ _` |/ _ \ / _ \| '_ \ / _` |/ _ \ / __| |/ / _ \ '__| | '_ \ / _ \/ __| __| +| | (_| | (_| | (_) | (_) | | | | | (_| | (_) | (__| < __/ | | | | | (_) \__ \ |_ +|_|\__,_|\__, |\___/ \___/|_| |_| \__,_|\___/ \___|_|\_\___|_| |_| |_|\___/|___/\__| + __/ | + |___/ + +Lagoon Docker Host configured. diff --git a/charts/lagoon-docker-host/templates/_helpers.tpl b/charts/lagoon-docker-host/templates/_helpers.tpl new file mode 100644 index 00000000..4ca2eff3 --- /dev/null +++ b/charts/lagoon-docker-host/templates/_helpers.tpl 
@@ -0,0 +1,81 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lagoon-docker-host.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lagoon-docker-host.fullname" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "lagoon-docker-host.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "lagoon-docker-host.labels" -}}
+helm.sh/chart: {{ include "lagoon-docker-host.chart" . }}
+{{ include "lagoon-docker-host.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "lagoon-docker-host.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-docker-host.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+
+{{/*
+Create the name of the service account to use for dockerHost.
+*/}}
+{{- define "lagoon-docker-host.dockerHost.serviceAccountName" -}}
+{{- default (include "lagoon-docker-host.dockerHost.fullname" .) .Values.serviceAccount.name }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name for dockerHost.
+*/}}
+{{- define "lagoon-docker-host.dockerHost.fullname" -}}
+{{- include "lagoon-docker-host.fullname" . }}-docker-host
+{{- end }}
+
+{{/*
+Common labels dockerHost.
+*/}}
+{{- define "lagoon-docker-host.dockerHost.labels" -}}
+helm.sh/chart: {{ include "lagoon-docker-host.chart" . 
}}
+{{ include "lagoon-docker-host.dockerHost.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels dockerHost.
+*/}}
+{{- define "lagoon-docker-host.dockerHost.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-docker-host.name" . }}
+app.kubernetes.io/component: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
diff --git a/charts/lagoon-docker-host/templates/docker-host.clusterrole.yaml b/charts/lagoon-docker-host/templates/docker-host.clusterrole.yaml
new file mode 100644
index 00000000..cb4e6583
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.serviceAccount.create .Values.global.openshift -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.deployment.yaml b/charts/lagoon-docker-host/templates/docker-host.deployment.yaml
new file mode 100644
index 00000000..5f3b0041
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.deployment.yaml
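Review bot: The comment on `lagoon-docker-host.fullname` says "If release name contains chart name it will be used as a full name", but the definition beneath it returns `.Release.Name` unconditionally, so the comment describes the conventional helper rather than this one. Either restore the conditional form or reword the comment to match the code, e.g. `Use the release name as the fully qualified app name; the chart name is deliberately not appended.` Since every resource in this chart is then named through `lagoon-docker-host.dockerHost.fullname`, which appends `-docker-host` to that release name, stating that in the same comment would tell a reader which name actually lands on the objects. The `lagoon-docker-host.labels` and `lagoon-docker-host.dockerHost.labels` helpers are identical apart from the selector include; if the first is unused by any template, consider dropping it to avoid drift.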
@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "lagoon-docker-host.dockerHost.selectorLabels" . | nindent 6 }}
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.serviceAccount.create }}
+ serviceAccountName: {{ include "lagoon-docker-host.dockerHost.serviceAccountName" . }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: docker-host
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ {{- range $name, $value := .Values.extraEnvs }}
+ - name: {{ .name }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- with .Values.httpProxy }}
+ - name: HTTP_PROXY
+ value: {{ . | quote }}
+ - name: http_proxy
+ value: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.httpsProxy }}
+ - name: HTTPS_PROXY
+ value: {{ . | quote }}
+ - name: https_proxy
+ value: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.noProxy }}
+ - name: NO_PROXY
+ value: {{ . | quote }}
+ - name: no_proxy
+ value: {{ . 
| quote }}
+ {{- end }}
+ - name: DOCKER_HOST
+ value: localhost
+ - name: REGISTRY
+ value: {{ .Values.registry | quote }}
+ - name: REPOSITORY_TO_UPDATE
+ value: {{ .Values.repositoryToUpdate | quote }}
+ - name: PRUNE_IMAGES_UNTIL
+ value: {{ .Values.pruneImagesUntil | quote }}
+ - name: CRONJOBS
+ value: |
+ 22 1 * * * /lagoon/cronjob.sh "/prune-images.sh"
+ 22 */4 * * * /lagoon/cronjob.sh "/remove-exited.sh"
+ */15 * * * * /lagoon/cronjob.sh "/update-images.sh"
+ ports:
+ - containerPort: 2375
+ protocol: TCP
+ name: docker-daemon
+ livenessProbe:
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 2375
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 2375
+ timeoutSeconds: 1
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: /var/lib/docker
+ name: docker-lib
+ volumes:
+ - name: docker-lib
+ {{- if .Values.storage.create }}
+ persistentVolumeClaim:
+ claimName: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ {{- else }}
+ emptyDir: {}
+ {{- end -}}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.networkpolicy.yaml b/charts/lagoon-docker-host/templates/docker-host.networkpolicy.yaml
new file mode 100644
index 00000000..1548ea17
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.networkpolicy.yaml
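Review bot: The container listens on `containerPort: 2375`, conventionally the plaintext, unauthenticated Docker API, from a pod whose shipped `securityContext` (values.yaml in this commit) is `privileged: true`, so any client that reaches that port effectively controls the node, yet nothing in the template records that the NetworkPolicy is the only access control. Suggest a comment above `ports:` such as `# 2375 is the plaintext Docker API with no authentication; access is gated solely by docker-host.networkpolicy.yaml, never expose this Service outside the cluster`. Separately, `serviceAccountName` is only rendered inside `{{- if .Values.serviceAccount.create }}`, so a pre-existing account supplied via `serviceAccount.name` with `create: false` is silently ignored and the pod runs as the namespace default; rendering `serviceAccountName: {{ include "lagoon-docker-host.dockerHost.serviceAccountName" . }}` unconditionally fixes that, since the helper already falls back to the generated name. Style: `range $name, $value := .Values.extraEnvs` never uses its two variables and reads `.name`/`.value` instead, which works for a list of name/value maps but reads as if a map were expected; `range .Values.extraEnvs` says what is meant.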
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+spec:
+ ingress:
+ - from:
+ {{- toYaml .Values.networkPolicy.policy | nindent 4 }}
+ podSelector:
+ matchLabels:
+ {{- include "lagoon-docker-host.dockerHost.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+{{- end }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.pvc.yaml b/charts/lagoon-docker-host/templates/docker-host.pvc.yaml
new file mode 100644
index 00000000..a72c3c6c
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.pvc.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.storage.create -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.storage.size | quote }}
+ {{- with .Values.storage.className }}
+ storageClassName: {{ . | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.rolebinding.yaml b/charts/lagoon-docker-host/templates/docker-host.rolebinding.yaml
new file mode 100644
index 00000000..89978731
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.rolebinding.yaml
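Review bot: The single `from` rule rendered from `networkPolicy.policy` admits any pod carrying a `lagoon.sh/buildName` label inside any namespace carrying `lagoon.sh/environment` (the two selectors in one element are ANDed), and a pod label is set by whoever creates the pod; if tenants can create pods in those environment namespaces, an `Exists` match on a pod label is a thin gate in front of a privileged Docker daemon. The template cannot tighten that by itself, but it should state what it trusts; suggest a comment above `ingress:` such as `# this rule is the only access control on the privileged docker daemon; a pod-label Exists match is only as strong as who can set labels in the selected namespaces`. The policy is also skipped entirely when `networkPolicy.enabled` is false or when the cluster's CNI does not enforce NetworkPolicy, which the same comment should mention so operators know to verify enforcement.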
@@ -0,0 +1,17 @@
+{{- if and .Values.serviceAccount.create .Values.global.openshift -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "lagoon-docker-host.dockerHost.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "lagoon-docker-host.dockerHost.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.service.yaml b/charts/lagoon-docker-host/templates/docker-host.service.yaml
new file mode 100644
index 00000000..c1b28ee7
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: docker-host
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: docker-daemon
+ protocol: TCP
+ name: docker-daemon
+ selector:
+ {{- include "lagoon-docker-host.dockerHost.selectorLabels" . | nindent 4 }}
diff --git a/charts/lagoon-docker-host/templates/docker-host.serviceaccount.yaml b/charts/lagoon-docker-host/templates/docker-host.serviceaccount.yaml
new file mode 100644
index 00000000..5e5e81c3
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/docker-host.serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "lagoon-docker-host.dockerHost.serviceAccountName" . }}
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+{{- end }}
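Review bot: In the Service hunk, `name: docker-host` is a fixed literal while every other object in the chart is named through `lagoon-docker-host.dockerHost.fullname`, so two releases in one namespace would collide on the Service, and the helm test on the next line depends on the same literal. If the fixed DNS name is intentional because clients resolve `docker-host` by that hostname (inferred, not visible here), say so in place, e.g. `name: docker-host # fixed: clients reach the daemon as docker-host:<port>, do not template this`; otherwise use the helper and expose the name as a value. `type: {{ .Values.service.type }}` will also render NodePort or LoadBalancer unchallenged, which would put a plaintext privileged Docker API outside the cluster; a comment in values.yaml that only ClusterIP is appropriate, or a `{{ fail "service.type must be ClusterIP" }}` guard for other types, would prevent that misconfiguration.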
diff --git a/charts/lagoon-docker-host/templates/tests/test-connection.yaml b/charts/lagoon-docker-host/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..fcf59492
--- /dev/null
+++ b/charts/lagoon-docker-host/templates/tests/test-connection.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "lagoon-docker-host.dockerHost.fullname" . }}-test-connection"
+ labels:
+ {{- include "lagoon-docker-host.dockerHost.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: nc
+ image: busybox
+ command: ['nc']
+ args:
+ - "-zvw5"
+ - "docker-host"
+ - "{{ .Values.service.port }}"
+ restartPolicy: Never
diff --git a/charts/lagoon-docker-host/values.yaml b/charts/lagoon-docker-host/values.yaml
new file mode 100644
index 00000000..877dc32e
--- /dev/null
+++ b/charts/lagoon-docker-host/values.yaml
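Review bot: `image: busybox` carries no tag, so each test run pulls whatever the registry currently resolves for that name, which makes the hook non-reproducible and is the kind of reference an image-policy admission control typically rejects; pin it, e.g. `image: busybox:<pinned-tag>` (tag to be chosen by the maintainers). The test also hard-codes the `docker-host` host name, which only works because the Service on the previous line uses the same literal; if that name ever becomes templated this test will silently test the wrong target, so a comment tying the two together, `# must match metadata.name in docker-host.service.yaml`, is worth adding.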
@@ -0,0 +1,95 @@
+global:
+ # set to true to enable openshift support
+ openshift: false
+
+image:
+ repository: uselagoon/docker-host
+ pullPolicy: Always
+
+name: docker-host
+
+pruneImagesUntil: 168h
+
+# TODO: change this up once new docker-host is released
+registry: registry.lagoon.svc:5000
+repositoryToUpdate: amazeeio|lagoon
+
+replicaCount: 1
+
+## proxy configuration
+# httpProxy: ""
+# httpsProxy: ""
+# noProxy: ""
+
+# add extra environment variables if required
+extraEnvs:
+
+storage:
+ create: true
+ size: 750Gi
+ # className sets the storageClassName for the docker-host PVC. This is
+ # useful if the docker-host requires a specific storage class for features
+ # such as increased IOPS.
+ #
+ # WARNING: On platforms such as AKS not all storage volume classes can be
+ # bound to all node types. So if you configure a storage class that can't
+ # be bound to any nodes in the cluster it will cause the docker-host pod to
+ # fail to schedule. For example AKS requires Premium Storage suport on the
+ # node for the managed-premium storage class.
+ #
+ # If className is not defined the chart will not set any specify storage
+ # class on the PVC, effectively falling back to the cluster default.
+ #
+ # className: managed-premium
+
+networkPolicy:
+ # Specifies whether the docker-host network policy should be enabled
+ enabled: true
+ # Specify the policy to apply, useful to change who can access the docker-host
+ # This default policy just replicates the existing docker-host
+ policy:
+ - namespaceSelector:
+ matchExpressions:
+ - key: lagoon.sh/environment
+ operator: Exists
+ podSelector:
+ matchExpressions:
+ - key: lagoon.sh/buildName
+ operator: Exists
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname
+ # template
+ name:
+
+podSecurityContext: {}
+
+securityContext:
+ privileged: true
+ seLinuxOptions:
+ # Ensures selinux relabeling is disabled, this would case the container never to start
+ # as there can be so many files in the persistent storage
+ type: spc_t
+
+resources: {}
+
+service:
+ type: ClusterIP
+ port: 2375
+
+tolerations:
+- key: lagoon/build
+ effect: NoSchedule
+ operator: Exists
+- key: lagoon/build
+ effect: PreferNoSchedule
+ operator: Exists
+- key: lagoon.sh/build
+ effect: NoSchedule
+ operator: Exists
+- key: lagoon.sh/build
+ effect: PreferNoSchedule
+ operator: Exists
From 99a1602cd94d72d1fed5170ce2e7c992f553de63 Mon Sep 17 00:00:00 2001 
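Review bot: `privileged: true` under `securityContext` is the shipped default and carries no comment on why it is required or what it implies, unlike `seLinuxOptions` directly below it which is explained; a privileged container has unrestricted access to its node, and on clusters that enforce Pod Security Admission at `baseline` or `restricted` the pod will be rejected unless the namespace is labelled to permit it (inferred from upstream Kubernetes behaviour, not visible in this chart). Suggest `# privileged is required to run the docker daemon; the target namespace must permit privileged pods (PSA "privileged" level, or on OpenShift the SCC granted by docker-host.clusterrole.yaml when global.openshift is true)`. Minor: `name: docker-host` at the top is not read by any template in this commit, and the comments have typos, `suport`, `specify storage class` (specific), `would case` (cause), that the hunk's fixed-name Service and test rely on nobody noticing.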
From: Toby Bellwood Date: Tue, 20 Jun 2023 14:27:34 +1000 Subject: [PATCH 02/35] remove lagoon-gatekeeper chart --- charts/lagoon-gatekeeper/.gitignore | 1 - charts/lagoon-gatekeeper/.helmignore | 23 - charts/lagoon-gatekeeper/Chart.lock | 6 - charts/lagoon-gatekeeper/Chart.yaml | 25 - charts/lagoon-gatekeeper/README.md | 29 - .../lagoon-gatekeeper/ci/linter-values.yaml | 0 .../lagoon-gatekeeper/templates/_helpers.tpl | 64 - .../lagoon-gatekeeper/templates/config.yaml | 18 - .../templates/constraint.job.yaml | 36 - .../templates/constrainttemplate.yaml | 1581 ----------------- ...p-pods-allowed-user-ranges.constraint.yaml | 30 - charts/lagoon-gatekeeper/values.yaml | 20 - 12 files changed, 1833 deletions(-) delete mode 100644 charts/lagoon-gatekeeper/.gitignore delete mode 100644 charts/lagoon-gatekeeper/.helmignore delete mode 100644 charts/lagoon-gatekeeper/Chart.lock delete mode 100644 charts/lagoon-gatekeeper/Chart.yaml delete mode 100644 charts/lagoon-gatekeeper/README.md delete mode 100644 charts/lagoon-gatekeeper/ci/linter-values.yaml delete mode 100644 charts/lagoon-gatekeeper/templates/_helpers.tpl delete mode 100644 charts/lagoon-gatekeeper/templates/config.yaml delete mode 100644 charts/lagoon-gatekeeper/templates/constraint.job.yaml delete mode 100644 charts/lagoon-gatekeeper/templates/constrainttemplate.yaml delete mode 100644 charts/lagoon-gatekeeper/templates/psp-pods-allowed-user-ranges.constraint.yaml delete mode 100644 charts/lagoon-gatekeeper/values.yaml diff --git a/charts/lagoon-gatekeeper/.gitignore b/charts/lagoon-gatekeeper/.gitignore deleted file mode 100644 index 413d4a36..00000000 --- a/charts/lagoon-gatekeeper/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/charts diff --git a/charts/lagoon-gatekeeper/.helmignore b/charts/lagoon-gatekeeper/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/charts/lagoon-gatekeeper/.helmignore +++ /dev/null 
@@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/lagoon-gatekeeper/Chart.lock b/charts/lagoon-gatekeeper/Chart.lock deleted file mode 100644 index 62363e1b..00000000 --- a/charts/lagoon-gatekeeper/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: gatekeeper - repository: https://open-policy-agent.github.io/gatekeeper/charts - version: 3.3.0 -digest: sha256:bd9188f62f77ce3297e59f54d845d3a31c782634be4aebb07174f00a74e647d3 -generated: "2021-02-04T15:05:32.015308647+08:00" diff --git a/charts/lagoon-gatekeeper/Chart.yaml b/charts/lagoon-gatekeeper/Chart.yaml deleted file mode 100644 index f743d99c..00000000 --- a/charts/lagoon-gatekeeper/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v2 -name: lagoon-gatekeeper -description: - A Helm chart for Kubernetes that installs the gatekeeper admission controller - and policy for Lagoon. -home: https://github.com/amazeeio/charts -icon: https://raw.githubusercontent.com/uselagoon/lagoon-charts/main/icon.png -maintainers: -- name: smlx - email: scott.leggett@amazee.io - url: https://amazee.io -kubeVersion: "< 1.22.0-0" -deprecated: true - -type: application - -version: 0.4.0 - -# appVersion reflects the gatekeeper-library version -appVersion: 2e5e92f - -dependencies: -- name: gatekeeper - repository: https://open-policy-agent.github.io/gatekeeper/charts - version: ~3.3.0 diff --git a/charts/lagoon-gatekeeper/README.md b/charts/lagoon-gatekeeper/README.md deleted file mode 100644 index 8a13d164..00000000 --- a/charts/lagoon-gatekeeper/README.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Lagoon Gatekeeper - -This chart installs the [gatekeeper](https://github.com/open-policy-agent/gatekeeper) admission controller as well as policies tailored for Lagoon. - -## Installation - -Gatekeeper works by generating CRDs of `constraints` from `constrainttemplates`. -This means that when you first install Gatekeeper, the CRDs are not created until Gatekeeper parses the configured `constrainttemplates` and creates the associated CRDs. - -For this reason this chart must be installed in two stages: - -1. install chart with default values. Wait for gatekeeper to create the `*.constraints.gatekeeper.sh` CRDs (`kubectl get crd -w`). -2. install with `--set=constraints.create=true`. - -The `constraints.create=false` value stops the chart from trying to create any custom resources which aren't yet defined. - -## Policy and chart configuration - -There is currently no other configuration for this chart. - -Policies will be applied to namespaces with a `lagoon.sh/project` label. - -## About - -The constraint templates are taken from [gatekeeper-library](https://github.com/open-policy-agent/gatekeeper-library) and generated via: - -``` -kustomize build library > templates/constrainttemplate.yaml -``` diff --git a/charts/lagoon-gatekeeper/ci/linter-values.yaml b/charts/lagoon-gatekeeper/ci/linter-values.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/lagoon-gatekeeper/templates/_helpers.tpl b/charts/lagoon-gatekeeper/templates/_helpers.tpl deleted file mode 100644 index 57876ab3..00000000 --- a/charts/lagoon-gatekeeper/templates/_helpers.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "lagoon-gatekeeper.name" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "lagoon-gatekeeper.fullname" -}} -{{- if contains .Chart.Name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} - -{{/* -Append a suffix to the fully qualified app name without hitting length limits of 63 (62 plus hyphen). -*/}} -{{- define "lagoon-gatekeeper.fullname.suffix" -}} -{{ include "lagoon-gatekeeper.fullname" . | trunc (sub 62 (len .suffix) | int) }}-{{ .suffix }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "lagoon-gatekeeper.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "lagoon-gatekeeper.labels" -}} -helm.sh/chart: {{ include "lagoon-gatekeeper.chart" . }} -{{ include "lagoon-gatekeeper.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "lagoon-gatekeeper.selectorLabels" -}} -app.kubernetes.io/name: {{ include "lagoon-gatekeeper.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "lagoon-gatekeeper.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "lagoon-gatekeeper.fullname" .) 
.Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/charts/lagoon-gatekeeper/templates/config.yaml b/charts/lagoon-gatekeeper/templates/config.yaml deleted file mode 100644 index 692baf66..00000000 --- a/charts/lagoon-gatekeeper/templates/config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: config.gatekeeper.sh/v1alpha1 -kind: Config -metadata: - # NOTE: this _must_ be named config since it is a singleton resource as per - # https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/controller/config/config_controller.go#L199-L202 - name: config - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} - namespace: "gatekeeper-system" -spec: - sync: - syncOnly: - - group: "" - version: "v1" - kind: "Namespace" - - group: "" - version: "v1" - kind: "Pod" diff --git a/charts/lagoon-gatekeeper/templates/constraint.job.yaml b/charts/lagoon-gatekeeper/templates/constraint.job.yaml deleted file mode 100644 index 8ccbfc81..00000000 --- a/charts/lagoon-gatekeeper/templates/constraint.job.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "lagoon-gatekeeper.fullname.suffix" (merge (dict "suffix" "wait-for-constraint-crd") .) }} - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation -spec: - backoffLimit: 1 - template: - metadata: - name: {{ include "lagoon-gatekeeper.fullname.suffix" (merge (dict "suffix" "wait-for-constraint-crd") .) }} - labels: - {{- include "lagoon-gatekeeper.selectorLabels" . | nindent 8 }} - spec: - restartPolicy: Never - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: kubectl - securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} - image: "{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}" - command: - - "sh" - - "-c" - - | - # wait 2 minutes for the CRD - for n in $(seq 12); do - kubectl api-resources | grep k8spspallowedusers && exit 0; - sleep 10; - done - exit 1 diff --git a/charts/lagoon-gatekeeper/templates/constrainttemplate.yaml b/charts/lagoon-gatekeeper/templates/constrainttemplate.yaml deleted file mode 100644 index 2902cd65..00000000 --- a/charts/lagoon-gatekeeper/templates/constrainttemplate.yaml +++ /dev/null 
@@ -1,1581 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires container images to begin with a repo string from a specified list. - name: k8sallowedrepos - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sAllowedRepos - validation: - openAPIV3Schema: - properties: - repos: - items: - type: string - type: array - targets: - - rego: | - package k8sallowedrepos - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] - not any(satisfied) - msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) - } - - violation[{"msg": msg}] { - container := input.review.object.spec.initContainers[_] - satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] - not any(satisfied) - msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Disallows all Services with type NodePort. - name: k8sblocknodeport - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sBlockNodePort - targets: - - rego: | - package k8sblocknodeport - - violation[{"msg": msg}] { - input.review.kind.kind == "Service" - input.review.object.spec.type == "NodePort" - msg := "User is not allowed to create service of type NodePort" - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires containers to have memory and CPU limits set and within a specified maximum amount. - name: k8scontainerlimits - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sContainerLimits - validation: - openAPIV3Schema: - properties: - cpu: - type: string - memory: - type: string - targets: - - rego: | - package k8scontainerlimits - - missing(obj, field) = true { - not obj[field] - } - - missing(obj, field) = true { - obj[field] == "" - } - - canonify_cpu(orig) = new { - is_number(orig) - new := orig * 1000 - } - - canonify_cpu(orig) = new { - not is_number(orig) - endswith(orig, "m") - new := to_number(replace(orig, "m", "")) - } - - canonify_cpu(orig) = new { - not is_number(orig) - not endswith(orig, "m") - re_match("^[0-9]+$", orig) - new := to_number(orig) * 1000 - } - - # 10 ** 21 - mem_multiple("E") = 1000000000000000000000 { true } - - # 10 ** 18 - mem_multiple("P") = 1000000000000000000 { true } - - # 10 ** 15 - mem_multiple("T") = 1000000000000000 { true } - - # 10 ** 12 - mem_multiple("G") = 1000000000000 { true } - - # 10 ** 9 - mem_multiple("M") = 1000000000 { true } - - # 10 ** 6 - mem_multiple("k") = 1000000 { true } - - # 10 ** 3 - mem_multiple("") = 1000 { true } - - # Kubernetes accepts millibyte precision when it probably shouldn't. 
- # https://github.com/kubernetes/kubernetes/issues/28741 - # 10 ** 0 - mem_multiple("m") = 1 { true } - - # 1000 * 2 ** 10 - mem_multiple("Ki") = 1024000 { true } - - # 1000 * 2 ** 20 - mem_multiple("Mi") = 1048576000 { true } - - # 1000 * 2 ** 30 - mem_multiple("Gi") = 1073741824000 { true } - - # 1000 * 2 ** 40 - mem_multiple("Ti") = 1099511627776000 { true } - - # 1000 * 2 ** 50 - mem_multiple("Pi") = 1125899906842624000 { true } - - # 1000 * 2 ** 60 - mem_multiple("Ei") = 1152921504606846976000 { true } - - get_suffix(mem) = suffix { - not is_string(mem) - suffix := "" - } - - get_suffix(mem) = suffix { - is_string(mem) - count(mem) > 0 - suffix := substring(mem, count(mem) - 1, -1) - mem_multiple(suffix) - } - - get_suffix(mem) = suffix { - is_string(mem) - count(mem) > 1 - suffix := substring(mem, count(mem) - 2, -1) - mem_multiple(suffix) - } - - get_suffix(mem) = suffix { - is_string(mem) - count(mem) > 1 - not mem_multiple(substring(mem, count(mem) - 1, -1)) - not mem_multiple(substring(mem, count(mem) - 2, -1)) - suffix := "" - } - - get_suffix(mem) = suffix { - is_string(mem) - count(mem) == 1 - not mem_multiple(substring(mem, count(mem) - 1, -1)) - suffix := "" - } - - get_suffix(mem) = suffix { - is_string(mem) - count(mem) == 0 - suffix := "" - } - - canonify_mem(orig) = new { - is_number(orig) - new := orig * 1000 - } - - canonify_mem(orig) = new { - not is_number(orig) - suffix := get_suffix(orig) - raw := replace(orig, suffix, "") - re_match("^[0-9]+$", raw) - new := to_number(raw) * mem_multiple(suffix) - } - - violation[{"msg": msg}] { - general_violation[{"msg": msg, "field": "containers"}] - } - - violation[{"msg": msg}] { - general_violation[{"msg": msg, "field": "initContainers"}] - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - cpu_orig := container.resources.limits.cpu - not canonify_cpu(cpu_orig) - msg := sprintf("container <%v> cpu limit <%v> could not be parsed", 
[container.name, cpu_orig]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - mem_orig := container.resources.limits.memory - not canonify_mem(mem_orig) - msg := sprintf("container <%v> memory limit <%v> could not be parsed", [container.name, mem_orig]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - not container.resources - msg := sprintf("container <%v> has no resource limits", [container.name]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - not container.resources.limits - msg := sprintf("container <%v> has no resource limits", [container.name]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - missing(container.resources.limits, "cpu") - msg := sprintf("container <%v> has no cpu limit", [container.name]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - missing(container.resources.limits, "memory") - msg := sprintf("container <%v> has no memory limit", [container.name]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - cpu_orig := container.resources.limits.cpu - cpu := canonify_cpu(cpu_orig) - max_cpu_orig := input.parameters.cpu - max_cpu := canonify_cpu(max_cpu_orig) - cpu > max_cpu - msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig]) - } - - general_violation[{"msg": msg, "field": field}] { - container := input.review.object.spec[field][_] - mem_orig := container.resources.limits.memory - mem := canonify_mem(mem_orig) - max_mem_orig := input.parameters.memory - max_mem := canonify_mem(max_mem_orig) - mem > max_mem - msg := sprintf("container <%v> memory limit <%v> is higher than the maximum allowed of <%v>", 
[container.name, mem_orig, max_mem_orig]) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires Ingress resources to be HTTPS only; TLS configuration should be set and `kubernetes.io/ingress.allow-http` annotation equals false. - name: k8shttpsonly - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sHttpsOnly - targets: - - rego: | - package k8shttpsonly - - violation[{"msg": msg}] { - input.review.object.kind == "Ingress" - re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion) - ingress := input.review.object - not https_complete(ingress) - msg := sprintf("Ingress should be https. tls configuration and allow-http=false annotation are required for %v", [ingress.metadata.name]) - } - - https_complete(ingress) = true { - ingress.spec["tls"] - count(ingress.spec.tls) > 0 - ingress.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false" - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires container images to contain a digest. - name: k8simagedigests - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sImageDigests - targets: - - rego: | - package k8simagedigests - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)] - not all(satisfied) - msg := sprintf("container <%v> uses an image without a digest <%v>", [container.name, container.image]) - } - - violation[{"msg": msg}] { - container := input.review.object.spec.initContainers[_] - satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)] - not all(satisfied) - msg := sprintf("initContainer <%v> uses an image without a digest <%v>", [container.name, container.image]) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the user and group IDs of the container. - name: k8spspallowedusers - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPAllowedUsers - validation: - openAPIV3Schema: - properties: - fsGroup: - properties: - ranges: - items: - properties: - max: - type: integer - min: - type: integer - type: object - type: array - rule: - type: string - type: object - runAsGroup: - properties: - ranges: - items: - properties: - max: - type: integer - min: - type: integer - type: object - type: array - rule: - type: string - type: object - runAsUser: - properties: - ranges: - items: - properties: - max: - type: integer - min: - type: integer - type: object - type: array - rule: - type: string - type: object - supplementalGroups: - properties: - ranges: - items: - properties: - max: - type: integer - min: - type: integer - type: object - type: array - rule: - type: string - type: object - targets: - - rego: | - package k8spspallowedusers - - violation[{"msg": msg}] { - fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] - field := fields[_] - container := input_containers[_] - msg := get_type_violation(field, container) - } - - get_type_violation(field, container) = msg { - field == "runAsUser" - params := input.parameters[field] - msg := get_user_violation(params, container) - } - - get_type_violation(field, container) = msg { - field != "runAsUser" - params := input.parameters[field] - msg := get_violation(field, params, container) - } - - # RunAsUser (separate due to "MustRunAsNonRoot") - get_user_violation(params, container) = msg { - rule := params.rule - provided_user := get_field_value("runAsUser", container, input.review) - not accept_users(rule, provided_user) - msg := sprintf("Container %v is attempting to run as disallowed user %v. 
Allowed runAsUser: %v", [container.name, provided_user, params]) - } - - get_user_violation(params, container) = msg { - not get_field_value("runAsUser", container, input.review) - params.rule != "RunAsAny" - msg := sprintf("Container %v is attempting to run without a required securityContext/runAsUser. Allowed runAsUser: %v", [container.name, params]) - } - - accept_users("RunAsAny", provided_user) {true} - - accept_users("MustRunAsNonRoot", provided_user) = res {res := provided_user != 0} - - accept_users("MustRunAs", provided_user) = res { - ranges := input.parameters.runAsUser.ranges - res := is_in_range(provided_user, ranges) - } - - # Group Options - get_violation(field, params, container) = msg { - rule := params.rule - provided_value := get_field_value(field, container, input.review) - not is_array(provided_value) - not accept_value(rule, provided_value, params.ranges) - msg := sprintf("Container %v is attempting to run as disallowed group %v. Allowed %v: %v", [container.name, provided_value, field, params]) - } - # SupplementalGroups is array value - get_violation(field, params, container) = msg { - rule := params.rule - array_value := get_field_value(field, container, input.review) - is_array(array_value) - provided_value := array_value[_] - not accept_value(rule, provided_value, params.ranges) - msg := sprintf("Container %v is attempting to run with disallowed supplementalGroups %v. Allowed %v: %v", [container.name, array_value, field, params]) - } - - get_violation(field, params, container) = msg { - not get_field_value(field, container, input.review) - params.rule == "MustRunAs" - msg := sprintf("Container %v is attempting to run without a required securityContext/%v. 
Allowed %v: %v", [container.name, field, field, params]) - } - - accept_value("RunAsAny", provided_value, ranges) {true} - - accept_value("MayRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} - - accept_value("MustRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} - - - # If container level is provided, that takes precedence - get_field_value(field, container, review) = out { - container_value := get_seccontext_field(field, container) - out := container_value - } - - # If no container level exists, use pod level - get_field_value(field, container, review) = out { - not get_seccontext_field(field, container) - review.kind.kind == "Pod" - pod_value := get_seccontext_field(field, review.object.spec) - out := pod_value - } - - # Helper Functions - is_in_range(val, ranges) = res { - matching := {1 | val >= ranges[j].min; val <= ranges[j].max} - res := count(matching) > 0 - } - - get_seccontext_field(field, obj) = out { - out = obj.securityContext[field] - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls restricting escalation to root privileges. - name: k8spspallowprivilegeescalationcontainer - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPAllowPrivilegeEscalationContainer - targets: - - rego: | - package k8spspallowprivilegeescalationcontainer - - violation[{"msg": msg, "details": {}}] { - c := input_containers[_] - input_allow_privilege_escalation(c) - msg := sprintf("Privilege escalation container is not allowed: %v", [c.name]) - } - - input_allow_privilege_escalation(c) { - not has_field(c, "securityContext") - } - input_allow_privilege_escalation(c) { - not c.securityContext.allowPrivilegeEscalation == false - } - input_containers[c] { - c := input.review.object.spec.containers[_] - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the AppArmor profile used by containers. - name: k8spspapparmor - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPAppArmor - validation: - openAPIV3Schema: - properties: - allowedProfiles: - items: - type: string - type: array - targets: - - rego: | - package k8spspapparmor - - violation[{"msg": msg, "details": {}}] { - metadata := input.review.object.metadata - container := input_containers[_] - not input_apparmor_allowed(container, metadata) - msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. 
Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles]) - } - - input_apparmor_allowed(container, metadata) { - metadata.annotations[key] == input.parameters.allowedProfiles[_] - key == sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name]) - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls Linux capabilities. - name: k8spspcapabilities - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPCapabilities - validation: - openAPIV3Schema: - properties: - allowedCapabilities: - items: - type: string - type: array - requiredDropCapabilities: - items: - type: string - type: array - targets: - - rego: | - package capabilities - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - has_disallowed_capabilities(container) - msg := sprintf("container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")]) - } - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - missing_drop_capabilities(container) - msg := sprintf("container <%v> is not dropping all required capabilities. Container must drop all of %v", [container.name, input.parameters.requiredDropCapabilities]) - } - - - violation[{"msg": msg}] { - container := input.review.object.spec.initContainers[_] - has_disallowed_capabilities(container) - msg := sprintf("init container <%v> has a disallowed capability. 
Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")]) - } - - violation[{"msg": msg}] { - container := input.review.object.spec.initContainers[_] - missing_drop_capabilities(container) - msg := sprintf("init container <%v> is not dropping all required capabilities. Container must drop all of %v", [container.name, input.parameters.requiredDropCapabilities]) - } - - - has_disallowed_capabilities(container) { - allowed := {c | c := input.parameters.allowedCapabilities[_]} - not allowed["*"] - capabilities := {c | c := container.securityContext.capabilities.add[_]} - count(capabilities - allowed) > 0 - } - - missing_drop_capabilities(container) { - must_drop := {c | c := input.parameters.requiredDropCapabilities[_]} - dropped := {c | c := container.securityContext.capabilities.drop[_]} - count(must_drop - dropped) > 0 - } - - get_default(obj, param, _default) = out { - out = obj[param] - } - - get_default(obj, param, _default) = out { - not obj[param] - not obj[param] == false - out = _default - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the allowlist of Flexvolume drivers. - name: k8spspflexvolumes - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPFlexVolumes - validation: - openAPIV3Schema: - properties: - allowedFlexVolumes: - items: - properties: - driver: - type: string - type: object - type: array - targets: - - rego: | - package k8spspflexvolumes - - violation[{"msg": msg, "details": {}}] { - volume := input_flexvolumes[_] - not input_flexvolumes_allowed(volume) - msg := sprintf("FlexVolume %v is not allowed, pod: %v. 
Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) - } - - input_flexvolumes_allowed(volume) { - input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver - } - - input_flexvolumes[v] { - v := input.review.object.spec.volumes[_] - has_field(v, "flexVolume") - } - - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the `sysctl` profile used by containers. - name: k8spspforbiddensysctls - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPForbiddenSysctls - validation: - openAPIV3Schema: - properties: - forbiddenSysctls: - items: - type: string - type: array - targets: - - rego: | - package k8spspforbiddensysctls - - violation[{"msg": msg, "details": {}}] { - sysctl := input.review.object.spec.securityContext.sysctls[_].name - forbidden_sysctl(sysctl) - msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) - } - - # * may be used to forbid all sysctls - forbidden_sysctl(sysctl) { - input.parameters.forbiddenSysctls[_] == "*" - } - - forbidden_sysctl(sysctl) { - input.parameters.forbiddenSysctls[_] == sysctl - } - - forbidden_sysctl(sysctl) { - startswith(sysctl, trim(input.parameters.forbiddenSysctls[_], "*")) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls allocating an FSGroup that owns the Pod's volumes. - name: k8spspfsgroup - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPFSGroup - validation: - openAPIV3Schema: - properties: - ranges: - items: - properties: - max: - type: integer - min: - type: integer - type: object - type: array - rule: - type: string - targets: - - rego: | - package k8spspfsgroup - - violation[{"msg": msg, "details": {}}] { - spec := input.review.object.spec - not input_fsGroup_allowed(spec) - msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) - } - - input_fsGroup_allowed(spec) { - # RunAsAny - No range is required. Allows any fsGroup ID to be specified. - input.parameters.rule == "RunAsAny" - } - input_fsGroup_allowed(spec) { - # MustRunAs - Validates pod spec fsgroup against all ranges - input.parameters.rule == "MustRunAs" - fg := spec.securityContext.fsGroup - count(input.parameters.ranges) > 0 - range := input.parameters.ranges[_] - value_within_range(range, fg) - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - not has_field(spec, "securityContext") - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - not spec.securityContext.fsGroup - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - fg := spec.securityContext.fsGroup - count(input.parameters.ranges) > 0 - range := input.parameters.ranges[_] - value_within_range(range, fg) - } - value_within_range(range, value) { - range.min <= value - range.max >= value - } - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: 
templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls usage of the host filesystem. - name: k8spsphostfilesystem - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPHostFilesystem - validation: - openAPIV3Schema: - properties: - allowedHostPaths: - items: - properties: - pathPrefix: - type: string - readOnly: - type: boolean - type: object - type: array - targets: - - rego: | - package k8spsphostfilesystem - - violation[{"msg": msg, "details": {}}] { - volume := input_hostpath_volumes[_] - allowedPaths := get_allowed_paths(input) - input_hostpath_violation(allowedPaths, volume) - msg := sprintf("HostPath volume %v is not allowed, pod: %v. Allowed path: %v", [volume, input.review.object.metadata.name, allowedPaths]) - } - - input_hostpath_violation(allowedPaths, volume) { - # An empty list means all host paths are blocked - allowedPaths == [] - } - input_hostpath_violation(allowedPaths, volume) { - not input_hostpath_allowed(allowedPaths, volume) - } - - get_allowed_paths(arg) = out { - not arg.parameters - out = [] - } - get_allowed_paths(arg) = out { - not arg.parameters.allowedHostPaths - out = [] - } - get_allowed_paths(arg) = out { - out = arg.parameters.allowedHostPaths - } - - input_hostpath_allowed(allowedPaths, volume) { - allowedHostPath := allowedPaths[_] - path_matches(allowedHostPath.pathPrefix, volume.hostPath.path) - not allowedHostPath.readOnly == true - } - - input_hostpath_allowed(allowedPaths, volume) { - allowedHostPath := allowedPaths[_] - path_matches(allowedHostPath.pathPrefix, volume.hostPath.path) - allowedHostPath.readOnly - not writeable_input_volume_mounts(volume.name) - } - - writeable_input_volume_mounts(volume_name) { - container := input_containers[_] - mount := container.volumeMounts[_] - mount.name == volume_name - not mount.readOnly - } - - # This allows "/foo", "/foo/", "/foo/bar" etc., but - # disallows "/fool", 
"/etc/foo" etc. - path_matches(prefix, path) { - a := split(trim(prefix, "/"), "/") - b := split(trim(path, "/"), "/") - prefix_matches(a, b) - } - prefix_matches(a, b) { - count(a) <= count(b) - not any_not_equal_upto(a, b, count(a)) - } - - any_not_equal_upto(a, b, n) { - a[i] != b[i] - i < n - } - - input_hostpath_volumes[v] { - v := input.review.object.spec.volumes[_] - has_field(v, "hostPath") - } - - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - input_containers[c] { - c := input.review.object.spec.containers[_] - } - - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls usage of host namespaces. - name: k8spsphostnamespace - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPHostNamespace - targets: - - rego: | - package k8spsphostnamespace - - violation[{"msg": msg, "details": {}}] { - input_share_hostnamespace(input.review.object) - msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) - } - - input_share_hostnamespace(o) { - o.spec.hostPID - } - input_share_hostnamespace(o) { - o.spec.hostIPC - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls usage of host networking and ports. - name: k8spsphostnetworkingports - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPHostNetworkingPorts - validation: - openAPIV3Schema: - properties: - hostNetwork: - type: boolean - max: - type: integer - min: - type: integer - targets: - - rego: | - package k8spsphostnetworkingports - - violation[{"msg": msg, "details": {}}] { - input_share_hostnetwork(input.review.object) - msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) - } - - input_share_hostnetwork(o) { - not input.parameters.hostNetwork - o.spec.hostNetwork - } - - input_share_hostnetwork(o) { - hostPort := input_containers[_].ports[_].hostPort - hostPort < input.parameters.min - } - - input_share_hostnetwork(o) { - hostPort := input_containers[_].ports[_].hostPort - hostPort > input.parameters.max - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls running of privileged containers. - name: k8spspprivilegedcontainer - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPPrivilegedContainer - targets: - - rego: | - package k8spspprivileged - - violation[{"msg": msg, "details": {}}] { - c := input_containers[_] - c.securityContext.privileged - msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext]) - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the allowed `procMount` types for the container. - name: k8spspprocmount - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPProcMount - validation: - openAPIV3Schema: - properties: - procMount: - type: string - targets: - - rego: | - package k8spspprocmount - - violation[{"msg": msg, "details": {}}] { - c := input_containers[_] - allowedProcMount := get_allowed_proc_mount(input) - not input_proc_mount_type_allowed(allowedProcMount, c) - msg := sprintf("ProcMount type is not allowed, container: %v. 
Allowed procMount types: %v", [c.name, allowedProcMount]) - } - - input_proc_mount_type_allowed(allowedProcMount, c) { - allowedProcMount == "default" - lower(c.securityContext.procMount) == "default" - } - input_proc_mount_type_allowed(allowedProcMount, c) { - allowedProcMount == "unmasked" - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - c.securityContext.procMount - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - c.securityContext.procMount - } - - get_allowed_proc_mount(arg) = out { - not arg.parameters - out = "default" - } - get_allowed_proc_mount(arg) = out { - not arg.parameters.procMount - out = "default" - } - get_allowed_proc_mount(arg) = out { - not valid_proc_mount(arg.parameters.procMount) - out = "default" - } - get_allowed_proc_mount(arg) = out { - out = lower(arg.parameters.procMount) - } - - valid_proc_mount(str) { - lower(str) == "default" - } - valid_proc_mount(str) { - lower(str) == "unmasked" - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires the use of a read only root file system. - name: k8spspreadonlyrootfilesystem - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPReadOnlyRootFilesystem - targets: - - rego: | - package k8spspreadonlyrootfilesystem - - violation[{"msg": msg, "details": {}}] { - c := input_containers[_] - input_read_only_root_fs(c) - msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name]) - } - - input_read_only_root_fs(c) { - not has_field(c, "securityContext") - } - input_read_only_root_fs(c) { - not c.securityContext.readOnlyRootFilesystem == true - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the seccomp profile used by containers. - name: k8spspseccomp - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPSeccomp - validation: - openAPIV3Schema: - properties: - allowedProfiles: - items: - type: string - type: array - targets: - - rego: | - package k8spspseccomp - - violation[{"msg": msg, "details": {}}] { - metadata := input.review.object.metadata - not input_wildcard_allowed(metadata) - container := input_containers[_] - not input_container_allowed(metadata, container) - msg := sprintf("Seccomp profile is not allowed, pod: %v, container: %v, Allowed profiles: %v", [metadata.name, container.name, input.parameters.allowedProfiles]) - } - - input_wildcard_allowed(metadata) { - input.parameters.allowedProfiles[_] == "*" - } - - input_container_allowed(metadata, container) { - not get_container_profile(metadata, container) - metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] == input.parameters.allowedProfiles[_] - } - - input_container_allowed(metadata, container) { - profile := get_container_profile(metadata, container) - profile == input.parameters.allowedProfiles[_] - } - - get_container_profile(metadata, container) = profile { - value := metadata.annotations[key] - startswith(key, "container.seccomp.security.alpha.kubernetes.io/") - [prefix, name] := split(key, "/") - name == container.name - profile = value - } - - input_containers[c] { - c := input.review.object.spec.containers[_] - } - input_containers[c] { - c := input.review.object.spec.initContainers[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls the SELinux context of the container. - name: k8spspselinuxv2 - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPSELinuxV2 - validation: - openAPIV3Schema: - properties: - allowedSELinuxOptions: - items: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - type: array - targets: - - rego: | - package k8spspselinux - - # Disallow top level custom SELinux options - violation[{"msg": msg, "details": {}}] { - has_field(input.review.object.spec.securityContext, "seLinuxOptions") - not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) - msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) - } - # Disallow container level custom SELinux options - violation[{"msg": msg, "details": {}}] { - c := input_security_context[_] - has_field(c.securityContext, "seLinuxOptions") - not input_seLinuxOptions_allowed(c.securityContext.seLinuxOptions) - msg := sprintf("SELinux options is not allowed, pod: %v, container %v. 
Allowed options: %v", [input.review.object.metadata.name, c.name, input.parameters.allowedSELinuxOptions]) - } - - input_seLinuxOptions_allowed(options) { - params := input.parameters.allowedSELinuxOptions[_] - field_allowed("level", options, params) - field_allowed("role", options, params) - field_allowed("type", options, params) - field_allowed("user", options, params) - } - - field_allowed(field, options, params) { - params[field] == options[field] - } - field_allowed(field, options, params) { - not has_field(options, field) - } - - input_security_context[c] { - c := input.review.object.spec.containers[_] - has_field(c.securityContext, "seLinuxOptions") - } - input_security_context[c] { - c := input.review.object.spec.initContainers[_] - has_field(c.securityContext, "seLinuxOptions") - } - - # has_field returns whether an object has a field - has_field(object, field) = true { - object[field] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Controls usage of volume types. - name: k8spspvolumetypes - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sPSPVolumeTypes - validation: - openAPIV3Schema: - properties: - volumes: - items: - type: string - type: array - targets: - - rego: | - package k8spspvolumetypes - - violation[{"msg": msg, "details": {}}] { - volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} - field := volume_fields[_] - not input_volume_type_allowed(field) - msg := sprintf("The volume type %v is not allowed, pod: %v. 
Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes]) - } - - # * may be used to allow all volume types - input_volume_type_allowed(field) { - input.parameters.volumes[_] == "*" - } - - input_volume_type_allowed(field) { - field == input.parameters.volumes[_] - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires all resources to contain a specified label with a value matching a provided regular expression. - name: k8srequiredlabels - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sRequiredLabels - validation: - openAPIV3Schema: - properties: - labels: - items: - properties: - allowedRegex: - type: string - key: - type: string - type: object - type: array - message: - type: string - targets: - - rego: | - package k8srequiredlabels - - get_message(parameters, _default) = msg { - not parameters.message - msg := _default - } - - get_message(parameters, _default) = msg { - msg := parameters.message - } - - violation[{"msg": msg, "details": {"missing_labels": missing}}] { - provided := {label | input.review.object.metadata.labels[label]} - required := {label | label := input.parameters.labels[_].key} - missing := required - provided - count(missing) > 0 - def_msg := sprintf("you must provide labels: %v", [missing]) - msg := get_message(input.parameters, def_msg) - } - - violation[{"msg": msg}] { - value := input.review.object.metadata.labels[key] - expected := input.parameters.labels[_] - expected.key == key - # do not match if allowedRegex is not defined, or is an empty string - expected.allowedRegex != "" - not re_match(expected.allowedRegex, value) - def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) - msg := get_message(input.parameters, def_msg) - } - target: admission.k8s.gatekeeper.sh ---- 
-apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires Pods to have readiness and/or liveness probes. - name: k8srequiredprobes - labels: - {{- include "lagoon-gatekeeper.labels" . | nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sRequiredProbes - validation: - openAPIV3Schema: - properties: - probeTypes: - items: - type: string - type: array - probes: - items: - type: string - type: array - targets: - - rego: | - package k8srequiredprobes - - probe_type_set = probe_types { - probe_types := {type | type := input.parameters.probeTypes[_]} - } - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - probe := input.parameters.probes[_] - probe_is_missing(container, probe) - msg := get_violation_message(container, input.review, probe) - } - - probe_is_missing(ctr, probe) = true { - not ctr[probe] - } - - probe_is_missing(ctr, probe) = true { - probe_field_empty(ctr, probe) - } - - probe_field_empty(ctr, probe) = true { - probe_fields := {field | ctr[probe][field]} - diff_fields := probe_type_set - probe_fields - count(diff_fields) == count(probe_type_set) - } - - get_violation_message(container, review, probe) = msg { - msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires all Ingress hosts to be unique. - name: k8suniqueingresshost - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sUniqueIngressHost - targets: - - rego: | - package k8suniqueingresshost - - identical(obj, review) { - obj.metadata.namespace == review.object.metadata.namespace - obj.metadata.name == review.object.metadata.name - } - - violation[{"msg": msg}] { - input.review.kind.kind == "Ingress" - re_match("^(extensions|networking.k8s.io)$", input.review.kind.group) - host := input.review.object.spec.rules[_].host - other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name] - re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion) - other.spec.rules[_].host == host - not identical(other, input.review) - msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host]) - } - target: admission.k8s.gatekeeper.sh ---- -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - annotations: - description: Requires Services to have unique selectors within a namespace. - name: k8suniqueserviceselector - labels: - {{- include "lagoon-gatekeeper.labels" . 
| nindent 4 }} -spec: - crd: - spec: - names: - kind: K8sUniqueServiceSelector - targets: - - rego: | - package k8suniqueserviceselector - - make_apiversion(kind) = apiVersion { - g := kind.group - v := kind.version - g != "" - apiVersion = sprintf("%v/%v", [g, v]) - } - - make_apiversion(kind) = apiVersion { - kind.group == "" - apiVersion = kind.version - } - - identical(obj, review) { - obj.metadata.namespace == review.namespace - obj.metadata.name == review.name - obj.kind == review.kind.kind - obj.apiVersion == make_apiversion(review.kind) - } - - flatten_selector(obj) = flattened { - selectors := [s | s = concat(":", [key, val]); val = obj.spec.selector[key]] - flattened := concat(",", sort(selectors)) - } - - violation[{"msg": msg}] { - input.review.kind.kind == "Service" - input.review.kind.version == "v1" - input.review.kind.group == "" - input_selector := flatten_selector(input.review.object) - other := data.inventory.namespace[namespace][_][_][name] - not identical(other, input.review) - other_selector := flatten_selector(other) - input_selector == other_selector - msg := sprintf("same selector as service <%v> in namespace <%v>", [name, namespace]) - } - target: admission.k8s.gatekeeper.sh diff --git a/charts/lagoon-gatekeeper/templates/psp-pods-allowed-user-ranges.constraint.yaml b/charts/lagoon-gatekeeper/templates/psp-pods-allowed-user-ranges.constraint.yaml deleted file mode 100644 index efac5830..00000000 --- a/charts/lagoon-gatekeeper/templates/psp-pods-allowed-user-ranges.constraint.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-apiVersion: constraints.gatekeeper.sh/v1beta1
-kind: K8sPSPAllowedUsers
-metadata:
- name: {{ include "lagoon-gatekeeper.fullname.suffix" (merge (dict "suffix" "psp-pods-allowed-user-ranges") .) }}
- labels:
- {{- include "lagoon-gatekeeper.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "1"
- "helm.sh/hook-delete-policy": before-hook-creation
-spec:
- match:
- kinds:
- - apiGroups: [""]
- kinds: ["Pod"]
- namespaceSelector:
- matchExpressions:
- - key: lagoon.sh/project
- operator: Exists
- parameters:
- runAsUser:
- rule: MustRunAs
- ranges:
- - min: 10000
- max: 60000
- fsGroup:
- rule: MustRunAs
- ranges:
- - min: 10000
- max: 60000
diff --git a/charts/lagoon-gatekeeper/values.yaml b/charts/lagoon-gatekeeper/values.yaml
deleted file mode 100644
index 349c5c9a..00000000
--- a/charts/lagoon-gatekeeper/values.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Default values for lagoon-gatekeeper.
-
-# The gatekeeper controller dynamically creates CRDs. We install our custom
-# resources to configure gatekeeper in a chart post-install hook, which waits
-# until the controller creates the CRDs. This kubectl image is used by this
-# hook.
-kubectl:
- image:
- repository: bitnami/kubectl
- tag: latest
-
-podSecurityContext: {}
-securityContext: {}
-
-# subchart options
-gatekeeper:
- # avoid hitting the k8s api for auditing
- auditFromCache: true
- # audit only - don't stop pods scheduling
- disableValidatingWebhook: true
From eb81bbd84a8f118e7dfeb7a7f413a2393511c494 Mon Sep 17 00:00:00 2001
From: Toby Bellwood Date: Tue, 20 Jun 2023 14:27:55 +1000 Subject: [PATCH 03/35] remove lagoon-insights-remote --- charts/lagoon-insights-remote/Chart.yaml | 34 -------- charts/lagoon-insights-remote/README.md | 3 - .../ci/linter-values.yaml | 3 - .../templates/NOTES.txt | 1 - .../templates/_helpers.tpl | 62 -------------- .../templates/clusterrole.yaml | 13 --- .../templates/clusterrolebinding.yaml | 12 --- .../templates/deployment.yaml | 67 --------------- .../templates/secrets.yaml | 10 --- .../templates/serviceaccount.yaml | 12 --- charts/lagoon-insights-remote/values.yaml | 82 ------------------- 11 files changed, 299 deletions(-) delete mode 100644 charts/lagoon-insights-remote/Chart.yaml delete mode 100644 charts/lagoon-insights-remote/README.md delete mode 100644 charts/lagoon-insights-remote/ci/linter-values.yaml delete mode 100644 charts/lagoon-insights-remote/templates/NOTES.txt delete mode 100644 charts/lagoon-insights-remote/templates/_helpers.tpl delete mode 100644 charts/lagoon-insights-remote/templates/clusterrole.yaml delete mode 100644 charts/lagoon-insights-remote/templates/clusterrolebinding.yaml delete mode 100644 charts/lagoon-insights-remote/templates/deployment.yaml delete mode 100644 charts/lagoon-insights-remote/templates/secrets.yaml delete mode 100644 charts/lagoon-insights-remote/templates/serviceaccount.yaml delete mode 100644 charts/lagoon-insights-remote/values.yaml diff --git a/charts/lagoon-insights-remote/Chart.yaml b/charts/lagoon-insights-remote/Chart.yaml deleted file mode 100644 index 37904b0a..00000000 --- a/charts/lagoon-insights-remote/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-apiVersion: v2
-name: lagoon-insights-remote
-description: DEPRECATED A Helm chart for Lagoon remote insights
-home: https://github.com/uselagoon/lagoon-charts
-icon: https://raw.githubusercontent.com/uselagoon/lagoon-charts/main/icon.png
-kubeVersion: ">= 1.19.0-0"
-# This sub-chart has been deprecated and will be replaced by a service in lagoon-remote
-deprecated: true
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.2
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: v0.0.3
-
-annotations:
- artifacthub.io/changes: |
- - kind: deprecated
- description: This chart has been deprecated
diff --git a/charts/lagoon-insights-remote/README.md b/charts/lagoon-insights-remote/README.md
deleted file mode 100644
index 73428974..00000000
--- a/charts/lagoon-insights-remote/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# DEPRECATED Lagoon Insights Remote
-
-This chart was originally consumed as a sub-chart of Lagoon Remote, but the service has instead been added as an optional service in a coming release.
diff --git a/charts/lagoon-insights-remote/ci/linter-values.yaml b/charts/lagoon-insights-remote/ci/linter-values.yaml
deleted file mode 100644
index 33b242f8..00000000
--- a/charts/lagoon-insights-remote/ci/linter-values.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-rabbitMQHostname: "messagebroker"
-rabbitMQPassword: "password"
-rabbitMQUsername: "user"
diff --git a/charts/lagoon-insights-remote/templates/NOTES.txt b/charts/lagoon-insights-remote/templates/NOTES.txt
deleted file mode 100644
index 59723d5f..00000000
--- a/charts/lagoon-insights-remote/templates/NOTES.txt
+++ /dev/null
@@ -1 +0,0 @@
-Lagoon Insights Remote is installed.
\ No newline at end of file
diff --git a/charts/lagoon-insights-remote/templates/_helpers.tpl b/charts/lagoon-insights-remote/templates/_helpers.tpl
deleted file mode 100644
index 2eefc33c..00000000
--- a/charts/lagoon-insights-remote/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "lagoon-insights-remote.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "lagoon-insights-remote.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "lagoon-insights-remote.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "lagoon-insights-remote.labels" -}} -helm.sh/chart: {{ include "lagoon-insights-remote.chart" . }} -{{ include "lagoon-insights-remote.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "lagoon-insights-remote.selectorLabels" -}} -app.kubernetes.io/name: {{ include "lagoon-insights-remote.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "lagoon-insights-remote.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "lagoon-insights-remote.fullname" .) 
.Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/charts/lagoon-insights-remote/templates/clusterrole.yaml b/charts/lagoon-insights-remote/templates/clusterrole.yaml
deleted file mode 100644
index cefad383..00000000
--- a/charts/lagoon-insights-remote/templates/clusterrole.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "lagoon-insights-remote.fullname" . }}-manager
- labels:
- {{- include "lagoon-insights-remote.labels" . | nindent 4 }}
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - "*"
\ No newline at end of file
diff --git a/charts/lagoon-insights-remote/templates/clusterrolebinding.yaml b/charts/lagoon-insights-remote/templates/clusterrolebinding.yaml
deleted file mode 100644
index 0a4cc013..00000000
--- a/charts/lagoon-insights-remote/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "lagoon-insights-remote.fullname" . }}-manager
-subjects:
-- kind: ServiceAccount
- name: {{ include "lagoon-insights-remote.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
-roleRef:
- kind: ClusterRole
- name: {{ include "lagoon-insights-remote.fullname" . }}-manager
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/lagoon-insights-remote/templates/deployment.yaml b/charts/lagoon-insights-remote/templates/deployment.yaml
deleted file mode 100644
index f1690734..00000000
--- a/charts/lagoon-insights-remote/templates/deployment.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "lagoon-insights-remote.fullname" . }} - labels: - {{- include "lagoon-insights-remote.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "lagoon-insights-remote.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "lagoon-insights-remote.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "lagoon-insights-remote.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - {{- if .Values.burnAfterReading }} - - name: BURN_AFTER_READING - value: "TRUE" - {{- end }} - - name: RABBITMQ_ADDRESS - value: {{ required "A valid .Values.rabbitMQHostname required!" .Values.rabbitMQHostname | quote }} - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "lagoon-insights-remote.fullname" . }}-rabbitmqsecret - key: password - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "lagoon-insights-remote.fullname" . }}-rabbitmqsecret - key: username - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . 
| nindent 8 }}
- {{- end }}
-
\ No newline at end of file
diff --git a/charts/lagoon-insights-remote/templates/secrets.yaml b/charts/lagoon-insights-remote/templates/secrets.yaml
deleted file mode 100644
index 7709090e..00000000
--- a/charts/lagoon-insights-remote/templates/secrets.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if .Values.rabbitMQPassword }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "lagoon-insights-remote.fullname" . }}-rabbitmqsecret
-type: kubernetes.io/basic-auth
-stringData:
- username: {{ required "A valid .Values.rabbitMQUsername required!" .Values.rabbitMQUsername | quote }}
- password: {{ required "A valid .Values.rabbitMQPassword required!" .Values.rabbitMQPassword | quote }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/lagoon-insights-remote/templates/serviceaccount.yaml b/charts/lagoon-insights-remote/templates/serviceaccount.yaml
deleted file mode 100644
index aa3b2d10..00000000
--- a/charts/lagoon-insights-remote/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "lagoon-insights-remote.serviceAccountName" . }}
- labels:
- {{- include "lagoon-insights-remote.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/lagoon-insights-remote/values.yaml b/charts/lagoon-insights-remote/values.yaml
deleted file mode 100644
index 6e5dbc8b..00000000
--- a/charts/lagoon-insights-remote/values.yaml
+++ /dev/null
@@ -1,82 +0,0 @@ -rabbitMQHostname: "" -rabbitMQPassword: "" -rabbitMQUsername: "" -# sets insights configMaps to be removed after being processed -burnAfterReading: true - -replicaCount: 1 - -image: - repository: uselagoon/insights-remote - pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 -# service: -# type: ClusterIP -# port: 80 -# ingress: -# enabled: false -# className: "" -# annotations: {} -# # kubernetes.io/ingress.class: nginx -# # kubernetes.io/tls-acme: "true" -# hosts: -# - host: chart-example.local -# paths: -# - path: / -# pathType: ImplementationSpecific -# tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} 
From becaf9477ba11ed54b24e8e520028a1d6b1528f8 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 20 Jun 2023 14:28:06 +1000 Subject: [PATCH 04/35] remove lagoon-monitoring --- helmfiles/lagoon-monitoring/auth.yaml.gotmpl | 14 - helmfiles/lagoon-monitoring/helmfile.yaml | 26 -- .../lagoon-monitoring/prometheus.yaml.gotmpl | 349 ------------------ helmfiles/lagoon-monitoring/values.yaml | 31 -- 4 files changed, 420 deletions(-) delete mode 100644 helmfiles/lagoon-monitoring/auth.yaml.gotmpl delete mode 100644 helmfiles/lagoon-monitoring/helmfile.yaml delete mode 100644 helmfiles/lagoon-monitoring/prometheus.yaml.gotmpl delete mode 100644 helmfiles/lagoon-monitoring/values.yaml diff --git a/helmfiles/lagoon-monitoring/auth.yaml.gotmpl b/helmfiles/lagoon-monitoring/auth.yaml.gotmpl deleted file mode 100644 index 63b341bc..00000000 --- a/helmfiles/lagoon-monitoring/auth.yaml.gotmpl +++ /dev/null @@ -1,14 +0,0 @@ -ingress: - enabled: true - annotations: - kubernetes.io/tls-acme: "true" - paths: ["/"] - hosts: - - {{ .Values.auth.host }} - tls: - - secretName: {{ .Values.auth.host }}-tls - hosts: - - {{ .Values.auth.host }} - -config: -{{- toYaml .Values.auth.vouchConfig | nindent 2 }} diff --git a/helmfiles/lagoon-monitoring/helmfile.yaml b/helmfiles/lagoon-monitoring/helmfile.yaml deleted file mode 100644 index 373f7570..00000000 --- a/helmfiles/lagoon-monitoring/helmfile.yaml +++ /dev/null @@ -1,26 +0,0 @@ -environments: - default: - values: - - values.yaml - - -releases: -- name: lagoon-monitoring - chart: prometheus-community/kube-prometheus-stack - namespace: {{ .Values.namespace }} - version: 10.1.1 - values: - - prometheus.yaml.gotmpl -- name: lagoon-monitoring-auth - chart: halkeye/vouch - namespace: {{ .Values.namespace }} - values: - - auth.yaml.gotmpl - condition: auth.enabled - - -repositories: -- name: "prometheus-community" - url: "https://prometheus-community.github.io/helm-charts" -- name: "halkeye" - url: "https://halkeye.github.io/helm-charts" 
diff --git a/helmfiles/lagoon-monitoring/prometheus.yaml.gotmpl b/helmfiles/lagoon-monitoring/prometheus.yaml.gotmpl
deleted file mode 100644
index ed0fe1d3..00000000
--- a/helmfiles/lagoon-monitoring/prometheus.yaml.gotmpl
+++ /dev/null
@@ -1,349 +0,0 @@ -## Create default rules for monitoring the cluster -## - -commonLabels: - lagoon.sh/component: monitoring - monitoring.lagoon.sh/monitorMe: "true" - -defaultRules: - create: true - rules: - prometheus: true - general: true - - alertmanager: false - etcd: false - k8s: false - kubeApiserver: false - kubeApiserverAvailability: false - kubeApiserverError: false - kubeApiserverSlos: false - kubelet: false - kubePrometheusGeneral: false - kubePrometheusNodeAlerting: false - kubePrometheusNodeRecording: false - kubernetesAbsent: false - kubernetesApps: false - kubernetesResources: false - kubernetesStorage: false - kubernetesSystem: false - kubeScheduler: false - kubeStateMetrics: false - network: false - node: false - prometheusOperator: false - time: false - -## Configuration for alertmanager -## ref: https://prometheus.io/docs/alerting/alertmanager/ -## -alertmanager: - - ## Deploy alertmanager - ## - enabled: true - - ingress: - enabled: true - annotations: - kubernetes.io/tls-acme: "true" - {{- if .Values.auth.enabled }} - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.auth.host }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err" - nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.auth.host }}/validate - nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User - nginx.ingress.kubernetes.io/auth-snippet: | - # these return values are used by the @error401 call - auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; - auth_request_set $auth_resp_err $upstream_http_x_vouch_err; - auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; - {{- end }} - hosts: - - {{ .Values.alertmanager.host }} - path: / - tls: - - secretName: {{ .Values.alertmanager.host }}-tls - hosts: - - {{ .Values.alertmanager.host }} - - alertmanagerSpec: - externalUrl: https://{{ .Values.alertmanager.host }} - - config: - route: - group_wait: 30s - 
group_interval: 5m - repeat_interval: 4h - group_by: ['cluster', 'alertname', 'service', 'namespace'] - receiver: slack_amazeeio_alertmanager_normal - # The child route trees - routes: - - match: - alertname: Watchdog - repeat_interval: 5m - receiver: deadmanssnitch - - match: - severity: critical - receiver: slack_amazeeio_alertmanager_critical - - match: - severity: warning - receiver: slack_amazeeio_alertmanager_warning - # Inhibition rules allow to mute a set of alerts given that another alert is - # firing. - # We use this to mute any warning-level notifications if the same alert is - # already critical. - inhibit_rules: - - source_match: - severity: 'critical' - target_match: - severity: 'warning' - # Apply inhibition if the alertname is the same. - equal: ['alertname', 'cluster', 'service'] - receivers: - - name: slack_amazeeio_alertmanager_critical - slack_configs: - - api_url: {{ .Values.alertmanager.slack.apiUrl }} - channel: '{{ .Values.alertmanager.slack.channel }}' - send_resolved: true - username: {{ .Values.alertmanager.slack.username }} - color: '{{ `{{ if eq .Status "firing" }}` }}danger{{ `{{ else }}` }}good{{ `{{ end }}` }}' - title: |- - [{{ `{{ .Status | toUpper }}` }}{{ `{{ if eq .Status "firing" }}` }}:{{ `{{ .Alerts.Firing | len }}` }}{{ `{{ end }}` }}] {{ `{{ .CommonLabels.alertname }}` }} - text: '{{ `{{ template "slack.amazeeio.text" . }}` }}' - - name: slack_amazeeio_alertmanager_warning - slack_configs: - - api_url: {{ .Values.alertmanager.slack.apiUrl }} - channel: '{{ .Values.alertmanager.slack.channel }}' - send_resolved: false - username: {{ .Values.alertmanager.slack.username }} - color: '{{ `{{ if eq .Status "firing" }}` }}warning{{ `{{ else }}` }}good{{ `{{ end }}` }}' - title: |- - [{{ `{{ .Status | toUpper }}` }}{{ `{{ if eq .Status "firing" }}` }}:{{ `{{ .Alerts.Firing | len }}` }}{{ `{{ end }}` }}] {{ `{{ .CommonLabels.alertname }}` }} - text: '{{ `{{ template "slack.amazeeio.text" . 
}}` }}' - - name: slack_amazeeio_alertmanager_normal - slack_configs: - - api_url: {{ .Values.alertmanager.slack.apiUrl }} - channel: '{{ .Values.alertmanager.slack.channel }}' - send_resolved: true - username: {{ .Values.alertmanager.slack.username }} - color: 'good' - title: |- - [{{ `{{ .Status | toUpper }}` }}{{ `{{ if eq .Status "firing" }}` }}:{{ `{{ .Alerts.Firing | len }}` }}{{ `{{ end }}` }}] {{ `{{ .CommonLabels.alertname }}` }} - text: '{{ `{{ template "slack.amazeeio.text" . }}` }}' - - name: deadmanssnitch - webhook_configs: - - send_resolved: false - url: {{ .Values.alertmanager.littlesnitch.url }} - templates: - - '/etc/alertmanager/config/slack.tmpl' - templateFiles: - slack.tmpl: |- - {{ `{{ define "cluster" }}` }}{{ `{{ .ExternalURL | reReplaceAll ".*alertmanager\\.(.*)" "$1" }}` }}{{ `{{ end }}` }} - - {{ `{{ define "slack.amazeeio.text" }}` }} - {{ `{{- $root := . -}}` }} - {{ `{{ range .Alerts }}` }} - *Alert:* {{ `{{ .Annotations.summary }}` }} - `{{ `{{ .Labels.severity }}` }}` - *Cluster:* {{ `{{ template "cluster" $root }}` }} - *Description:* {{ `{{ .Annotations.description }}` }} - *Graph:* <{{ `{{ .GeneratorURL }}` }}|:chart_with_upwards_trend:> - *Runbook:* <{{ `{{ .Annotations.runbook }}` }}|:spiral_note_pad:> - *Details:* - {{ `{{ range .Labels.SortedPairs }}` }} • *{{ `{{ .Name }}` }}:* `{{ `{{ .Value }}` }}` - {{ `{{ end }}` }} - {{ `{{ end }}` }} - {{ `{{ end }}` }} - -## Using default values from https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml -## -grafana: - enabled: true - defaultDashboardsEnabled: false - ingress: - enabled: true - annotations: - kubernetes.io/tls-acme: "true" - {{- if .Values.auth.enabled }} - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.auth.host }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err" - nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.auth.host }}/validate - 
nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User - nginx.ingress.kubernetes.io/auth-snippet: | - # these return values are used by the @error401 call - auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; - auth_request_set $auth_resp_err $upstream_http_x_vouch_err; - auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; - {{- end }} - hosts: - - {{ .Values.grafana.host }} - path: / - tls: - - secretName: {{ .Values.grafana.host }}-tls - hosts: - - {{ .Values.grafana.host }} - - grafana.ini: - server: - root_url: https://{{ .Values.grafana.host }} - auth.anonymous: - enabled: true - org_role: Admin - org_name: Main Org. - - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: 'grafana-com' - orgId: 1 - folder: '' - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/grafana-com - - dashboards: - grafana-com: - prometheus-stats: - gnetId: 2 - revision: 2 - datasource: Prometheus - loggin-operator: - gnetId: 7752 - revision: 4 - datasource: Prometheus - fluentd: - gnetId: 13042 - revision: 2 - datasource: Prometheus - alertmanager: - gnetId: 9578 - revision: 4 - datasource: Prometheus - grafana: - gnetId: 3590 - revision: 3 - datasource: Prometheus - nginx-ingress: - gnetId: 9614 - revision: 1 - datasource: Prometheus -{{- toYaml .Values.grafana.dashboards | nindent 6 }} - -## Component scraping the kube api server -## -kubeApiServer: - enabled: false - - -## Component scraping the kubelet and kubelet-hosted cAdvisor -## -kubelet: - enabled: false - - -## Component scraping the kube controller manager -## -kubeControllerManager: - enabled: false - - -## Component scraping coreDns. Use either this or kubeDns -## -coreDns: - enabled: false - -## Component scraping kubeDns. 
Use either this or coreDns -## -kubeDns: - enabled: false - - -## Component scraping etcd -## -kubeEtcd: - enabled: false - - -## Component scraping kube scheduler -## -kubeScheduler: - enabled: false - -## Component scraping kube proxy -## -kubeProxy: - enabled: false - -## Component scraping kube state metrics -## -kubeStateMetrics: - enabled: false - -## Deploy node exporter as a daemonset to all nodes -## -nodeExporter: - enabled: false - -## Manages Prometheus and Alertmanager components -## -prometheusOperator: - enabled: false - manageCrds: false - createCustomResource: false - - admissionWebhooks: - enabled: false - -## Deploy a Prometheus instance -## -prometheus: - - enabled: true - - prometheusSpec: - serviceMonitorSelectorNilUsesHelmValues: false - serviceMonitorSelector: - matchLabels: - monitoring.lagoon.sh/monitorMe: "true" - - podMonitorSelectorNilUsesHelmValues: false - podMonitorSelector: - matchLabels: - monitoring.lagoon.sh/monitorMe: "true" - - ruleSelectorNilUsesHelmValues: false - ruleSelector: - matchLabels: - monitoring.lagoon.sh/monitorMe: "true" - - storageSpec: - volumeClaimTemplate: - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 200Gi - - externalUrl: "https://{{ .Values.prometheus.host }}" - - ingress: - enabled: true - annotations: - kubernetes.io/tls-acme: "true" - {{- if .Values.auth.enabled }} - nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.auth.host }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err" - nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.auth.host }}/validate - nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User - nginx.ingress.kubernetes.io/auth-snippet: | - # these return values are used by the @error401 call - auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; - auth_request_set $auth_resp_err $upstream_http_x_vouch_err; - auth_request_set $auth_resp_failcount 
$upstream_http_x_vouch_failcount; - {{- end }} - hosts: - - {{ .Values.prometheus.host }} - path: / - tls: - - secretName: {{ .Values.prometheus.host }}-tls - hosts: - - {{ .Values.prometheus.host }} diff --git a/helmfiles/lagoon-monitoring/values.yaml b/helmfiles/lagoon-monitoring/values.yaml deleted file mode 100644 index 1aa2b724..00000000 --- a/helmfiles/lagoon-monitoring/values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Example values for lagoon-monitoring helmfile -# -# We strongly suggest to adapt these in your own helmfile as they will out of the box -# not really work. - -namespace: lagoon-monitoring -auth: - enabled: false - host: auth.monitoring.example.com - config: - vouch: - domains: [] - allowAllUsers: false - whiteList: [] - jwt: - secret: super-secret-stuff - webapp: false - testing: false - - oauth: - provider: - client_id: - client_secret: - callback_urls: [] - preferredDomain: -alertmanager: - host: alertmanager.monitoring.example.com -grafana: - host: grafana.monitoring.example.com -prometheus: - host: prometheus.monitoring.example.com From cd4ba3384301af22b15a02730dc78849a4158d6e Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 20 Jun 2023 14:32:30 +1000 Subject: [PATCH 05/35] remove references to gatekeeper chart --- .github/workflows/lint-test.yaml | 8 -------- .github/workflows/release.yaml | 1 - .github/workflows/test-suite.yaml | 1 - default.ct.yaml | 2 -- test-suite-lint.ct.yaml | 1 - 5 files changed, 13 deletions(-) diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 3d23604e..ee6ab78a 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml 
@@ -19,7 +19,6 @@ jobs: helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com helm repo add lagoon https://uselagoon.github.io/lagoon-charts/ helm repo add amazeeio https://amazeeio.github.io/charts/ - helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm repo add nats https://nats-io.github.io/k8s/helm/charts/ helm repo add kube-logging https://kube-logging.github.io/helm-charts - name: Generate helm templates @@ -28,8 +27,6 @@ jobs: # hacky workaround for lagoon-test templated values tests=[foo,bar] envsubst '$tests' < lagoon-test/ci/linter-values.yaml.tpl > lagoon-test/ci/linter-values.yaml - # don't lint lagoon-gatekeeper - rm -rf lagoon-gatekeeper for chart in *; do helm dependency build $chart mkdir -p /tmp/charts/$chart @@ -38,11 +35,6 @@ jobs: --output-dir /tmp/charts/$chart done - # workaround until gatekeeper templates are fixed: - # * https://github.com/open-policy-agent/gatekeeper/pull/1114 - # * https://github.com/open-policy-agent/gatekeeper/pull/1115 - rm -rf /tmp/charts/lagoon-gatekeeper/lagoon-gatekeeper/charts/gatekeeper - rm -rf /tmp/charts/lagoon-remote/lagoon-remote/charts/lagoon-gatekeeper/charts/gatekeeper # workaround until logging-operator templates are fixed: # https://github.com/banzaicloud/logging-operator/pull/792 rm -rf /tmp/charts/lagoon-logging/lagoon-logging/charts/logging-operator diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6f01c05a..3726cbab 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -31,7 +31,6 @@ jobs: helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com helm repo add lagoon https://uselagoon.github.io/lagoon-charts/ helm repo add amazeeio https://amazeeio.github.io/charts/ - helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm repo add nats https://nats-io.github.io/k8s/helm/charts/ helm repo add kube-logging https://kube-logging.github.io/helm-charts diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 188391bd..016ddb2f 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -97,7 +97,6 @@ jobs: helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo add bitnami https://charts.bitnami.com/bitnami - helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm repo add amazeeio https://amazeeio.github.io/charts/ helm repo add lagoon https://uselagoon.github.io/lagoon-charts/ helm repo add nats https://nats-io.github.io/k8s/helm/charts/ diff --git a/default.ct.yaml b/default.ct.yaml index a00f6d8f..98f52a91 100644 --- a/default.ct.yaml +++ b/default.ct.yaml @@ -8,10 +8,8 @@ chart-repos: - banzaicloud-stable=https://kubernetes-charts.banzaicloud.com - lagoon=https://uselagoon.github.io/lagoon-charts/ - amazeeio=https://amazeeio.github.io/charts/ -- gatekeeper=https://open-policy-agent.github.io/gatekeeper/charts - nats=https://nats-io.github.io/k8s/helm/charts/ - kube-logging=https://kube-logging.github.io/helm-charts excluded-charts: - lagoon-test -- lagoon-gatekeeper helm-extra-args: --timeout 20m diff --git a/test-suite-lint.ct.yaml b/test-suite-lint.ct.yaml index 17dc40f5..76aa8dcc 100644 --- a/test-suite-lint.ct.yaml +++ b/test-suite-lint.ct.yaml @@ -7,5 +7,4 @@ excluded-charts: - lagoon-logging - lagoon-logs-concentrator - lagoon-build-deploy -- lagoon-gatekeeper helm-extra-args: --timeout 20m 
From 73a410b07530d9edccbbb90db4a92f0d398d3473 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 20 Jun 2023 14:41:52 +1000 Subject: [PATCH 06/35] force action run From b39b11b13e8c24d41cb106d276ca666d87836402 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 20 Jun 2023 17:51:46 +1000 Subject: [PATCH 07/35] v1.26.4 as kubernetes default for tests --- .github/workflows/lint-test-matrix.yaml | 2 +- .github/workflows/lint-test.yaml | 2 +- .github/workflows/test-suite.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml index dfd4e34f..74d26fb6 100644 --- a/.github/workflows/lint-test-matrix.yaml +++ b/.github/workflows/lint-test-matrix.yaml @@ -15,7 +15,7 @@ jobs: - v1.22.17@sha256:9af784f45a584f6b28bce2af84c494d947a05bd709151466489008f80a9ce9d5 - v1.23.17@sha256:f77f8cf0b30430ca4128cc7cfafece0c274a118cd0cdb251049664ace0dee4ff - v1.24.13@sha256:cea86276e698af043af20143f4bf0509e730ec34ed3b7fa790cc0bea091bc5dd - - v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e + - v1.25.9@sha256:c08d6c52820aa42e533b70bce0c2901183326d86dcdcbedecc9343681db45161 - v1.27.1@sha256:b7d12ed662b873bd8510879c1846e87c7e676a79fefc93e17b2a52989d3ff42b steps: - name: Checkout diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 3d23604e..7a1904a5 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -95,7 +95,7 @@ jobs: uses: helm/kind-action@v1.7.0 with: version: v0.19.0 - node_image: kindest/node:v1.25.9@sha256:c08d6c52820aa42e533b70bce0c2901183326d86dcdcbedecc9343681db45161 + node_image: kindest/node:v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e if: | (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) 
diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 188391bd..bf72ee66 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -75,9 +75,9 @@ jobs: (contains(github.event.pull_request.labels.*.name, 'needs-testing')) with: version: v0.19.0 - node_image: kindest/node:v1.25.9@sha256:c08d6c52820aa42e533b70bce0c2901183326d86dcdcbedecc9343681db45161 + node_image: kindest/node:v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e config: test-suite.kind-config.yaml - kubectl_version: v1.25.9 + kubectl_version: v1.26.4 - name: Check node IP matches kind configuration if: | From b8643b31a05d8ebc10b26b9fa7e1f3b76a7695c4 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 20 Jun 2023 17:56:30 +1000 Subject: [PATCH 08/35] force action run From cbbfa143c712a10211908912108ccbcb6439c20c Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 4 Apr 2023 20:53:37 +0800 Subject: [PATCH 09/35] chore: bump lagoon-ssh-portal-api and lagoon-ssh-token versions --- charts/lagoon-core/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index c66db53c..63670e72 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -809,7 +809,7 @@ sshPortalAPI: repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-portal-api pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.28.0" + tag: "v0.30.0" podAnnotations: {} @@ -882,7 +882,7 @@ sshToken: repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-token pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.28.0" + tag: "v0.30.0" podAnnotations: {} From 74b4f53be4db299bffc53fa0fcd779caad6d4d50 Mon Sep 17 00:00:00 2001 
From: Scott Leggett Date: Tue, 4 Apr 2023 20:53:23 +0800 Subject: [PATCH 10/35] chore: bump lagoon-core chart version --- charts/lagoon-core/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 5235a9af..e4dd6d2c 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.32.0 +version: 1.33.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. @@ -41,4 +41,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: add resource requests to lagoon-core deployments + description: update lagoon-ssh-portal-api and lagoon-ssh-token to v0.30.0 From 99a15e74262cf8320e9700ed040f803a5951ead1 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 4 Apr 2023 20:54:22 +0800 Subject: [PATCH 11/35] fix: bump lagoon-ssh-portal version and update image pull policy Pull policy should be IfNotPresent since the tags are versioned. --- charts/lagoon-remote/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml index ec9440e4..1d35a7e7 100644 --- a/charts/lagoon-remote/values.yaml +++ b/charts/lagoon-remote/values.yaml @@ -120,9 +120,9 @@ sshPortal: replicaCount: 2 image: repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-portal - pullPolicy: Always + pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.28.0" + tag: "v0.30.0" service: type: LoadBalancer From e11f003d04fa57db29fcf8088591937b64bf1ac6 Mon Sep 17 00:00:00 2001 
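Review bot: Changing `pullPolicy` from `Always` to `IfNotPresent` for the ssh-portal image in charts/lagoon-remote/values.yaml is only as safe as the tag is immutable, and `v0.30.0` is a mutable tag: a node that already cached a different build under that tag keeps running it, and a re-pushed tag would be accepted with no verification. If the chart's image helper supports it, pinning by digest (`repository@sha256:<digest-placeholder>`) keeps the pull-cost benefit while making the reference content-addressed; otherwise the comment above `tag` could say `# Use a digest-pinned reference here when image provenance matters; IfNotPresent trusts whatever the node has cached for this tag.` The same consideration applies to the `v0.30.0` tags set in charts/lagoon-core/values.yaml in patch 09, which already use `IfNotPresent`.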
From: Scott Leggett Date: Tue, 4 Apr 2023 20:54:00 +0800 Subject: [PATCH 12/35] chore: bump lagoon-remote chart version --- charts/lagoon-remote/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index 0f8d4c85..9a077657 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -19,7 +19,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.78.1 +version: 0.79.0 dependencies: - name: lagoon-build-deploy @@ -45,4 +45,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: update lagoon-build-deploy subchart to 0.23.1 + description: update lagoon-ssh-portal to v0.30.0 From 462202e4349aae65872e39cc6679ef46bf23fef8 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 4 Jul 2023 09:50:30 +1000 Subject: [PATCH 13/35] update Lagoon appVersion to v2.15.2 --- charts/lagoon-core/Chart.yaml | 6 +++--- charts/lagoon-test/Chart.yaml | 14 +++++++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index e4dd6d2c..ff908507 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,13 +21,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.33.0 +version: 1.34.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.15.1 +appVersion: v2.15.2 dependencies: - name: nats 
@@ -41,4 +41,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: update lagoon-ssh-portal-api and lagoon-ssh-token to v0.30.0 + description: update Lagoon appVersion to v2.15.2 diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml index 646f95c6..149ebd1f 100644 --- a/charts/lagoon-test/Chart.yaml +++ b/charts/lagoon-test/Chart.yaml @@ -11,9 +11,17 @@ kubeVersion: ">= 1.21.0-0" type: application -version: 0.47.0 +# This is the chart version. This version number should be incremented each +# time you make changes to the chart and its templates, including the app +# version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.48.0 -appVersion: v2.15.1 +# This is the version number of the application being deployed. This version +# number should be incremented each time you make changes to the application. +# Versions are not expected to follow Semantic Versioning. They should reflect +# the version the application is using. +appVersion: v2.15.2 # This section is used to collect a changelog for artifacthub.io # It should be started afresh for each release @@ -21,4 +29,4 @@ appVersion: v2.15.1 annotations: artifacthub.io/changes: | - kind: changed - description: update Lagoon appVersion to v2.15.1 + description: update Lagoon appVersion to v2.15.2 From 921b92fcf0a706ffc1a3c9d38465b564bbdbd0ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 01:29:44 +0000 Subject: [PATCH 14/35] chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/lint-test-matrix.yaml | 2 +- .github/workflows/lint-test.yaml | 2 +- .github/workflows/test-suite.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml index 74d26fb6..60912546 100644 --- a/.github/workflows/lint-test-matrix.yaml +++ b/.github/workflows/lint-test-matrix.yaml @@ -42,7 +42,7 @@ jobs: run: ct lint --config ./default.ct.yaml - name: Create kind cluster - uses: helm/kind-action@v1.7.0 + uses: helm/kind-action@v1.8.0 with: version: v0.19.0 node_image: kindest/node:${{ matrix.kindest_node_version }} diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 08f53f09..7b476f8b 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -84,7 +84,7 @@ jobs: run: ct lint --config ./default.ct.yaml - name: Create kind cluster - uses: helm/kind-action@v1.7.0 + uses: helm/kind-action@v1.8.0 with: version: v0.19.0 node_image: kindest/node:v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 9eb7881f..8880d36d 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -69,7 +69,7 @@ jobs: envsubst < test-suite.kind-config.yaml.tpl > test-suite.kind-config.yaml - name: Create kind cluster - uses: helm/kind-action@v1.7.0 + uses: helm/kind-action@v1.8.0 if: | (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) From 35ee39d8d86bf2dcff4e4d04562db737f3ec14f4 Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Mon, 17 Jul 2023 11:34:40 +1000 Subject: [PATCH 15/35] update kind and its images --- .github/workflows/lint-test-matrix.yaml | 14 +++++++------- .github/workflows/lint-test.yaml | 5 +++-- .github/workflows/test-suite.yaml | 6 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml index 60912546..0e085941 100644 --- a/.github/workflows/lint-test-matrix.yaml +++ b/.github/workflows/lint-test-matrix.yaml @@ -11,12 +11,12 @@ jobs: fail-fast: false matrix: kindest_node_version: - - v1.21.14@sha256:220cfafdf6e3915fbce50e13d1655425558cb98872c53f802605aa2fb2d569cf - - v1.22.17@sha256:9af784f45a584f6b28bce2af84c494d947a05bd709151466489008f80a9ce9d5 - - v1.23.17@sha256:f77f8cf0b30430ca4128cc7cfafece0c274a118cd0cdb251049664ace0dee4ff - - v1.24.13@sha256:cea86276e698af043af20143f4bf0509e730ec34ed3b7fa790cc0bea091bc5dd - - v1.25.9@sha256:c08d6c52820aa42e533b70bce0c2901183326d86dcdcbedecc9343681db45161 - - v1.27.1@sha256:b7d12ed662b873bd8510879c1846e87c7e676a79fefc93e17b2a52989d3ff42b + - v1.21.14@sha256:8a4e9bb3f415d2bb81629ce33ef9c76ba514c14d707f9797a01e3216376ba093 + - v1.22.17@sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2 + - v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb + - v1.24.15@sha256:7db4f8bea3e14b82d12e044e25e34bd53754b7f2b0e9d56df21774e6f66a70ab + - v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8 + - v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 steps: - name: Checkout uses: actions/checkout@v3 @@ -44,7 +44,7 @@ jobs: - name: Create kind cluster uses: helm/kind-action@v1.8.0 with: - version: v0.19.0 + version: v0.20.0 node_image: kindest/node:${{ matrix.kindest_node_version }} if: | (steps.list-changed.outputs.changed == 'true') || 
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 7b476f8b..ea28a138 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -86,8 +86,9 @@ jobs: - name: Create kind cluster uses: helm/kind-action@v1.8.0 with: - version: v0.19.0 - node_image: kindest/node:v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e + version: v0.20.0 + node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb + kubectl_version: v1.26.6 if: | (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 8880d36d..9599fb08 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -74,10 +74,10 @@ jobs: (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) with: - version: v0.19.0 - node_image: kindest/node:v1.26.4@sha256:f4c0d87be03d6bea69f5e5dc0adb678bb498a190ee5c38422bf751541cebe92e + version: v0.20.0 + node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb config: test-suite.kind-config.yaml - kubectl_version: v1.26.4 + kubectl_version: v1.26.6 - name: Check node IP matches kind configuration if: | From 78b063cd2a8c26f65864fbf8e940483e477513b1 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Mon, 17 Jul 2023 11:38:49 +1000 Subject: [PATCH 16/35] chore: update remote-controller and bump crd for tasks --- charts/lagoon-build-deploy/Chart.yaml | 8 +++++--- .../crds/crd.lagoon.sh_lagoontasks.yaml | 11 +++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/charts/lagoon-build-deploy/Chart.yaml b/charts/lagoon-build-deploy/Chart.yaml index 81a2b43b..61c58b79 100644 --- a/charts/lagoon-build-deploy/Chart.yaml 
+++ b/charts/lagoon-build-deploy/Chart.yaml @@ -16,11 +16,13 @@ kubeVersion: ">= 1.21.0-0" type: application -version: 0.23.1 +version: 0.24.0 -appVersion: v0.13.1 +appVersion: v0.14.0 annotations: artifacthub.io/changes: | - kind: changed - description: update remote-controller appVersion to v0.13.1 + description: update remote-controller appVersion to v0.14.0 + - kind: changed + description: updated lagoontask crd, will require crds to be re-applied diff --git a/charts/lagoon-build-deploy/crds/crd.lagoon.sh_lagoontasks.yaml b/charts/lagoon-build-deploy/crds/crd.lagoon.sh_lagoontasks.yaml index 74f095ad..15cb54c0 100644 --- a/charts/lagoon-build-deploy/crds/crd.lagoon.sh_lagoontasks.yaml +++ b/charts/lagoon-build-deploy/crds/crd.lagoon.sh_lagoontasks.yaml @@ -108,6 +108,17 @@ spec: type: string namespacePattern: type: string + variables: + description: Variables contains the project and environment variables + from lagoon. + properties: + environment: + format: byte + type: string + project: + format: byte + type: string + type: object required: - id - name From 9898959409060a4a8a98e6db5cc93e83c5e42df4 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Mon, 17 Jul 2023 14:16:53 +1000 Subject: [PATCH 17/35] chore: update lagoon-build-deploy to v0.24.0 --- charts/lagoon-remote/Chart.lock | 6 +++--- charts/lagoon-remote/Chart.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/lagoon-remote/Chart.lock b/charts/lagoon-remote/Chart.lock index 48e25846..7657cdf7 100644 --- a/charts/lagoon-remote/Chart.lock +++ b/charts/lagoon-remote/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: lagoon-build-deploy repository: https://uselagoon.github.io/lagoon-charts/ - version: 0.23.1 + version: 0.24.0 - name: dioscuri repository: https://amazeeio.github.io/charts/ version: 0.4.1 
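Review bot: The new `variables` object in crd.lagoon.sh_lagoontasks.yaml is described as holding the project and environment variables from Lagoon, and `format: byte` means the values are stored base64-encoded, which is encoding rather than protection; if those variables can include credentials, any principal with `get`/`list`/`watch` on lagoontasks in the namespace can read them, and they will also appear in `-o yaml` output, etcd backups and any tooling that captures object bodies. It would be worth extending the field description, e.g. `description: Variables contains the project and environment variables from lagoon. Values are base64-encoded, not encrypted; treat read access to LagoonTask objects as equivalent to read access to these variables.`, and confirming that the RBAC granting read on lagoontasks is no broader than what is granted on Secrets. The enclosing `properties` block of the task spec starts before this hunk, so I cannot see whether a sibling field already carries a similar caveat.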
@@ -11,5 +11,5 @@ dependencies:
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
 version: 0.18.3
-digest: sha256:b46d43268f1114fee8e633f79ffdb55577ccb5e0fda164857e3f46b38240c0c5
-generated: "2023-06-09T12:12:07.88969372+10:00"
+digest: sha256:09ef09e8f94f0d2840e252552a76b151bf72916c5f4e12f38584ae1807b5293b
+generated: "2023-07-17T14:16:18.328197887+10:00"
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index 9a077657..6438cb5e 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,11 +19,11 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.79.0
+version: 0.80.0
 dependencies:
 - name: lagoon-build-deploy
- version: ~0.23.0
+ version: ~0.24.0
 repository: https://uselagoon.github.io/lagoon-charts/
 condition: lagoon-build-deploy.enabled
 - name: dioscuri
@@ -45,4 +45,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update lagoon-ssh-portal to v0.30.0
+ description: update lagoon-build-deploy to v0.24.0
From fc0d457f37e147cce874228d730b41e478d3163f Mon Sep 17 00:00:00 2001
From: Toby Bellwood
Date: Mon, 24 Jul 2023 07:33:51 +1000
Subject: [PATCH 18/35] update Lagoon appVersion to v2.15.3
---
 charts/lagoon-core/Chart.yaml | 6 +++---
 charts/lagoon-test/Chart.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
index ff908507..bde851a4 100644
--- a/charts/lagoon-core/Chart.yaml
+++ b/charts/lagoon-core/Chart.yaml
@@ -21,13 +21,13 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.34.0
+version: 1.35.0
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
 # Versions are not expected to follow Semantic Versioning. They should reflect
 # the version the application is using.
-appVersion: v2.15.2
+appVersion: v2.15.3
 dependencies:
 - name: nats
@@ -41,4 +41,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update Lagoon appVersion to v2.15.2
+ description: update Lagoon appVersion to v2.15.3
diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml
index 149ebd1f..e6c8d373 100644
--- a/charts/lagoon-test/Chart.yaml
+++ b/charts/lagoon-test/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.48.0
+version: 0.49.0
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
 # Versions are not expected to follow Semantic Versioning. They should reflect
 # the version the application is using.
-appVersion: v2.15.2
+appVersion: v2.15.3
 # This section is used to collect a changelog for artifacthub.io
 # It should be started afresh for each release
@@ -29,4 +29,4 @@ appVersion: v2.15.2
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update Lagoon appVersion to v2.15.2
+ description: update Lagoon appVersion to v2.15.3
From 45bb0d001d9bb8ec71a4abb4caaf1e5fd4014397 Mon Sep 17 00:00:00 2001
From: Michael Schmid
Date: Wed, 26 Jul 2023 16:53:06 -0400
Subject: [PATCH 19/35] Monitor Lagoon Broker with more details
This tells Prometheus to scrape the lagoon broker more detailed, which allows to monitor the amount of messages and consumers per queue
---
 charts/lagoon-core/Chart.yaml | 4 ++--
 charts/lagoon-core/templates/broker.servicemonitor.yaml | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
index bde851a4..05005aa7 100644
--- a/charts/lagoon-core/Chart.yaml
+++ b/charts/lagoon-core/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.35.0
+version: 1.35.1
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -41,4 +41,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update Lagoon appVersion to v2.15.3
+ description: add additional metrics to broker
diff --git a/charts/lagoon-core/templates/broker.servicemonitor.yaml b/charts/lagoon-core/templates/broker.servicemonitor.yaml
index d655c029..2261f4fd 100644
--- a/charts/lagoon-core/templates/broker.servicemonitor.yaml
+++ b/charts/lagoon-core/templates/broker.servicemonitor.yaml
@@ -8,6 +8,14 @@ metadata:
 spec:
 endpoints:
 - port: metrics
+ - interval: 30s
+ params:
+ family:
+ - queue_coarse_metrics
+ - queue_metrics
+ path: /metrics/detailed
+ port: metrics
+ scrapeTimeout: 29s
 namespaceSelector:
 matchNames:
 - {{ .Release.Namespace }}
From da16fa00711cc72239a413cd5e5db9892a60c7f3 Mon Sep 17 00:00:00 2001
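Review bot: The second `endpoints` entry has no comment explaining why the broker is scraped twice, and nothing in the template links `path: /metrics/detailed` with `family: [queue_coarse_metrics, queue_metrics]` to the per-queue message and consumer counts the commit message describes. A comment above `- interval: 30s` such as `# per-queue message/consumer metrics; served on the broker's detailed endpoint, so scraped as a separate target with its own interval` would make the explicit `interval`/`scrapeTimeout` pair reviewable, since the first endpoint sets neither and inherits the Prometheus defaults. The 30s/29s values look chosen so a slow scrape cannot overlap the next one; if so, say that in the comment rather than leaving it to be inferred.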
From: Scott Leggett
Date: Fri, 28 Jul 2023 09:51:04 +0800
Subject: [PATCH 20/35] feat: bump ssh-portal components to v0.30.1
---
 charts/lagoon-core/values.yaml | 4 ++--
 charts/lagoon-remote/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
index 63670e72..5850b605 100644
--- a/charts/lagoon-core/values.yaml
+++ b/charts/lagoon-core/values.yaml
@@ -809,7 +809,7 @@ sshPortalAPI:
 repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-portal-api
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.30.0"
+ tag: "v0.30.1"
 podAnnotations: {}
@@ -882,7 +882,7 @@ sshToken:
 repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-token
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.30.0"
+ tag: "v0.30.1"
 podAnnotations: {}
diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml
index 1d35a7e7..9b0640b1 100644
--- a/charts/lagoon-remote/values.yaml
+++ b/charts/lagoon-remote/values.yaml
@@ -122,7 +122,7 @@ sshPortal:
 repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-portal
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.30.0"
+ tag: "v0.30.1"
 service:
 type: LoadBalancer
From 81c4f0a08361ed939141756e64322b8f75e15894 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 28 Jul 2023 09:51:54 +0800
Subject: [PATCH 21/35] feat: update NATS dependency and update lagoon-core chart version
---
 charts/lagoon-core/Chart.lock | 6 +++---
 charts/lagoon-core/Chart.yaml | 8 ++++++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/charts/lagoon-core/Chart.lock b/charts/lagoon-core/Chart.lock
index f404f187..77ce0291 100644
--- a/charts/lagoon-core/Chart.lock
+++ b/charts/lagoon-core/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
- version: 0.18.3
-digest: sha256:23ec68e1604f1b9f90bd9571e7e17c6101524be61b304de03f378a31a6c55fbd
-generated: "2022-11-24T11:53:36.184266854+11:00"
+ version: 0.19.17
+digest: sha256:9c58fc4ddeec7b86f5ef2cf1996a48a7e09d9bd4aa149971e2525a6f05649bf8
+generated: "2023-07-28T09:49:46.220986689+08:00"
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
index 05005aa7..af15b481 100644
--- a/charts/lagoon-core/Chart.yaml
+++ b/charts/lagoon-core/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.35.1
+version: 1.36.0
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -31,7 +31,7 @@ appVersion: v2.15.3
 dependencies:
 - name: nats
- version: ~0.18.0
+ version: ~0.19.0
 repository: https://nats-io.github.io/k8s/helm/charts/
 condition: nats.enabled
@@ -42,3 +42,7 @@ annotations:
 artifacthub.io/changes: |
 - kind: changed
 description: add additional metrics to broker
+ - kind: changed
+ description: update lagoon-ssh-token and lagoon-ssh-portal-api to v0.30.1
+ - kind: changed
+ description: update NATS chart dependency to v0.19.17
From ea0775949f7c8f84a871ba029eb18e005d59f73d Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 28 Jul 2023 09:52:19 +0800
Subject: [PATCH 22/35] feat: bump NATS dependency and update lagoon-remote chart version
---
 charts/lagoon-remote/Chart.lock | 6 +++---
 charts/lagoon-remote/Chart.yaml | 8 +++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/charts/lagoon-remote/Chart.lock b/charts/lagoon-remote/Chart.lock
index 7657cdf7..5bd1617b 100644
--- a/charts/lagoon-remote/Chart.lock
+++ b/charts/lagoon-remote/Chart.lock
@@ -10,6 +10,6 @@ dependencies:
 version: 0.3.0
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
- version: 0.18.3
-digest: sha256:09ef09e8f94f0d2840e252552a76b151bf72916c5f4e12f38584ae1807b5293b
-generated: "2023-07-17T14:16:18.328197887+10:00"
+ version: 0.19.17
+digest: sha256:5bf74bd117c2e5ae31d4084a588c52dd9408bbcc54cd0c86abf763d35f583412
+generated: "2023-07-28T09:49:56.393491706+08:00"
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index 6438cb5e..b46d57ef 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.80.0
+version: 0.81.0
 dependencies:
 - name: lagoon-build-deploy
@@ -35,7 +35,7 @@ dependencies:
 repository: https://amazeeio.github.io/charts/
 condition: dbaas-operator.enabled
 - name: nats
- version: ~0.18.0
+ version: ~0.19.0
 repository: https://nats-io.github.io/k8s/helm/charts/
 condition: nats.enabled
@@ -45,4 +45,6 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update lagoon-build-deploy to v0.24.0
+ description: update lagoon-ssh-portal to v0.30.1
+ - kind: changed
+ description: update NATS chart dependency to v0.19.17
From 7337f7f5b650af53726916fb57ddd77339872e5f Mon Sep 17 00:00:00 2001
From: Toby Bellwood
Date: Mon, 31 Jul 2023 11:55:35 +1000
Subject: [PATCH 23/35] update Lagoon appVersion to v2.15.4
---
 charts/lagoon-core/Chart.yaml | 4 +++-
 charts/lagoon-test/Chart.yaml | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
index af15b481..81aca95b 100644
--- a/charts/lagoon-core/Chart.yaml
+++ b/charts/lagoon-core/Chart.yaml
@@ -27,7 +27,7 @@ version: 1.36.0
 # number should be incremented each time you make changes to the application.
 # Versions are not expected to follow Semantic Versioning. They should reflect
 # the version the application is using.
-appVersion: v2.15.3
+appVersion: v2.15.4
 dependencies:
 - name: nats
@@ -46,3 +46,5 @@ annotations:
 description: update lagoon-ssh-token and lagoon-ssh-portal-api to v0.30.1
 - kind: changed
 description: update NATS chart dependency to v0.19.17
+ - kind: changed
+ description: update Lagoon appVersion to v2.15.4
diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml
index e6c8d373..e9fba831 100644
--- a/charts/lagoon-test/Chart.yaml
+++ b/charts/lagoon-test/Chart.yaml
@@ -21,7 +21,7 @@ version: 0.49.0
 # number should be incremented each time you make changes to the application.
 # Versions are not expected to follow Semantic Versioning. They should reflect
 # the version the application is using.
-appVersion: v2.15.3
+appVersion: v2.15.4
 # This section is used to collect a changelog for artifacthub.io
 # It should be started afresh for each release
@@ -29,4 +29,4 @@ appVersion: v2.15.3
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update Lagoon appVersion to v2.15.3
+ description: update Lagoon appVersion to v2.15.4
From 9f6a457abf4d65a315c7de77d6133e06ae04bf27 Mon Sep 17 00:00:00 2001
From: Toby Bellwood
Date: Mon, 31 Jul 2023 15:10:36 +1000
Subject: [PATCH 24/35] Update lagoon-test Chart.yaml
---
 charts/lagoon-test/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml
index e9fba831..076b6886 100644
--- a/charts/lagoon-test/Chart.yaml
+++ b/charts/lagoon-test/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.49.0
+version: 0.50.0
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
From 4e9e9f31424ea4101e623b9c77fd90d23cda3571 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Sep 2023 00:29:00 +0000
Subject: [PATCH 25/35] chore(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/lint-test-matrix.yaml | 2 +-
 .github/workflows/lint-test.yaml | 6 +++---
 .github/workflows/release.yaml | 2 +-
 .github/workflows/test-suite.yaml | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml
index 0e085941..84d9b17e 100644
--- a/.github/workflows/lint-test-matrix.yaml
+++ b/.github/workflows/lint-test-matrix.yaml
@@ -19,7 +19,7 @@ jobs:
 - v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: "0"
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index ea28a138..4721000b 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -7,7 +7,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Install Helm
 run: |
 cd /tmp
@@ -61,7 +61,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: "0"
@@ -100,7 +100,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: "0"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3726cbab..522bb8ac 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: "0"
diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml
index 9599fb08..5e4be252 100644
--- a/.github/workflows/test-suite.yaml
+++ b/.github/workflows/test-suite.yaml
@@ -40,7 +40,7 @@ jobs:
 continue-on-error: true
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: "0"
From ce9d44309d1ed4e14c99067d44410e85b2ca83d3 Mon Sep 17 00:00:00 2001
From: Brandon Williams
Date: Tue, 12 Sep 2023 16:34:12 -0500
Subject: [PATCH 26/35] feat: Add lagoon-remote-ssh-core resources
---
 charts/lagoon-remote/Chart.yaml | 8 ++--
 charts/lagoon-remote/templates/_helpers.tpl | 37 +++++++++++++++++++
 .../templates/ssh-core.clusterrole.yaml | 36 ++++++++++++++++++
 .../ssh-core.clusterrolebinding.yaml | 16 ++++++++
 .../templates/ssh-core.secret.yaml | 11 ++++++
 .../templates/ssh-core.serviceaccount.yaml | 12 ++++++
 charts/lagoon-remote/values.yaml | 11 ++++++
 7 files changed, 126 insertions(+), 5 deletions(-)
 create mode 100644 charts/lagoon-remote/templates/ssh-core.clusterrole.yaml
 create mode 100644 charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml
 create mode 100644 charts/lagoon-remote/templates/ssh-core.secret.yaml
 create mode 100644 charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index b46d57ef..e050a684 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.81.0
+version: 0.82.0
 dependencies:
 - name: lagoon-build-deploy
@@ -44,7 +44,5 @@ dependencies:
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
 artifacthub.io/changes: |
- - kind: changed
- description: update lagoon-ssh-portal to v0.30.1
- - kind: changed
- description: update NATS chart dependency to v0.19.17
+ - kind: added
+ description: add lagoon-remote-ssh-core resources
diff --git a/charts/lagoon-remote/templates/_helpers.tpl b/charts/lagoon-remote/templates/_helpers.tpl
index a0fd1b6f..56cd7263 100644
--- a/charts/lagoon-remote/templates/_helpers.tpl
+++ b/charts/lagoon-remote/templates/_helpers.tpl
@@ -155,6 +155,43 @@ app.kubernetes.io/instance: {{ .Release.Name }}
+{{/*
+Create the name of the service account to use for sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.serviceAccountName" -}}
+{{- default (include "lagoon-remote.sshCore.fullname" .) .Values.sshCore.serviceAccount.name }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name for sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.fullname" -}}
+{{- include "lagoon-remote.fullname" . }}-ssh-core
+{{- end }}
+
+{{/*
+Common labels sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.labels" -}}
+helm.sh/chart: {{ include "lagoon-remote.chart" . }}
+{{ include "lagoon-remote.sshCore.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels sshCore.
+*/}}
+{{- define "lagoon-remote.sshCore.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-remote.name" . }}
+app.kubernetes.io/component: {{ include "lagoon-remote.sshCore.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+
 {{/*
 Create the name of the service account to use for sshPortal.
 */}}
diff --git a/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml
new file mode 100644
index 00000000..97250394
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml
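Review bot: The block ends with three added blank lines before the existing `{{/* Create the name of the service account to use for sshPortal. */}}` comment, whereas the new helpers are separated from each other by a single blank line; trim to one so the file keeps a uniform spacing. `lagoon-remote.sshCore.serviceAccountName` also references `lagoon-remote.sshCore.fullname` before that template is defined, which Helm accepts, but defining `fullname` first would match the dependency order and read more naturally. The surrounding sshPortal helpers begin after this hunk, so whether they follow that order cannot be checked here.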
@@ -0,0 +1,36 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments/scale
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml b/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml
new file mode 100644
index 00000000..bb48fb8d
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-core.secret.yaml b/charts/lagoon-remote/templates/ssh-core.secret.yaml
new file mode 100644
index 00000000..750190e8
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.secret.yaml
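Review bot: The ClusterRole grants `create` on `pods/exec` and `update` on `deployments/scale` in every namespace, with no namespace restriction, so the token minted for this ServiceAccount (bound cluster-wide by the ClusterRoleBinding in the next hunk) amounts to interactive access to any pod in the cluster, including ones outside Lagoon-managed namespaces; the values.yaml comment added in the same commit calls the token "restricted", which understates this. A ClusterRole is understandable when environment namespaces are created dynamically, but the blast radius should be stated where operators will read it, and the binding reviewed as a cluster-level credential rather than a component default. I would add a header comment here, `# NOTE: cluster-wide pods/exec create and deployments/scale update; equivalent to exec access in every namespace`, and rewrite the values.yaml comment to `# sshCore creates a non-expiring ServiceAccount token for lagoon-core with cluster-wide pods/exec, pods get/list and deployments get/list/scale rights; treat the generated Secret as a cluster-level credential.`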
@@ -0,0 +1,11 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}-token
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/service-account.name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml b/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml
new file mode 100644
index 00000000..a8d2f6bb
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+ {{- with .Values.sshCore.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml
index 9b0640b1..084cdac2 100644
--- a/charts/lagoon-remote/values.yaml
+++ b/charts/lagoon-remote/values.yaml
@@ -113,6 +113,17 @@ kubernetesBuildDeploy:
 # If not set, a name is generated using the fullname template.
 name:
+# sshCore creates a restricted, non-expiring ServiceAccount token for use by
+# lagoon-core.
+sshCore:
+ enabled: false
+ serviceAccount:
+ annotations: {}
+ # The name of the service account to use.
+ # If not set, a name is generated using the fullname
+ # template
+ name: ""
+
 # sshPortal is an optional service providing low-latency SSH connectivity to
 # Lagoon environments.
 sshPortal:
From beb090492f014ec138b12b854a61590f06fba74c Mon Sep 17 00:00:00 2001
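Review bot: A Secret of `type: kubernetes.io/service-account-token` makes the API server populate a token with no expiry for the sshCore ServiceAccount, and the template says nothing about how that token is expected to reach lagoon-core, how it is rotated, or who may read Secrets in the release namespace; together with the cluster-wide exec rights granted in the ClusterRole this is a long-lived, high-privilege credential whose exposure is not time-bounded. A comment on the template would at least make the lifecycle explicit, e.g. `# Long-lived token (no expiry). Rotate by deleting this Secret so a new token is issued, then re-distribute it to lagoon-core; limit read access to Secrets in this namespace accordingly.` If the deployment can instead use TokenRequest-style short-lived tokens on the lagoon-core side, that would remove the need for this Secret entirely, but whether lagoon-core supports that cannot be determined from this chart.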
From: Scott Leggett
Date: Tue, 19 Sep 2023 11:46:02 +0800
Subject: [PATCH 27/35] fix: upgrade mariadb chart to fix upgrade bug
This change allows `make install-lagoon-remote` to be run more than once. Previously we would hit https://github.com/bitnami/charts/issues/15093. The specific chart version that this PR upgrades to is the latest version of the chart which still uses MariaDB 10.11.x (the LTS minor version of v10). Later versions of the chart upgrade to MariaDB 11, which is outside the scope of this bugfix.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a7ad4e5e..ad11a559 100644
--- a/Makefile
+++ b/Makefile
@@ -117,7 +117,7 @@ install-mariadb:
 --wait \
 --timeout $(TIMEOUT) \
 $$($(KUBECTL) get ns mariadb > /dev/null 2>&1 && echo --set auth.rootPassword=$$($(KUBECTL) get secret --namespace mariadb mariadb -o json | $(JQ) -r '.data."mariadb-root-password" | @base64d')) \
- --version=11.5.7 \
+ --version=12.2.9 \
 mariadb \
 bitnami/mariadb
From b088bc7c0d7eba543335b3491d4a665aae11fa01 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 20 Sep 2023 13:44:11 +1000
Subject: [PATCH 28/35] chore: bump remote-controller to v0.15.0
---
 charts/lagoon-build-deploy/Chart.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/charts/lagoon-build-deploy/Chart.yaml b/charts/lagoon-build-deploy/Chart.yaml
index 61c58b79..11649826 100644
--- a/charts/lagoon-build-deploy/Chart.yaml
+++ b/charts/lagoon-build-deploy/Chart.yaml
@@ -16,13 +16,11 @@ kubeVersion: ">= 1.21.0-0"
 type: application
-version: 0.24.0
+version: 0.25.0
-appVersion: v0.14.0
+appVersion: v0.15.0
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update remote-controller appVersion to v0.14.0
- - kind: changed
- description: updated lagoontask crd, will require crds to be re-applied
+ description: update remote-controller appVersion to v0.15.0
From a4df662324f7afccc01d7fcd921e70c64f124626 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 20 Sep 2023 15:21:12 +1000
Subject: [PATCH 29/35] chore: update lagoon-build-deploy to v0.25.0
---
 charts/lagoon-remote/Chart.lock | 6 +++---
 charts/lagoon-remote/Chart.yaml | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/charts/lagoon-remote/Chart.lock b/charts/lagoon-remote/Chart.lock
index 5bd1617b..a4dd02e0 100644
--- a/charts/lagoon-remote/Chart.lock
+++ b/charts/lagoon-remote/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: lagoon-build-deploy
 repository: https://uselagoon.github.io/lagoon-charts/
- version: 0.24.0
+ version: 0.25.0
 - name: dioscuri
 repository: https://amazeeio.github.io/charts/
 version: 0.4.1
@@ -11,5 +11,5 @@ dependencies:
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
 version: 0.19.17
-digest: sha256:5bf74bd117c2e5ae31d4084a588c52dd9408bbcc54cd0c86abf763d35f583412
-generated: "2023-07-28T09:49:56.393491706+08:00"
+digest: sha256:f5484f77cfe25d079752ea3a19b1a93edb3c93e1262c4f310e149843359ff2c1
+generated: "2023-09-20T15:20:44.302630522+10:00"
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index e050a684..309b8f8f 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,11 +19,11 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.82.0
+version: 0.83.0
 dependencies:
 - name: lagoon-build-deploy
- version: ~0.24.0
+ version: ~0.25.0
 repository: https://uselagoon.github.io/lagoon-charts/
 condition: lagoon-build-deploy.enabled
 - name: dioscuri
@@ -44,5 +44,5 @@ dependencies:
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
 artifacthub.io/changes: |
- - kind: added
- description: add lagoon-remote-ssh-core resources
+ - kind: changed
+ description: update lagoon-build-deploy to v0.25.0
From 08b1f043d6d132b677ce0756bd2ff01c5d10243e Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 4 Oct 2023 11:13:52 +1100
Subject: [PATCH 30/35] chore: bump remote-controller to v0.15.1
---
 charts/lagoon-build-deploy/Chart.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/lagoon-build-deploy/Chart.yaml b/charts/lagoon-build-deploy/Chart.yaml
index 11649826..395d734b 100644
--- a/charts/lagoon-build-deploy/Chart.yaml
+++ b/charts/lagoon-build-deploy/Chart.yaml
@@ -16,11 +16,11 @@ kubeVersion: ">= 1.21.0-0"
 type: application
-version: 0.25.0
+version: 0.25.1
-appVersion: v0.15.0
+appVersion: v0.15.1
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update remote-controller appVersion to v0.15.0
+ description: update remote-controller appVersion to v0.15.1
From 8ab5e0152ed289eb3736e417c03dcf9b41baffb9 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 4 Oct 2023 15:54:05 +1100
Subject: [PATCH 31/35] chore: bump lagoon-build-deploy subchart to v0.25.1
---
 charts/lagoon-remote/Chart.lock | 6 +++---
 charts/lagoon-remote/Chart.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/charts/lagoon-remote/Chart.lock b/charts/lagoon-remote/Chart.lock
index a4dd02e0..f2117b14 100644
--- a/charts/lagoon-remote/Chart.lock
+++ b/charts/lagoon-remote/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: lagoon-build-deploy
 repository: https://uselagoon.github.io/lagoon-charts/
- version: 0.25.0
+ version: 0.25.1
 - name: dioscuri
 repository: https://amazeeio.github.io/charts/
 version: 0.4.1
@@ -11,5 +11,5 @@ dependencies:
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
 version: 0.19.17
-digest: sha256:f5484f77cfe25d079752ea3a19b1a93edb3c93e1262c4f310e149843359ff2c1
-generated: "2023-09-20T15:20:44.302630522+10:00"
+digest: sha256:15cf7820f99a3b67bc9a83db2444f54cc08669616616fb684ef39d0318f2698b
+generated: "2023-10-04T15:53:27.449884473+11:00"
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index 309b8f8f..d6063977 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.83.0
+version: 0.83.1
 dependencies:
 - name: lagoon-build-deploy
@@ -45,4 +45,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update lagoon-build-deploy to v0.25.0
+ description: update lagoon-build-deploy to v0.25.1
From 419ea3f3e765bdc09045abbceae7406c481971fb Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Fri, 6 Oct 2023 10:45:07 +1100
Subject: [PATCH 32/35] chore: update remote-controller to v0.15.2
---
 charts/lagoon-build-deploy/Chart.yaml | 8 +++++---
 charts/lagoon-build-deploy/templates/deployment.yaml | 3 +++
 charts/lagoon-build-deploy/values.yaml | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/charts/lagoon-build-deploy/Chart.yaml b/charts/lagoon-build-deploy/Chart.yaml
index 395d734b..d4262503 100644
--- a/charts/lagoon-build-deploy/Chart.yaml
+++ b/charts/lagoon-build-deploy/Chart.yaml
@@ -16,11 +16,13 @@ kubeVersion: ">= 1.21.0-0"
 type: application
-version: 0.25.1
+version: 0.25.2
-appVersion: v0.15.1
+appVersion: v0.15.2
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update remote-controller appVersion to v0.15.1
+ description: update remote-controller appVersion to v0.15.2
+ - kind: changed
+ description: added flag support for enabling k8up v2 support
diff --git a/charts/lagoon-build-deploy/templates/deployment.yaml b/charts/lagoon-build-deploy/templates/deployment.yaml
index 67cad38b..75d678e6 100644
--- a/charts/lagoon-build-deploy/templates/deployment.yaml
+++ b/charts/lagoon-build-deploy/templates/deployment.yaml
@@ -119,6 +119,9 @@ spec:
 {{- with .Values.lagoonFeatureFlagBackupWeeklyRandom }}
 - "--lagoon-feature-flag-backup-weekly-random={{ . }}"
 {{- end }}
+ {{- with .Values.lagoonFeatureFlagSupportK8upV2 }}
+ - "--lagoon-feature-flag-support-k8upv2={{ . }}"
+ {{- end }}
 {{- with .Values.lagoonBackupDefaultSchedule }}
 - "--backup-default-schedule={{ . }}"
 {{- end }}
diff --git a/charts/lagoon-build-deploy/values.yaml b/charts/lagoon-build-deploy/values.yaml
index 684974f4..ed1d2871 100644
--- a/charts/lagoon-build-deploy/values.yaml
+++ b/charts/lagoon-build-deploy/values.yaml
@@ -48,6 +48,7 @@ namespacePrefix: ""
 # lagoonFeatureFlagDefaultInsights: disabled
 # lagoonFeatureFlagForceRWX2RWO: disabled
 # lagoonFeatureFlagDefaultRWX2RWO: disabled
+# lagoonFeatureFlagSupportK8upV2: false
 # It is also possible to define feature flags using `extraEnvs` by defining them like so
 # this method is useful for enabling features on the fly, ones that might not have built in support
From ca4b60e649bf115464af7858b9867851260ca7ee Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Fri, 6 Oct 2023 10:50:05 +1100
Subject: [PATCH 33/35] chore: update lagoon-build-deploy to v0.25.2
---
 charts/lagoon-remote/Chart.lock | 6 +++---
 charts/lagoon-remote/Chart.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
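Review bot: `{{- with .Values.lagoonFeatureFlagSupportK8upV2 }}` emits the argument only for a truthy value, so the `false` shown in the values.yaml comment in the same commit (`# lagoonFeatureFlagSupportK8upV2: false`) is indistinguishable from the key being unset and `--lagoon-feature-flag-support-k8upv2=false` is never rendered; only `true` or a non-empty string reaches the controller. The neighbouring flags use the same `with` pattern but document string values (`enabled`/`disabled`), so the boolean example here is the odd one out and suggests an explicit opt-out that does not exist. Either document the value as a string like its siblings, or render it whenever the key is present: `{{- if hasKey .Values "lagoonFeatureFlagSupportK8upV2" }}` followed by `- "--lagoon-feature-flag-support-k8upv2={{ .Values.lagoonFeatureFlagSupportK8upV2 }}"`. Whether the controller treats an absent flag as false can only be assumed from the values comment, not verified from this chart.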
diff --git a/charts/lagoon-remote/Chart.lock b/charts/lagoon-remote/Chart.lock
index f2117b14..8d13133e 100644
--- a/charts/lagoon-remote/Chart.lock
+++ b/charts/lagoon-remote/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: lagoon-build-deploy
 repository: https://uselagoon.github.io/lagoon-charts/
- version: 0.25.1
+ version: 0.25.2
 - name: dioscuri
 repository: https://amazeeio.github.io/charts/
 version: 0.4.1
@@ -11,5 +11,5 @@ dependencies:
 - name: nats
 repository: https://nats-io.github.io/k8s/helm/charts/
 version: 0.19.17
-digest: sha256:15cf7820f99a3b67bc9a83db2444f54cc08669616616fb684ef39d0318f2698b
-generated: "2023-10-04T15:53:27.449884473+11:00"
+digest: sha256:8ca3385f69f64eed0be9276ea4fb5b59e13e0caac5777e50bfae80fd6fd29cb0
+generated: "2023-10-06T10:49:35.479733592+11:00"
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index d6063977..56b01e09 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.83.1
+version: 0.83.2
 dependencies:
 - name: lagoon-build-deploy
@@ -45,4 +45,4 @@ dependencies:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: update lagoon-build-deploy to v0.25.1
+ description: update lagoon-build-deploy to v0.25.2
From d1d3aa4e2f5035b829dde023295205cfc55343af Mon Sep 17 00:00:00 2001
From: Toby Bellwood
Date: Tue, 17 Oct 2023 07:33:53 +1100
Subject: [PATCH 34/35] update Lagoon appVersion to v2.16.0 (#603)
---
 Makefile | 2 +-
 charts/lagoon-core/Chart.yaml | 14 ++++----
 charts/lagoon-core/README.md | 2 +-
 charts/lagoon-core/ci/linter-values.yaml | 22 ++++++++++--
 .../templates/api-redis.deployment.yaml | 15 ++++++++
 .../lagoon-core/templates/api-redis.pvc.yaml | 17 +++++++++
 .../lagoon-core/templates/api.deployment.yaml | 6 ++++
 .../templates/keycloak.configmap.yaml | 24 +++++++++++++
 .../templates/keycloak.deployment.yaml | 36 +++++++++++++++++++
 .../templates/opensearch-sync.deployment.yaml | 6 ++++
 .../templates/ssh-portal-api.deployment.yaml | 6 ++++
 .../templates/ssh-token.deployment.yaml | 6 ++++
 .../lagoon-core/templates/ui.deployment.yaml | 14 ++++++--
 charts/lagoon-core/values.yaml | 27 +++++++++++++-
 charts/lagoon-test/Chart.yaml | 6 ++--
 15 files changed, 186 insertions(+), 17 deletions(-)
 create mode 100644 charts/lagoon-core/templates/api-redis.pvc.yaml
 create mode 100644 charts/lagoon-core/templates/keycloak.configmap.yaml
diff --git a/Makefile b/Makefile
index ad11a559..58a6bb69 100644
--- a/Makefile
+++ b/Makefile
@@ -178,7 +178,7 @@ install-lagoon-core: install-minio $$([ $(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE) ] && echo '--set buildDeployImage.default.image=$(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE)') \ $$([ $(DISABLE_CORE_HARBOR) ] && echo '--set api.additionalEnvs.DISABLE_CORE_HARBOR=$(DISABLE_CORE_HARBOR)') \ $$([ $(OPENSEARCH_INTEGRATION_ENABLED) ] && echo '--set api.additionalEnvs.OPENSEARCH_INTEGRATION_ENABLED=$(OPENSEARCH_INTEGRATION_ENABLED)') \ - --set "keycloakAPIURL=http://lagoon-keycloak.$$($(KUBECTL) get nodes -o jsonpath='{.items[0].status.addresses[0].address}').nip.io:32080/auth" \ + --set "keycloakFrontEndURL=http://lagoon-keycloak.$$($(KUBECTL) get nodes -o jsonpath='{.items[0].status.addresses[0].address}').nip.io:32080" \ --set "lagoonAPIURL=http://lagoon-api.$$($(KUBECTL) get nodes -o jsonpath='{.items[0].status.addresses[0].address}').nip.io:32080/graphql" \ --set actionsHandler.image.repository=$(IMAGE_REGISTRY)/actions-handler \ --set api.image.repository=$(IMAGE_REGISTRY)/api \ diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 81aca95b..e78ae75f 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,13 +21,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.36.0 +version: 1.37.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.15.4 +appVersion: v2.16.0 dependencies: - name: nats 
@@ -41,10 +41,12 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: add additional metrics to broker + description: update Lagoon appVersion to v2.16.0 - kind: changed - description: update lagoon-ssh-token and lagoon-ssh-portal-api to v0.30.1 + description: add additional keycloak configuration options - kind: changed - description: update NATS chart dependency to v0.19.17 + description: replace keycloakAPIURL with keycloakFrontEndURL - kind: changed - description: update Lagoon appVersion to v2.15.4 + description: added lagoonWebhookURL to UI deployment + - kind: added + description: added "persistence" option to apiRedis diff --git a/charts/lagoon-core/README.md b/charts/lagoon-core/README.md index eb0451b2..672eefe0 100644 --- a/charts/lagoon-core/README.md +++ b/charts/lagoon-core/README.md @@ -45,7 +45,7 @@ kind create cluster helm upgrade --install --create-namespace --namespace lagoon-core \ --values ./charts/lagoon-core/ci/linter-values.yaml \ --set lagoonAPIURL=http://localhost:7070/graphql \ - --set keycloakAPIURL=http://localhost:8080/auth \ + --set keycloakFrontEndURL=http://localhost:8080 \ lagoon-core \ ./charts/lagoon-core diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index 1c42e096..610c1ce0 100644 --- a/charts/lagoon-core/ci/linter-values.yaml +++ b/charts/lagoon-core/ci/linter-values.yaml @@ -20,8 +20,10 @@ lagoonWebhookURL: http://webhook:11213 defaultIngressClassName: nginx # used in ui -lagoonAPIURL: https://api.example.com/graphql -keycloakAPIURL: https://keycloak.example.com/auth +# lagoonAPIURL: https://api.example.com/graphql +# keycloakFrontEndURL: https://keycloak.example.com + +keycloakAdminEmail: admin@example.com api: replicaCount: 1 
@@ -53,6 +55,22 @@ actionsHandler: repository: uselagoon/actions-handler keycloak: + keycloakFrontEndURL: https://keycloak.example.com + realmSettings: + enabled: true + options: + resetPasswordAllowed: true + rememberMe: true + email: + enabled: true + settings: + host: mailhog + port: '1025' + fromDisplayName: Lagoon + from: lagoon@example.com + replyToDisplayName: Lagoon No-Reply + replyTo: lagoon@example.com + envelopeFrom: lagoon@example.com image: repository: uselagoon/keycloak resources: diff --git a/charts/lagoon-core/templates/api-redis.deployment.yaml b/charts/lagoon-core/templates/api-redis.deployment.yaml index 5d618590..20f7369f 100644 --- a/charts/lagoon-core/templates/api-redis.deployment.yaml +++ b/charts/lagoon-core/templates/api-redis.deployment.yaml @@ -36,6 +36,10 @@ spec: secretKeyRef: name: {{ include "lagoon-core.api.fullname" . }} key: REDIS_PASSWORD + {{- if .Values.apiRedis.persistence.enabled }} + - name: FLAVOR + value: persistent + {{- end }} {{- range $key, $val := .Values.apiRedis.additionalEnvs }} - name: {{ $key }} value: {{ $val | quote }} @@ -43,6 +47,11 @@ spec: ports: - name: redis containerPort: 6379 + {{- if .Values.apiRedis.persistence.enabled }} + volumeMounts: + - name: {{ include "lagoon-core.apiRedis.fullname" . }}-data + mountPath: /data + {{- end }} livenessProbe: tcpSocket: port: redis @@ -51,6 +60,12 @@ spec: port: redis resources: {{- toYaml .Values.apiRedis.resources | nindent 10 }} + {{- if .Values.apiRedis.persistence.enabled }} + volumes: + - name: {{ include "lagoon-core.apiRedis.fullname" . }}-data + persistentVolumeClaim: + claimName: {{ include "lagoon-core.apiRedis.fullname" . }}-data + {{- end }} {{- with .Values.apiRedis.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/lagoon-core/templates/api-redis.pvc.yaml b/charts/lagoon-core/templates/api-redis.pvc.yaml new file mode 100644 index 00000000..0b615321 --- /dev/null +++ b/charts/lagoon-core/templates/api-redis.pvc.yaml 
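Review bot: `keycloakFrontEndURL` is added under the `keycloak:` map in ci/linter-values.yaml, but every template in this commit reads it from the top level as `.Values.keycloakFrontEndURL` (api.deployment.yaml, keycloak.deployment.yaml, ui.deployment.yaml and the ssh/opensearch deployments), so the nested key is never consulted and the lint render falls through to the ingress/service branches. If the intent is to exercise the explicit-URL branch in CI, move it to the top level as `keycloakFrontEndURL: https://keycloak.example.com` (the line this commit comments out in the earlier hunk of the same file); if the fallback branches are what should be linted, drop the nested key so it does not read as a supported option.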
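Review bot: With `persistence.enabled` the api-redis Deployment gains a `ReadWriteOnce` PVC (api-redis.pvc.yaml in this commit, mounted in the second and third hunks of api-redis.deployment.yaml) but keeps Deployment semantics; unless the update strategy is `Recreate` (the strategy is outside these hunks, so I cannot confirm it), a rolling update starts the replacement pod while the old one still holds the RWO volume and the rollout hangs on a multi-node cluster. Consider emitting `strategy: {type: Recreate}` when persistence is enabled, or state in values.yaml that `replicaCount` must stay at 1 and the strategy must be `Recreate` for the persistent flavour.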
@@ -0,0 +1,17 @@ +{{- if .Values.apiRedis.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "lagoon-core.apiRedis.fullname" . }}-data + labels: + {{- include "lagoon-core.apiRedis.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.apiRedis.persistence.size | quote }} + {{- with .Values.apiRedis.persistence.storageClass }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/charts/lagoon-core/templates/api.deployment.yaml b/charts/lagoon-core/templates/api.deployment.yaml index 87bfdd46..5f469bf6 100644 --- a/charts/lagoon-core/templates/api.deployment.yaml +++ b/charts/lagoon-core/templates/api.deployment.yaml @@ -92,7 +92,13 @@ spec: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET - name: KEYCLOAK_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }} + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }} + {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} + {{- end }} - name: KIBANA_URL value: {{ required "A valid .Values.kibanaURL required!" .Values.kibanaURL | quote }} - name: LAGOON_VERSION diff --git a/charts/lagoon-core/templates/keycloak.configmap.yaml b/charts/lagoon-core/templates/keycloak.configmap.yaml new file mode 100644 index 00000000..87d12c99 --- /dev/null +++ b/charts/lagoon-core/templates/keycloak.configmap.yaml 
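Review bot: The new `value: {{ .Values.keycloakFrontEndURL }}` for KEYCLOAK_URL in api.deployment.yaml renders the operator-supplied URL as a bare YAML scalar, whereas the neighbouring KIBANA_URL and the `keycloakAPIURL` line this commit removes from ui.deployment.yaml both used `| quote`. A value containing `: ` or ` #` (or starting with `*` or `&`) would change the YAML structure rather than the string, so I'd keep the chart's convention: `value: {{ .Values.keycloakFrontEndURL | quote }}`. The same unquoted interpolation is repeated in keycloak.deployment.yaml (KEYCLOAK_FRONTEND_URL), opensearch-sync, ssh-portal-api and ssh-token (KEYCLOAK_BASE_URL) and ui.deployment.yaml (KEYCLOAK_API) in this commit; for the variants that append `/auth` or `/`, `value: {{ printf "%s/auth" .Values.keycloakFrontEndURL | quote }}` keeps both the suffix and the quoting.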
@@ -0,0 +1,24 @@ +{{- if .Values.keycloak.email.enabled -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "lagoon-core.keycloak.fullname" . }}-smtp-settings + labels: + {{- include "lagoon-core.keycloak.labels" . | nindent 4 }} +data: + keycloak-smtp-settings.json: | + {"smtpServer":{{ .Values.keycloak.email.settings | toJson }}} +{{ end -}} +{{- if .Values.keycloak.realmSettings.enabled -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "lagoon-core.keycloak.fullname" . }}-realm-settings + labels: + {{- include "lagoon-core.keycloak.labels" . | nindent 4 }} +data: + keycloak-realm-settings.json: | + {{ .Values.keycloak.realmSettings.options | toJson }} +{{ end -}} \ No newline at end of file diff --git a/charts/lagoon-core/templates/keycloak.deployment.yaml b/charts/lagoon-core/templates/keycloak.deployment.yaml index ab2ed50c..fc044c04 100644 --- a/charts/lagoon-core/templates/keycloak.deployment.yaml +++ b/charts/lagoon-core/templates/keycloak.deployment.yaml @@ -41,6 +41,18 @@ spec: value: {{ include "lagoon-core.keycloakDB.fullname" . }} - name: KEYCLOAK_ADMIN_USER value: {{ .Values.keycloakAdminUser | quote }} + - name: KEYCLOAK_FRONTEND_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth + {{- end }} + {{- with .Values.keycloakAdminEmail }} + - name: KEYCLOAK_ADMIN_EMAIL + value: {{ . | quote }} + {{- end }} {{- range $key, $val := .Values.keycloak.additionalEnvs }} - name: {{ $key }} value: {{ $val | quote }} 
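Review bot: keycloak-smtp-settings.json serialises the whole `.Values.keycloak.email.settings` map into a ConfigMap, which becomes the wrong resource type as soon as an operator turns on SMTP authentication: `auth: 'false'` is the shipped default (values.yaml in this commit), and enabling it presumably requires a user and password in the same map, which would then land in a non-Secret object readable by anyone with `get` on configmaps in the namespace. Either render this file as `kind: Secret` with `stringData:` (the volume in keycloak.deployment.yaml would then reference a `secret:` instead of a `configMap:`), or split credentials out into a separately supplied Secret and document that `settings` must not carry them. The realm-settings ConfigMap below has the same `toJson` shape but only carries non-sensitive flags, so it can stay as it is.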
@@ -67,6 +79,17 @@ spec: - /tmp/keycloak-config-complete failureThreshold: 90 periodSeconds: 20 + volumeMounts: + {{- if .Values.keycloak.email.enabled }} + - mountPath: /lagoon/keycloak/keycloak-smtp-settings.json + name: {{ include "lagoon-core.keycloak.fullname" . }}-smtp-settings + subPath: keycloak-smtp-settings.json + {{- end }} + {{- if .Values.keycloak.realmSettings.enabled }} + - mountPath: /lagoon/keycloak/keycloak-realm-settings.json + name: {{ include "lagoon-core.keycloak.fullname" . }}-realm-settings + subPath: keycloak-realm-settings.json + {{- end }} resources: {{- toYaml .Values.keycloak.resources | nindent 10 }} {{- with .Values.keycloak.nodeSelector }} @@ -81,3 +104,16 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + {{- if .Values.keycloak.email.enabled }} + - configMap: + defaultMode: 420 + name: {{ include "lagoon-core.keycloak.fullname" . }}-smtp-settings + name: {{ include "lagoon-core.keycloak.fullname" . }}-smtp-settings + {{- end }} + {{- if .Values.keycloak.realmSettings.enabled }} + - configMap: + defaultMode: 420 + name: {{ include "lagoon-core.keycloak.fullname" . }}-realm-settings + name: {{ include "lagoon-core.keycloak.fullname" . }}-realm-settings + {{- end }} diff --git a/charts/lagoon-core/templates/opensearch-sync.deployment.yaml b/charts/lagoon-core/templates/opensearch-sync.deployment.yaml index 6b6e7bc6..22a29d14 100644 --- a/charts/lagoon-core/templates/opensearch-sync.deployment.yaml +++ b/charts/lagoon-core/templates/opensearch-sync.deployment.yaml 
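Review bot: `volumeMounts:` and, in the second hunk after `tolerations`, `volumes:` are emitted unconditionally while their only children sit inside `{{- if }}` guards, so with both `email.enabled` and `realmSettings.enabled` at their `false` defaults the rendered manifest contains `volumeMounts:` and `volumes:` with null values. The API server tolerates the nulls, but it is a visible change to the default render and trips stricter linters; wrapping each key the same way as its children, `{{- if or .Values.keycloak.email.enabled .Values.keycloak.realmSettings.enabled }}` … `{{- end }}`, keeps the default output identical to before this commit. If the pod spec already declares a `volumes:` key elsewhere (the rest of the template is outside the hunk), the appended block would also be a duplicate key and should be merged into it.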
@@ -45,7 +45,13 @@ spec: name: {{ include "lagoon-core.apiDB.fullname" . }} key: API_DB_PASSWORD - name: KEYCLOAK_BASE_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/ + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/ + {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/ + {{- end }} - name: KEYCLOAK_CLIENT_ID value: lagoon-opensearch-sync - name: KEYCLOAK_CLIENT_SECRET diff --git a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml index cd114421..f9bd5695 100644 --- a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml +++ b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml @@ -48,7 +48,13 @@ spec: value: "true" {{- end }} - name: KEYCLOAK_BASE_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/ + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/ + {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/ + {{- end }} - name: KEYCLOAK_SERVICE_API_CLIENT_SECRET valueFrom: secretKeyRef: diff --git a/charts/lagoon-core/templates/ssh-token.deployment.yaml b/charts/lagoon-core/templates/ssh-token.deployment.yaml index 5df4197d..1f2c0891 100644 --- a/charts/lagoon-core/templates/ssh-token.deployment.yaml +++ b/charts/lagoon-core/templates/ssh-token.deployment.yaml 
@@ -43,7 +43,13 @@ spec: value: "true" {{- end }} - name: KEYCLOAK_BASE_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/ + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/ + {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/ + {{- end }} - name: KEYCLOAK_AUTH_SERVER_CLIENT_SECRET valueFrom: secretKeyRef: diff --git a/charts/lagoon-core/templates/ui.deployment.yaml b/charts/lagoon-core/templates/ui.deployment.yaml index c475cb67..f3779290 100644 --- a/charts/lagoon-core/templates/ui.deployment.yaml +++ b/charts/lagoon-core/templates/ui.deployment.yaml @@ -45,10 +45,18 @@ spec: value: https://{{ index .Values.api.ingress.hosts 0 "host" }}/graphql {{- end }} - name: KEYCLOAK_API - {{- if .Values.keycloakAPIURL }} - value: {{ .Values.keycloakAPIURL | quote }} - {{- else }} + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth + {{- else if .Values.keycloak.ingress.enabled }} value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth + {{- end }} + - name: WEBHOOK_URL + {{- if .Values.lagoonWebhookURL }} + value: {{ .Values.lagoonWebhookURL | quote }} + {{- else }} + value: https://{{ index .Values.webhookHandler.ingress.hosts 0 "host" }} {{- end }} - name: LAGOON_VERSION value: {{ .Chart.AppVersion | replace "-" "." }} diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 5850b605..6b0886e7 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml 
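Review bot: The WEBHOOK_URL fallback in ui.deployment.yaml calls `index .Values.webhookHandler.ingress.hosts 0 "host"` whenever `lagoonWebhookURL` is unset, without first checking `.Values.webhookHandler.ingress.enabled`, unlike the KEYCLOAK_API block just above it which this same hunk turns into a three-way branch. If the webhook-handler ingress is disabled and its `hosts` list is empty (its default is not in this diff), `index` on an empty list fails the render of the whole chart, and when hosts are configured but the ingress is disabled the UI is pointed at a name nothing serves. Mirror the keycloak pattern: `{{- else if .Values.webhookHandler.ingress.enabled }}` for the ingress host and a final `{{- else }}` that builds the in-cluster URL from the chart's `lagoon-core.webhookHandler.fullname` helper and the webhook handler's service port.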
@@ -28,7 +28,7 @@ # These values may be set on install, otherwise the chart tries to guess # sensible defaults. -# keycloakAPIURL: https://keycloak.example.com/auth +# keycloakFrontEndURL: https://keycloak.example.com # lagoonAPIURL: https://api.example.com/graphql # lagoonUIURL: https://ui.example.com # lagoonWebhookURL: https://webhook-handler.example.com @@ -60,6 +60,8 @@ rabbitMQUsername: lagoon k8upS3Endpoint: "" keycloakAdminUser: admin +# this is required if email sending is to be enabled in keycloak +# keycloakAdminEmail: admin@example.com buildDeployImage: edge: @@ -202,11 +204,34 @@ apiRedis: additionalEnvs: # FOO: Bar + persistence: + enabled: false + size: 100Mi + service: type: ClusterIP port: 6379 keycloak: + # keycloak realm and email settings configuration + realmSettings: + enabled: false + # the full list of config settings is available TODO + options: + resetPasswordAllowed: true + rememberMe: true + email: + enabled: false + settings: + host: mailhog + port: '1025' + from: lagoon@example.com + fromDisplayName: Lagoon + replyTo: lagoon@example.com + ssl: 'false' + starttls: 'false' + auth: 'false' + replicaCount: 1 image: repository: uselagoon/keycloak diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml index 076b6886..4a554260 100644 --- a/charts/lagoon-test/Chart.yaml +++ b/charts/lagoon-test/Chart.yaml 
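Review bot: `# the full list of config settings is available TODO` in the new `keycloak.realmSettings` block ships an unfinished sentence as user-facing documentation in values.yaml. Replace it with the actual reference (presumably the Keycloak realm representation fields, given `resetPasswordAllowed` and `rememberMe` are the examples) or drop it. Since `email.settings` is rendered verbatim into a ConfigMap by keycloak.configmap.yaml, a comment above `settings:` such as `# rendered verbatim into a ConfigMap; do not place SMTP credentials in this map` would also stop operators from adding a user/password here when they change `auth`.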
@@ -15,13 +15,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.50.0 +version: 0.51.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.15.4 +appVersion: v2.16.0 # This section is used to collect a changelog for artifacthub.io # It should be started afresh for each release @@ -29,4 +29,4 @@ appVersion: v2.15.4 annotations: artifacthub.io/changes: | - kind: changed - description: update Lagoon appVersion to v2.15.4 + description: update Lagoon appVersion to v2.16.0 From b8612dbd358dff959764f83d70267669047ac633 Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Wed, 18 Oct 2023 08:52:28 +1100 Subject: [PATCH 35/35] Set minimum Kubernetes version to 1.23 and update tests and dependencies (#614) --- .github/workflows/lint-test-matrix.yaml | 5 ++--- .github/workflows/lint-test.yaml | 10 +++++----- .github/workflows/test-suite.yaml | 14 +++++++------- Makefile | 6 +++--- charts/lagoon-build-deploy/Chart.yaml | 8 +++----- charts/lagoon-core/Chart.yaml | 14 ++++---------- charts/lagoon-core/templates/_helpers.tpl | 11 ----------- .../lagoon-core/templates/actions-handler.hpa.yaml | 2 +- charts/lagoon-core/templates/api.hpa.yaml | 2 +- charts/lagoon-core/templates/auth-server.hpa.yaml | 2 +- .../lagoon-core/templates/backup-handler.hpa.yaml | 2 +- charts/lagoon-core/templates/broker.hpa.yaml | 2 +- charts/lagoon-core/templates/drush-alias.hpa.yaml | 2 +- .../templates/insights-handler.hpa.yaml | 2 +- .../templates/logs2notifications.hpa.yaml | 2 +- .../lagoon-core/templates/ssh-portal-api.hpa.yaml | 2 +- charts/lagoon-core/templates/ssh-token.hpa.yaml | 2 +- charts/lagoon-core/templates/ssh.hpa.yaml | 2 +- charts/lagoon-core/templates/ui.hpa.yaml | 2 +- .../lagoon-core/templates/webhook-handler.hpa.yaml | 2 +- .../lagoon-core/templates/webhooks2tasks.hpa.yaml | 2 +- charts/lagoon-docker-host/Chart.yaml | 6 +++--- charts/lagoon-logging/Chart.yaml | 9 +++------ charts/lagoon-logs-concentrator/Chart.yaml | 8 +++++--- .../templates/_helpers.tpl | 11 ----------- charts/lagoon-logs-concentrator/templates/hpa.yaml | 2 +- charts/lagoon-remote/Chart.yaml | 6 +++--- charts/lagoon-test/Chart.yaml | 6 +++--- 28 files changed, 56 insertions(+), 88 deletions(-) diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml index 84d9b17e..4b30c1e2 100644 --- a/.github/workflows/lint-test-matrix.yaml +++ b/.github/workflows/lint-test-matrix.yaml 
@@ -11,12 +11,11 @@ jobs: fail-fast: false matrix: kindest_node_version: - - v1.21.14@sha256:8a4e9bb3f415d2bb81629ce33ef9c76ba514c14d707f9797a01e3216376ba093 - - v1.22.17@sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2 - v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb - v1.24.15@sha256:7db4f8bea3e14b82d12e044e25e34bd53754b7f2b0e9d56df21774e6f66a70ab - v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8 - - v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 + - v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb + - v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 4721000b..adaf9e72 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -87,8 +87,8 @@ jobs: uses: helm/kind-action@v1.8.0 with: version: v0.20.0 - node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb - kubectl_version: v1.26.6 + node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 + kubectl_version: v1.27.3 if: | (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) @@ -107,9 +107,9 @@ jobs: - name: Install gojq run: | cd /tmp - curl -sSLO https://github.com/itchyny/gojq/releases/download/v0.12.10/gojq_v0.12.10_linux_amd64.tar.gz - tar -xf ./gojq_v0.12.10_linux_amd64.tar.gz - sudo cp /tmp/gojq_v0.12.10_linux_amd64/gojq /usr/local/bin/gojq + curl -sSLO https://github.com/itchyny/gojq/releases/download/v0.12.13/gojq_v0.12.13_linux_amd64.tar.gz + tar -xf ./gojq_v0.12.13_linux_amd64.tar.gz + sudo cp /tmp/gojq_v0.12.13_linux_amd64/gojq /usr/local/bin/gojq - name: Run artifacthub.io changelog check run: | 
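Review bot: The gojq install step in lint-test.yaml (second hunk, `curl -sSLO … gojq_v0.12.13_linux_amd64.tar.gz` followed by `sudo cp … /usr/local/bin/gojq`) downloads and installs a release tarball with no integrity check, while the kind node images in the same commit are pinned by sha256 digest. A checksum line between the download and the extract, `echo "<sha256 of gojq_v0.12.13_linux_amd64.tar.gz> gojq_v0.12.13_linux_amd64.tar.gz" | sha256sum -c -`, makes the CI toolchain as pinned as the cluster images; take the digest from upstream's release assets if published there, otherwise record it at bump time. The gojq and kubens downloads in test-suite.yaml in this commit have the same gap and can be fixed the same way.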
diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 5e4be252..ddc97a6d 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -75,9 +75,9 @@ jobs: (contains(github.event.pull_request.labels.*.name, 'needs-testing')) with: version: v0.20.0 - node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb + node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 + kubectl_version: v1.27.3 config: test-suite.kind-config.yaml - kubectl_version: v1.26.6 - name: Check node IP matches kind configuration if: | @@ -107,15 +107,15 @@ jobs: (contains(github.event.pull_request.labels.*.name, 'needs-testing')) run: | cd /tmp - curl -sSLO https://github.com/itchyny/gojq/releases/download/v0.12.12/gojq_v0.12.12_linux_amd64.tar.gz - tar -xf ./gojq_v0.12.12_linux_amd64.tar.gz - sudo cp /tmp/gojq_v0.12.12_linux_amd64/gojq /usr/local/bin/jq + curl -sSLO https://github.com/itchyny/gojq/releases/download/v0.12.13/gojq_v0.12.13_linux_amd64.tar.gz + tar -xf ./gojq_v0.12.13_linux_amd64.tar.gz + sudo cp /tmp/gojq_v0.12.13_linux_amd64/gojq /usr/local/bin/jq - name: Install kubens and kubectl alias run: | cd /tmp - curl -sSLO https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_x86_64.tar.gz - tar -xf ./kubens_v0.9.4_linux_x86_64.tar.gz + curl -sSLO https://github.com/ahmetb/kubectx/releases/download/v0.9.5/kubens_v0.9.5_linux_x86_64.tar.gz + tar -xf ./kubens_v0.9.5_linux_x86_64.tar.gz sudo cp /tmp/kubens /usr/local/bin/kubens sudo ln -s $(which kubectl) /usr/local/bin/kc diff --git a/Makefile b/Makefile index 58a6bb69..fa677c27 100644 --- a/Makefile +++ b/Makefile 
@@ -83,7 +83,7 @@ install-ingress: --set controller.config.hsts="false" \ --set controller.watchIngressWithoutClass=true \ --set controller.ingressClassResource.default=true \ - --version=4.6.1 \ + --version=4.7.2 \ ingress-nginx \ ingress-nginx/ingress-nginx @@ -103,7 +103,7 @@ install-registry: install-ingress --set clair.enabled=false \ --set notary.enabled=false \ --set trivy.enabled=false \ - --version=1.12.1 \ + --version=1.13.0 \ registry \ harbor/harbor @@ -159,7 +159,7 @@ install-minio: install-ingress --timeout $(TIMEOUT) \ --set auth.rootUser=lagoonFilesAccessKey,auth.rootPassword=lagoonFilesSecretKey \ --set defaultBuckets=lagoon-files \ - --version=12.6.0 \ + --version=12.8.7 \ minio \ bitnami/minio diff --git a/charts/lagoon-build-deploy/Chart.yaml b/charts/lagoon-build-deploy/Chart.yaml index d4262503..7dbb8bc2 100644 --- a/charts/lagoon-build-deploy/Chart.yaml +++ b/charts/lagoon-build-deploy/Chart.yaml @@ -12,17 +12,15 @@ maintainers: - name: smlx email: scott.leggett@amazee.io url: https://amazee.io -kubeVersion: ">= 1.21.0-0" +kubeVersion: ">= 1.23.0-0" type: application -version: 0.25.2 +version: 0.26.0 appVersion: v0.15.2 annotations: artifacthub.io/changes: | - kind: changed - description: update remote-controller appVersion to v0.15.2 - - kind: changed - description: added flag support for enabling k8up v2 support + description: require minimum Kubernetes 1.23 diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index e78ae75f..8ed78ecd 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -11,7 +11,7 @@ maintainers: - name: shreddedbacon email: ben.jackson@amazee.io url: https://amazee.io -kubeVersion: ">= 1.21.0-0" +kubeVersion: ">= 1.23.0-0" # Application charts are a collection of templates that can be packaged into # versioned archives to be deployed. 
@@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.37.0 +version: 1.38.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. @@ -41,12 +41,6 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: update Lagoon appVersion to v2.16.0 + description: require minimum Kubernetes 1.23 - kind: changed - description: add additional keycloak configuration options - - kind: changed - description: replace keycloakAPIURL with keycloakFrontEndURL - - kind: changed - description: added lagoonWebhookURL to UI deployment - - kind: added - description: added "persistence" option to apiRedis + description: removed autoscaling api version helper diff --git a/charts/lagoon-core/templates/_helpers.tpl b/charts/lagoon-core/templates/_helpers.tpl index b385141b..d08f1362 100644 --- a/charts/lagoon-core/templates/_helpers.tpl +++ b/charts/lagoon-core/templates/_helpers.tpl @@ -679,14 +679,3 @@ app.kubernetes.io/name: {{ include "lagoon-core.name" . }} app.kubernetes.io/component: {{ include "lagoon-core.sshToken.fullname" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} - -{{/* -Get HorizontalPodAutoscaler API Version - can be removed once Kubernetes 1.23 is the minimum -*/}} -{{- define "lagoon-core.hpa.apiVersion" -}} - {{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}} - autoscaling/v2 - {{- else -}} - autoscaling/v2beta2 - {{- end -}} -{{- end -}} diff --git a/charts/lagoon-core/templates/actions-handler.hpa.yaml b/charts/lagoon-core/templates/actions-handler.hpa.yaml index 0766cf98..f93afefd 100644 --- a/charts/lagoon-core/templates/actions-handler.hpa.yaml +++ b/charts/lagoon-core/templates/actions-handler.hpa.yaml 
@@ -1,5 +1,5 @@ {{- if and .Values.actionsHandler.enabled .Values.actionsHandler.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.actionsHandler.fullname" . }} diff --git a/charts/lagoon-core/templates/api.hpa.yaml b/charts/lagoon-core/templates/api.hpa.yaml index 37c8c9ba..2d63eb10 100644 --- a/charts/lagoon-core/templates/api.hpa.yaml +++ b/charts/lagoon-core/templates/api.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.api.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.api.fullname" . }} diff --git a/charts/lagoon-core/templates/auth-server.hpa.yaml b/charts/lagoon-core/templates/auth-server.hpa.yaml index a921136a..7d811614 100644 --- a/charts/lagoon-core/templates/auth-server.hpa.yaml +++ b/charts/lagoon-core/templates/auth-server.hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.ssh.enabled .Values.authServer.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.authServer.fullname" . }} diff --git a/charts/lagoon-core/templates/backup-handler.hpa.yaml b/charts/lagoon-core/templates/backup-handler.hpa.yaml index dfe335a9..ea9fb2e1 100644 --- a/charts/lagoon-core/templates/backup-handler.hpa.yaml +++ b/charts/lagoon-core/templates/backup-handler.hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.backupHandler.enabled .Values.backupHandler.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.backupHandler.fullname" . }} diff --git a/charts/lagoon-core/templates/broker.hpa.yaml b/charts/lagoon-core/templates/broker.hpa.yaml index 0ac81290..a93c1974 100644 
--- a/charts/lagoon-core/templates/broker.hpa.yaml +++ b/charts/lagoon-core/templates/broker.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.broker.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.broker.fullname" . }} diff --git a/charts/lagoon-core/templates/drush-alias.hpa.yaml b/charts/lagoon-core/templates/drush-alias.hpa.yaml index a5daaa8d..a81ecf03 100644 --- a/charts/lagoon-core/templates/drush-alias.hpa.yaml +++ b/charts/lagoon-core/templates/drush-alias.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.drushAlias.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.drushAlias.fullname" . }} diff --git a/charts/lagoon-core/templates/insights-handler.hpa.yaml b/charts/lagoon-core/templates/insights-handler.hpa.yaml index e17df3ef..f08435c9 100644 --- a/charts/lagoon-core/templates/insights-handler.hpa.yaml +++ b/charts/lagoon-core/templates/insights-handler.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.insightsHandler.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.insightsHandler.fullname" . }} diff --git a/charts/lagoon-core/templates/logs2notifications.hpa.yaml b/charts/lagoon-core/templates/logs2notifications.hpa.yaml index bc7521de..f225e370 100644 --- a/charts/lagoon-core/templates/logs2notifications.hpa.yaml +++ b/charts/lagoon-core/templates/logs2notifications.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.logs2notifications.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.logs2notifications.fullname" . }} 
diff --git a/charts/lagoon-core/templates/ssh-portal-api.hpa.yaml b/charts/lagoon-core/templates/ssh-portal-api.hpa.yaml index 455900f2..849411bd 100644 --- a/charts/lagoon-core/templates/ssh-portal-api.hpa.yaml +++ b/charts/lagoon-core/templates/ssh-portal-api.hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.sshPortalAPI.enabled .Values.sshPortalAPI.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.sshPortalAPI.fullname" . }} diff --git a/charts/lagoon-core/templates/ssh-token.hpa.yaml b/charts/lagoon-core/templates/ssh-token.hpa.yaml index e2c19916..a025a0fb 100644 --- a/charts/lagoon-core/templates/ssh-token.hpa.yaml +++ b/charts/lagoon-core/templates/ssh-token.hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.sshToken.enabled .Values.sshToken.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.sshToken.fullname" . }} diff --git a/charts/lagoon-core/templates/ssh.hpa.yaml b/charts/lagoon-core/templates/ssh.hpa.yaml index fa0b2c57..555fbc6a 100644 --- a/charts/lagoon-core/templates/ssh.hpa.yaml +++ b/charts/lagoon-core/templates/ssh.hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.ssh.enabled .Values.ssh.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.ssh.fullname" . }} diff --git a/charts/lagoon-core/templates/ui.hpa.yaml b/charts/lagoon-core/templates/ui.hpa.yaml index 5dcba06c..b8b7e875 100644 --- a/charts/lagoon-core/templates/ui.hpa.yaml +++ b/charts/lagoon-core/templates/ui.hpa.yaml 
@@ -1,5 +1,5 @@ {{- if and .Values.ui.enabled .Values.ui.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.ui.fullname" . }} diff --git a/charts/lagoon-core/templates/webhook-handler.hpa.yaml b/charts/lagoon-core/templates/webhook-handler.hpa.yaml index 1a16132f..58c428d6 100644 --- a/charts/lagoon-core/templates/webhook-handler.hpa.yaml +++ b/charts/lagoon-core/templates/webhook-handler.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webhookHandler.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.webhookHandler.fullname" . }} diff --git a/charts/lagoon-core/templates/webhooks2tasks.hpa.yaml b/charts/lagoon-core/templates/webhooks2tasks.hpa.yaml index 6e39947a..7a29522e 100644 --- a/charts/lagoon-core/templates/webhooks2tasks.hpa.yaml +++ b/charts/lagoon-core/templates/webhooks2tasks.hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webhooks2tasks.autoscaling.enabled -}} -apiVersion: {{ include "lagoon-core.hpa.apiVersion" . }} +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "lagoon-core.webhooks2tasks.fullname" . }} diff --git a/charts/lagoon-docker-host/Chart.yaml b/charts/lagoon-docker-host/Chart.yaml index 5310513d..3b2e4c57 100644 --- a/charts/lagoon-docker-host/Chart.yaml +++ b/charts/lagoon-docker-host/Chart.yaml @@ -7,7 +7,7 @@ maintainers: - name: shreddedbacon email: ben.jackson@amazee.io url: https://amazee.io -kubeVersion: ">= 1.21.0-0" +kubeVersion: ">= 1.23.0-0" # Application charts are a collection of templates that can be packaged into # versioned archives to be deployed. 
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.1.0
+version: 0.2.0
 appVersion: v3.3.0
@@ -27,4 +27,4 @@ appVersion: v3.3.0
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update lagoon-docker-host to appversion v3.3.0
+      description: require minimum Kubernetes 1.23
diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml
index 76cd9361..475b4c4f 100644
--- a/charts/lagoon-logging/Chart.yaml
+++ b/charts/lagoon-logging/Chart.yaml
@@ -9,7 +9,7 @@ maintainers:
 - name: smlx
   email: scott.leggett@amazee.io
   url: https://amazee.io
-kubeVersion: ">= 1.21.0-0"
+kubeVersion: ">= 1.23.0-0"
 
 # Application charts are a collection of templates that can be packaged into
 # versioned archives to be deployed.
@@ -19,7 +19,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.78.0
+version: 0.79.0
 
 dependencies:
 - name: logging-operator
@@ -33,7 +33,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: bump the logging-operator chart dependency to v4.2.3
-      links:
-      - name: Release Notes
-        url: https://github.com/uselagoon/lagoon-charts/releases/tag/lagoon-logging-0.78.0
+      description: require minimum Kubernetes 1.23
diff --git a/charts/lagoon-logs-concentrator/Chart.yaml b/charts/lagoon-logs-concentrator/Chart.yaml
index 987d3527..cc6a5f7d 100644
--- a/charts/lagoon-logs-concentrator/Chart.yaml
+++ b/charts/lagoon-logs-concentrator/Chart.yaml
@@ -9,7 +9,7 @@ maintainers:
 - name: smlx
   email: scott.leggett@amazee.io
   url: https://amazee.io
-kubeVersion: ">= 1.21.0-0"
+kubeVersion: ">= 1.23.0-0"
 
 # Application charts are a collection of templates that can be packaged into
 # versioned archives to be deployed.
@@ -19,7 +19,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.45.0
+version: 0.46.0
 
 # This section is used to collect a changelog for artifacthub.io
 # It should be started afresh for each release
@@ -27,4 +27,6 @@ version: 0.45.0
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: introduced minimum kubernetes version 1.21
+      description: require minimum Kubernetes 1.23
+    - kind: changed
+      description: removed autoscaling api version helper
diff --git a/charts/lagoon-logs-concentrator/templates/_helpers.tpl b/charts/lagoon-logs-concentrator/templates/_helpers.tpl
index 6c1edd76..e9dfc9e1 100644
--- a/charts/lagoon-logs-concentrator/templates/_helpers.tpl
+++ b/charts/lagoon-logs-concentrator/templates/_helpers.tpl
@@ -61,14 +61,3 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Get HorizontalPodAutoscaler API Version - can be removed once Kubernetes 1.23 is the minimum
-*/}}
-{{- define "lagoon-logs-concentrator.hpa.apiVersion" -}}
-  {{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
-  autoscaling/v2
-  {{- else -}}
-  autoscaling/v2beta2
-  {{- end -}}
-{{- end -}}
diff --git a/charts/lagoon-logs-concentrator/templates/hpa.yaml b/charts/lagoon-logs-concentrator/templates/hpa.yaml
index ee824389..44be3217 100644
--- a/charts/lagoon-logs-concentrator/templates/hpa.yaml
+++ b/charts/lagoon-logs-concentrator/templates/hpa.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: {{ include "lagoon-logs-concentrator.hpa.apiVersion" . }}
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "lagoon-logs-concentrator.fullname" . }}
diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml
index 56b01e09..44e8e444 100644
--- a/charts/lagoon-remote/Chart.yaml
+++ b/charts/lagoon-remote/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
 - name: smlx
   email: scott.leggett@amazee.io
   url: https://amazee.io
-kubeVersion: ">= 1.21.0-0"
+kubeVersion: ">= 1.23.0-0"
 
 # Application charts are a collection of templates that can be packaged into
 # versioned archives to be deployed.
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.83.2
+version: 0.84.0
 
 dependencies:
 - name: lagoon-build-deploy
@@ -45,4 +45,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update lagoon-build-deploy to v0.25.2
+      description: require minimum Kubernetes 1.23
diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml
index 4a554260..836924df 100644
--- a/charts/lagoon-test/Chart.yaml
+++ b/charts/lagoon-test/Chart.yaml
@@ -7,7 +7,7 @@ maintainers:
 - name: smlx
   email: scott.leggett@amazee.io
   url: https://amazee.io
-kubeVersion: ">= 1.21.0-0"
+kubeVersion: ">= 1.23.0-0"
 
 type: application
 
@@ -15,7 +15,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.51.0
+version: 0.52.0
 
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -29,4 +29,4 @@ appVersion: v2.16.0
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update Lagoon appVersion to v2.16.0
+      description: require minimum Kubernetes 1.23