From 4da173eb0ef5a20128f22b932a860ab401f61440 Mon Sep 17 00:00:00 2001
From: Chris Miller <53184971+saschjmil@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:57:19 -0500
Subject: [PATCH 1/7] feat: (PSKD-813) add support for K8s 1.31 (#582)
* feat: (PSKD-951) Update kubectl to version 1.30.6
Signed-off-by: chjmil
* fix: update kubectl download location
Signed-off-by: chjmil
---------
Signed-off-by: chjmil
---
Dockerfile | 4 ++--
docs/user/Dependencies.md | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c393355c..2be237f8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,11 +9,11 @@ RUN apt-get update && apt-get upgrade -y \
 && update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1
 FROM baseline AS tool_builder
-ARG kubectl_version=1.29.8
+ARG kubectl_version=1.30.6
 WORKDIR /build
-RUN curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl
+RUN curl -sLO https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl
 # Installation
 FROM baseline
diff --git a/docs/user/Dependencies.md b/docs/user/Dependencies.md
index 950fd686..0dde394e 100644
--- a/docs/user/Dependencies.md
+++ b/docs/user/Dependencies.md
@@ -13,7 +13,7 @@ The following list details our dependencies and versions (~ indicates multiple p
 | ~ | docker | >=25.0.3 |
 | ~ | git | any |
 | ~ | rsync | any |
-| ~ | kubectl | 1.28 - 1.30 |
+| ~ | kubectl | 1.29 - 1.31 |
 | ~ | Helm | 3.16.2 |
 | pip3 | ansible | 10.5.0 |
 | pip3 | openshift | 0.13.2 |
@@ -49,7 +49,7 @@ As described in the [Docker Installation](./DockerUsage.md) section add addition
 ```bash
 # Override kubectl version
 docker build \
- --build-arg kubectl_version=1.29.8 \
+ --build-arg kubectl_version=1.30.6 \
 -t viya4-deployment .
 ```
From 6e44dbb31fa2e201c75940fc1ec8d58eb67146b5 Mon Sep 17 00:00:00 2001
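Review bot: The rewritten `RUN curl -sLO https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl` line in the tool_builder stage still trusts whatever the server returns: `-s` without `-f` means an HTTP error body gets saved as `kubectl` and marked executable, and nothing compares the binary against a published digest. Since the commit already moves to dl.k8s.io, which serves a `kubectl.sha256` next to each binary, the download can be verified in the same layer: `RUN curl -fsSLO https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl && curl -fsSL https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl.sha256 -o kubectl.sha256 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && chmod 755 ./kubectl`. A failed fetch then fails the build instead of producing an image with a bogus kubectl.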
From: Jeff Owens
Date: Tue, 3 Dec 2024 10:27:29 -0500
Subject: [PATCH 2/7] 580: search for hidden files in cacerts dir (#581)
---
roles/vdm/tasks/tls.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/vdm/tasks/tls.yaml b/roles/vdm/tasks/tls.yaml
index 65bca17a..9278b5ea 100644
--- a/roles/vdm/tasks/tls.yaml
+++ b/roles/vdm/tasks/tls.yaml
@@ -164,6 +164,7 @@
 find:
 paths: "{{ DEPLOY_DIR }}/site-config/vdm/security/cacerts/"
 depth: 2
+ hidden: true
 register: V4_CFG_TLS_TRUSTED_CA_CERT_FILES
 - name: TLS - add customer provided ca cert generator
 overlay_facts:
From fd4e21eb4f9db75fe1485764b9e1b7b3f3e47caf Mon Sep 17 00:00:00 2001
From: Chris Miller <53184971+saschjmil@users.noreply.github.com>
Date: Wed, 11 Dec 2024 11:46:19 -0500
Subject: [PATCH 3/7] feat: (PSKD-881) Update Skopeo Installation (#584)
* feat: (PSKD-881) update skopeo installation
Signed-off-by: chjmil
* feat: (PSKD-881) Update skopeo installation
Signed-off-by: chjmil
* feat: (PSKD-988) add --insecure-policy for skopeo copy
Signed-off-by: chjmil
* chore: linting fix
Signed-off-by: chjmil
* chore: remove extra line
Signed-off-by: chjmil
---------
Signed-off-by: chjmil
---
Dockerfile | 10 +++++++++-
.../tasks/orchestration_tooling.yaml | 2 +-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2be237f8..0ae6add6 100644
--- a/Dockerfile
+++ b/Dockerfile
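Review bot: With `hidden: true` added to the find and no `patterns:` or `excludes:` alongside it, V4_CFG_TLS_TRUSTED_CA_CERT_FILES now also picks up any dotfile that lands in the cacerts directory (a `.gitkeep`, a `.DS_Store`, an editor swap file), and whatever consumes that list — outside this hunk — would try to treat those as CA certificates. If the intent is only to stop skipping dot-prefixed certificate files, constrain the match to the certificate globs the role actually accepts via `patterns:`, or at least add an `excludes:` entry for known noise such as `.gitkeep`. A one-line comment above `hidden: true` saying which customer layout produces hidden cert files would also explain the change to the next reader.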
@@ -15,6 +15,13 @@ WORKDIR /build
 RUN curl -sLO https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl
+# Build Skopeo from source since the version in the apt repository is outdated
+FROM golang:alpine3.20 AS golang
+ARG SKOPEO_VERSION=release-1.16
+RUN apk add --no-cache git build-base containers-common bash btrfs-progs-dev glib-dev go go-md2man gpgme-dev libselinux-dev linux-headers lvm2-dev ostree-dev \
+ && git clone https://github.com/containers/skopeo.git -b $SKOPEO_VERSION \
+ && DISABLE_DOCS=1 make -C skopeo bin/skopeo.linux.386
+
 # Installation
 FROM baseline
 ARG helm_version=3.16.2
@@ -22,7 +29,7 @@ ARG aws_cli_version=2.17.58
 ARG gcp_cli_version=496.0.0-0
 # Add extra packages
-RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git jq ssh sshpass skopeo rsync \
+RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git jq ssh sshpass rsync \
 && rm -f /etc/ssh/ssh_host_rsa_key && rm -f /etc/ssh/ssh_host_ecdsa_key && rm -f /etc/ssh/ssh_host_ed25519_key \
 && curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 755 get-helm-3 \
 && ./get-helm-3 --version v$helm_version --no-sudo \
@@ -41,6 +48,7 @@ RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git j
 && rm -rf /var/lib/apt/lists/*
 COPY --from=tool_builder /build/kubectl /usr/local/bin/kubectl
+COPY --from=golang /go/skopeo/bin/skopeo.linux.386 /usr/local/bin/skopeo
 WORKDIR /viya4-deployment/
 COPY . /viya4-deployment/
diff --git a/roles/orchestration-common/tasks/orchestration_tooling.yaml b/roles/orchestration-common/tasks/orchestration_tooling.yaml
index 785429c1..fd966511 100644
--- a/roles/orchestration-common/tasks/orchestration_tooling.yaml
+++ b/roles/orchestration-common/tasks/orchestration_tooling.yaml
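Review bot: The new `FROM golang:alpine3.20 AS golang` stage is not reproducible as written: `golang:alpine3.20` floats the Go toolchain, `ARG SKOPEO_VERSION=release-1.16` names a branch rather than a tag so `git clone -b $SKOPEO_VERSION` yields whatever that branch holds on build day, and the `apk add` list (which also pulls Alpine's own `go` next to the image's toolchain) is unpinned. Pinning the base to a Go minor tag and `SKOPEO_VERSION` to a skopeo release tag, and echoing `git -C skopeo rev-parse HEAD` in the same RUN so the build log records the exact source, would make the shipped `skopeo` binary attributable. The `bin/skopeo.linux.386` target also needs a why-comment: presumably it is chosen because a 386 cross-build comes out without cgo and so runs on the apt-based `baseline` image despite being built on musl — confirm and state that next to the `make` line, since the existing comment only explains why apt is not used.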
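Review bot: The rewritten `RUN apt-get update && apt-get install ...` instruction still fetches the Helm installer on its continuation line with `curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3` and then executes it; `-k` disables TLS certificate verification, so a script obtained over an unverified connection is run at build time with root privileges. Dropping `-k` and adding `-f` (`curl -fsSLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3`) makes a failed or tampered fetch fail the build instead, and pulling the script from a tagged Helm revision rather than `main` would remove the moving target. The RUN instruction continues past the end of the hunk.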
@@ -75,7 +75,7 @@
 # if the parsed creds contain symbols. This is expected and required to avoid Jinja2 templating issues.
 - name: Orchestration tooling - Download orchestration tooling image
 command: |
- skopeo copy docker://{{ V4_CFG_CR_HOST }}/{{ ORCHESTRATION_IMAGE }} oci-archive:{{ ORCHESTRATION_TOOLING_ARCHIVE }} --src-creds {{ ORCHESTRATION_CR_USER | string }}:{{ ORCHESTRATION_CR_PASSWORD | string }}
+ skopeo copy docker://{{ V4_CFG_CR_HOST }}/{{ ORCHESTRATION_IMAGE }} oci-archive:{{ ORCHESTRATION_TOOLING_ARCHIVE }} --src-creds {{ ORCHESTRATION_CR_USER | string }}:{{ ORCHESTRATION_CR_PASSWORD | string }} --insecure-policy
 when:
 - deployment_tooling == "docker"
 tags:
From 4615bf9e66bcc6616f2e73a78ee3fafd2ec77237 Mon Sep 17 00:00:00 2001
From: David Houck
Date: Thu, 12 Dec 2024 09:10:26 -0500
Subject: [PATCH 4/7] feat: (PSKD-792) Update default version of cert-manager to v1.16.2 (#585)
---
docs/CONFIG-VARS.md | 2 +-
roles/baseline/defaults/main.yml | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index fcf5452f..9df8e9d5 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -374,7 +374,7 @@ Notes:
 | CERT_MANAGER_NAMESPACE | cert-manager Helm installation namespace | string | cert-manager | false | | baseline |
 | CERT_MANAGER_CHART_URL | cert-manager Helm chart URL | string | https://charts.jetstack.io/ | false | | baseline |
 | CERT_MANAGER_CHART_NAME| cert-manager Helm chart name | string | cert-manager| false | | baseline |
-| CERT_MANAGER_CHART_VERSION | cert-manager Helm chart version | string | 1.14.4 | false | | baseline |
+| CERT_MANAGER_CHART_VERSION | cert-manager Helm chart version | string | 1.16.2 | false | | baseline |
 | CERT_MANAGER_CONFIG | cert-manager Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |
 Notes:
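Review bot: `--insecure-policy` on the changed `skopeo copy` line switches off skopeo's signature-policy enforcement for the whole copy; presumably it was added because the source-built skopeo from the Dockerfile change no longer ships the `/etc/containers/policy.json` that the distro package provided, and that reason is recorded nowhere near the line. A narrower fix keeps policy checking on and supplies the file instead — `COPY --from=golang /etc/containers/policy.json /etc/containers/policy.json` in the Dockerfile (the golang stage installs `containers-common`, which I believe provides that default policy; confirm), or an explicit `--policy` pointing at a policy file kept in this repository — so the accepted policy is a reviewed artifact rather than a flag. If the flag stays, give it a why-comment on the line above, e.g. `# --insecure-policy: the image carries no containers policy.json, without which skopeo refuses the copy`. The command also places `ORCHESTRATION_CR_PASSWORD` in argv, which is unchanged here but worth `no_log: true` on the task if it does not already set one (the task's other keys are outside the hunk).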
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 02f5d6ac..5df47f33 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -14,9 +14,10 @@ CERT_MANAGER_NAME: cert-manager
 CERT_MANAGER_NAMESPACE: cert-manager
 CERT_MANAGER_CHART_NAME: cert-manager
 CERT_MANAGER_CHART_URL: https://charts.jetstack.io/
-CERT_MANAGER_CHART_VERSION: 1.14.4
+CERT_MANAGER_CHART_VERSION: 1.16.2
 CERT_MANAGER_CONFIG:
- installCRDs: "true"
+ crds:
+ enabled: true
 extraArgs:
 - --enable-certificate-owner-ref=true
From 18575d2ddd4398158d07a4f0333a607ff665990b Mon Sep 17 00:00:00 2001
From: David Houck
Date: Tue, 17 Dec 2024 10:19:02 -0500
Subject: [PATCH 5/7] feat: (PSKD-957) ingress-nginx configmap changes for v1.12+ (#586)
---
roles/baseline/defaults/main.yml | 12 ++++++++++++
roles/baseline/tasks/ingress-nginx.yaml | 16 ++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 5df47f33..ec37a676 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -98,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
 large-client-header-buffers: 4 32k
 annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+ controller:
+ config:
+ strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for ingress-nginx v1.12+
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+ controller:
+ config:
+ annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index 5530b5ce..45a51f80 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
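Review bot: The switch from `installCRDs: "true"` to `crds.enabled: true` changes more than the key name: in the cert-manager chart versions that introduced `crds.enabled`, the companion `crds.keep` defaults to true as far as I recall, so a `helm uninstall` now leaves the CRDs (and every Certificate and Issuer object) in the cluster, whereas the old setting removed them together with the release. Confirm against chart 1.16.2 and record the outcome next to the new keys, e.g. `# crds.keep defaults to true: CRDs and cert resources survive helm uninstall`. Any uninstall task that relied on the previous behaviour is outside this hunk.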
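Review bot: `annotations-risk-level: "Critical"` in the new INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL block lowers a bar that ingress-nginx v1.12 raised on purpose: as I understand the 1.12 release, the controller now refuses Critical-risk annotations (the `*-snippet` family among them) unless this setting is raised, so shipping Critical as the project default lets any namespace that may create an Ingress feed nginx configuration into the controller again — the same class of issue the INGRESS_NGINX_CVE_2021_25742_PATCH block in this hunk's context is there to mitigate. The comment `# Ingress-nginx - Required for ingress-nginx v1.12+` says the value is required but not for what; it should name the annotation(s) the deployment actually depends on, e.g. `# ingress-nginx v1.12 defaults to High and rejects Critical-risk annotations; the Viya ingress objects use <annotation> so Critical is needed`, and ideally the override should be opt-in rather than the default. The same question applies to `strict-validate-path-type: "false"`, whose comment gives a cadence cutoff but not which path-type those cadences emit.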
@@ -82,6 +82,22 @@
 - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+ when: (V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ tags:
+ - install
+ - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+ when: INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ tags:
+ - install
+ - update
+
 - name: Deploy ingress-nginx
 kubernetes.core.helm:
 name: "{{ INGRESS_NGINX_NAME }}"
From 1b9d0b80540cee4c041e7705a75740ce181ac146 Mon Sep 17 00:00:00 2001
From: David Houck
Date: Tue, 7 Jan 2025 15:15:56 -0500
Subject: [PATCH 6/7] feat: (PSKD-1006) Use ingress-nginx v1.12 for K8s 1.31 support (#587)
Signed-off-by: David.Houck
---
docs/CONFIG-VARS.md | 2 +-
roles/baseline/defaults/main.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 9df8e9d5..594461b5 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
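Review bot: Both new set_fact tasks combine the project default on top of the operator's value — `INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True)` — so anyone who deliberately set `controller.config.annotations-risk-level` (or `strict-validate-path-type`) in their own INGRESS_NGINX_CONFIG has it silently overwritten whenever the chart is >= 4.12.0. Reversing the argument order supplies the default while letting the user's setting win: `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"` in the second task and `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"` in the first. The `when:` on the first task also merits a one-line comment stating why cadences <= 2024.11 other than fast need strict path validation off, since the condition encodes that rule without saying it.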
@@ -419,7 +419,7 @@ The EBS CSI driver is currently only used for kubernetes v1.23 or later AWS EKS
 | INGRESS_NGINX_NAMESPACE | NGINX Ingress Helm installation namespace | string | ingress-nginx | false | | baseline |
 | INGRESS_NGINX_CHART_URL | NGINX Ingress Helm chart URL | string | See [this document](https://kubernetes.github.io/ingress-nginx) for more information. | false | | baseline |
 | INGRESS_NGINX_CHART_NAME | NGINX Ingress Helm chart name | string | ingress-nginx | false | | baseline |
-| INGRESS_NGINX_CHART_VERSION | NGINX Ingress Helm chart version | string | "" | false | If left as "" (empty string), version `4.11.1` is used for Kubernetes clusters whose version is >= 1.26.X, and for Kubernetes clusters whose version is <= 1.25.X please set this variable to avoid errors. See [Supported Versions table](https://github.com/kubernetes/ingress-nginx/?tab=readme-ov-file#supported-versions-table) for the supported versions list. | baseline |
+| INGRESS_NGINX_CHART_VERSION | NGINX Ingress Helm chart version | string | "" | false | If left as "" (empty string), version `4.12.0` is used for Kubernetes clusters whose version is >= 1.28.X, for Kubernetes clusters whose version is <= 1.27.X you must set this variable to avoid errors. See [Supported Versions table](https://github.com/kubernetes/ingress-nginx/?tab=readme-ov-file#supported-versions-table) for the supported versions list. | baseline |
 | INGRESS_NGINX_CONFIG | NGINX Ingress Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. Altering this value will affect the cluster. | false | | baseline |
 ### Metrics Server
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index ec37a676..50061630 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -34,9 +34,9 @@ METRICS_SERVER_CONFIG:
 ## Ingress-nginx - Defaults
 ingressVersions:
 k8sMinorVersion:
- value: 26
+ value: 28
 api:
- chartVersion: 4.11.1
+ chartVersion: 4.12.0
 ## Ingress-nginx - Ingress ##
From ef1ccd0830fc526e630bd7d34e45e0faf8e61f5f Mon Sep 17 00:00:00 2001
From: John Boone <136630698+joboon@users.noreply.github.com>
Date: Fri, 10 Jan 2025 09:23:00 -0500
Subject: [PATCH 7/7] chore: update aws-ebs-csi-driver version (PSKD-667) (#588)
Signed-off-by: John Boone
---
docs/CONFIG-VARS.md | 2 +-
roles/baseline/defaults/main.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 594461b5..57e17aab 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -407,7 +407,7 @@ The EBS CSI driver is currently only used for kubernetes v1.23 or later AWS EKS
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
 | EBS_CSI_DRIVER_CHART_URL | aws ebs csi driver helm chart url | string | https://kubernetes-sigs.github.io/aws-ebs-csi-driver | false | | baseline |
 | EBS_CSI_DRIVER_CHART_NAME| aws ebs csi driver helm chart name | string | aws-ebs-csi-driver | false | | baseline |
-| EBS_CSI_DRIVER_CHART_VERSION | aws ebs csi driver helm chart version | string | 2.11.1 | false | | baseline |
+| EBS_CSI_DRIVER_CHART_VERSION | aws ebs csi driver helm chart version | string | 2.38.1 | false | | baseline |
 | EBS_CSI_DRIVER_CONFIG | aws ebs csi driver helm values | string | see [here](../roles/baseline/defaults/main.yml) | false | | baseline |
 | EBS_CSI_DRIVER_ACCOUNT | cluster autoscaler aws role arn | string | | false | Required to enable the aws ebs csi driver on AWS | baseline |
 | EBS_CSI_DRIVER_LOCATION | aws region where kubernetes cluster resides | string | us-east-1 | false | | baseline |
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 50061630..fb284472 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -196,7 +196,7 @@ EBS_CSI_DRIVER_NAME: aws-ebs-csi-driver
 EBS_CSI_DRIVER_NAMESPACE: kube-system
 EBS_CSI_DRIVER_CHART_NAME: aws-ebs-csi-driver
 EBS_CSI_DRIVER_CHART_URL: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
-EBS_CSI_DRIVER_CHART_VERSION: 2.11.1
+EBS_CSI_DRIVER_CHART_VERSION: 2.38.1
 EBS_CSI_DRIVER_ACCOUNT: null
 EBS_CSI_DRIVER_LOCATION: us-east-1
 EBS_CSI_DRIVER_CONFIG: