sassoftware · saschjmil · Jan 17, 2025 · Nov 21, 2024 · Dec 3, 2024 · Dec 11, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -9,11 +9,18 @@ RUN apt-get update && apt-get upgrade -y \
   && update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1
 
 FROM baseline AS tool_builder
-ARG kubectl_version=1.29.8
+ARG kubectl_version=1.30.6
 
 WORKDIR /build
 
-RUN curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl
+RUN curl -sLO https://dl.k8s.io/release/v$kubectl_version/bin/linux/amd64/kubectl && chmod 755 ./kubectl
+
+# Build Skopeo from source since the version in the apt repository is outdated
+FROM golang:alpine3.20 AS golang
+ARG SKOPEO_VERSION=release-1.16
+RUN apk add --no-cache git build-base containers-common bash btrfs-progs-dev glib-dev go go-md2man gpgme-dev libselinux-dev linux-headers lvm2-dev ostree-dev \
+  && git clone https://github.com/containers/skopeo.git -b $SKOPEO_VERSION \
+  && DISABLE_DOCS=1 make -C skopeo bin/skopeo.linux.386
 
 # Installation
 FROM baseline
@@ -22,7 +29,7 @@ ARG aws_cli_version=2.17.58
 ARG gcp_cli_version=496.0.0-0
 
 # Add extra packages
-RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git jq ssh sshpass skopeo rsync \
+RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git jq ssh sshpass rsync \
   && rm -f /etc/ssh/ssh_host_rsa_key && rm -f /etc/ssh/ssh_host_ecdsa_key && rm -f /etc/ssh/ssh_host_ed25519_key \
   && curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 755 get-helm-3 \
   && ./get-helm-3 --version v$helm_version --no-sudo \
@@ -41,6 +48,7 @@ RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git j
   && rm -rf /var/lib/apt/lists/*
 
 COPY --from=tool_builder /build/kubectl /usr/local/bin/kubectl
+COPY --from=golang /go/skopeo/bin/skopeo.linux.386 /usr/local/bin/skopeo
 
 WORKDIR /viya4-deployment/
 COPY . /viya4-deployment/

diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -374,7 +374,7 @@ Notes:
 | CERT_MANAGER_NAMESPACE | cert-manager Helm installation namespace | string | cert-manager | false | | baseline |
 | CERT_MANAGER_CHART_URL | cert-manager Helm chart URL | string | https://charts.jetstack.io/ | false | | baseline |
 | CERT_MANAGER_CHART_NAME| cert-manager Helm chart name | string | cert-manager| false | | baseline |
-| CERT_MANAGER_CHART_VERSION | cert-manager Helm chart version | string | 1.14.4 | false | | baseline |
+| CERT_MANAGER_CHART_VERSION | cert-manager Helm chart version | string | 1.16.2 | false | | baseline |
 | CERT_MANAGER_CONFIG | cert-manager Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |
 
 Notes:
@@ -407,7 +407,7 @@ The EBS CSI driver is currently only used for kubernetes v1.23 or later AWS EKS
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
 | EBS_CSI_DRIVER_CHART_URL | aws ebs csi driver helm chart url | string | https://kubernetes-sigs.github.io/aws-ebs-csi-driver | false | | baseline |
 | EBS_CSI_DRIVER_CHART_NAME| aws ebs csi driver helm chart name | string | aws-ebs-csi-driver | false | | baseline |
-| EBS_CSI_DRIVER_CHART_VERSION | aws ebs csi driver helm chart version | string | 2.11.1 | false | | baseline |
+| EBS_CSI_DRIVER_CHART_VERSION | aws ebs csi driver helm chart version | string | 2.38.1 | false | | baseline |
 | EBS_CSI_DRIVER_CONFIG | aws ebs csi driver helm values | string | see [here](../roles/baseline/defaults/main.yml) | false | | baseline |
 | EBS_CSI_DRIVER_ACCOUNT | cluster autoscaler aws role arn | string | | false | Required to enable the aws ebs csi driver on AWS | baseline |
 | EBS_CSI_DRIVER_LOCATION | aws region where kubernetes cluster resides | string | us-east-1 | false | | baseline |
@@ -419,7 +419,7 @@ The EBS CSI driver is currently only used for kubernetes v1.23 or later AWS EKS
 | INGRESS_NGINX_NAMESPACE | NGINX Ingress Helm installation namespace | string | ingress-nginx | false | | baseline |
 | INGRESS_NGINX_CHART_URL | NGINX Ingress Helm chart URL | string | See [this document](https://kubernetes.github.io/ingress-nginx) for more information. | false | | baseline |
 | INGRESS_NGINX_CHART_NAME | NGINX Ingress Helm chart name | string | ingress-nginx | false | | baseline |
-| INGRESS_NGINX_CHART_VERSION | NGINX Ingress Helm chart version | string | "" | false | If left as "" (empty string), version `4.11.1` is used for Kubernetes clusters whose version is >= 1.26.X, and for Kubernetes clusters whose version is <= 1.25.X please set this variable to avoid errors. See [Supported Versions table](https://github.com/kubernetes/ingress-nginx/?tab=readme-ov-file#supported-versions-table) for the supported versions list. | baseline |
+| INGRESS_NGINX_CHART_VERSION | NGINX Ingress Helm chart version | string | "" | false | If left as "" (empty string), version `4.12.0` is used for Kubernetes clusters whose version is >= 1.28.X, for Kubernetes clusters whose version is <= 1.27.X you must set this variable to avoid errors. See [Supported Versions table](https://github.com/kubernetes/ingress-nginx/?tab=readme-ov-file#supported-versions-table) for the supported versions list. | baseline |
 | INGRESS_NGINX_CONFIG | NGINX Ingress Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. Altering this value will affect the cluster. | false | | baseline |
 
 ### Metrics Server

diff --git a/docs/user/Dependencies.md b/docs/user/Dependencies.md
@@ -13,7 +13,7 @@ The following list details our dependencies and versions (~ indicates multiple p
 | ~              | docker           | >=25.0.3     |
 | ~              | git              | any          |
 | ~              | rsync            | any          |
-| ~              | kubectl          | 1.28 - 1.30  |
+| ~              | kubectl          | 1.29 - 1.31  |
 | ~              | Helm             | 3.16.2       |
 | pip3           | ansible          | 10.5.0       |
 | pip3           | openshift        | 0.13.2       |
@@ -49,7 +49,7 @@ As described in the [Docker Installation](./DockerUsage.md) section add addition
 ```bash
 # Override kubectl version
 docker build \
-	--build-arg kubectl_version=1.29.8 \
+	--build-arg kubectl_version=1.30.6 \
 	-t viya4-deployment .
 ```
 

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
@@ -14,9 +14,10 @@ CERT_MANAGER_NAME: cert-manager
 CERT_MANAGER_NAMESPACE: cert-manager
 CERT_MANAGER_CHART_NAME: cert-manager
 CERT_MANAGER_CHART_URL: https://charts.jetstack.io/
-CERT_MANAGER_CHART_VERSION: 1.14.4
+CERT_MANAGER_CHART_VERSION: 1.16.2
 CERT_MANAGER_CONFIG:
-  installCRDs: "true"
+  crds:
+    enabled: true
   extraArgs:
     - --enable-certificate-owner-ref=true
 
@@ -33,9 +34,9 @@ METRICS_SERVER_CONFIG:
 ## Ingress-nginx - Defaults
 ingressVersions:
   k8sMinorVersion:
-    value: 26
+    value: 28
     api:
-      chartVersion: 4.11.1
+      chartVersion: 4.12.0
 
 ## Ingress-nginx - Ingress
 ##
@@ -97,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
       large-client-header-buffers: 4 32k
       annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
 
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+  controller:
+    config:
+      strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for ingress-nginx v1.12+
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+  controller:
+    config:
+      annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client
@@ -183,7 +196,7 @@ EBS_CSI_DRIVER_NAME: aws-ebs-csi-driver
 EBS_CSI_DRIVER_NAMESPACE: kube-system
 EBS_CSI_DRIVER_CHART_NAME: aws-ebs-csi-driver
 EBS_CSI_DRIVER_CHART_URL: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
-EBS_CSI_DRIVER_CHART_VERSION: 2.11.1
+EBS_CSI_DRIVER_CHART_VERSION: 2.38.1
 EBS_CSI_DRIVER_ACCOUNT: null
 EBS_CSI_DRIVER_LOCATION: us-east-1
 EBS_CSI_DRIVER_CONFIG:

diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
@@ -82,6 +82,22 @@
         - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0',
           "<"))
 
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+  set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+  when: (V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+  tags:
+    - install
+    - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+  set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+  when: INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+  tags:
+    - install
+    - update
+
 - name: Deploy ingress-nginx
   kubernetes.core.helm:
     name: "{{ INGRESS_NGINX_NAME }}"

diff --git a/roles/orchestration-common/tasks/orchestration_tooling.yaml b/roles/orchestration-common/tasks/orchestration_tooling.yaml
@@ -75,7 +75,7 @@
 # if the parsed creds contain symbols. This is expected and required to avoid Jinja2 templating issues.
 - name: Orchestration tooling - Download orchestration tooling image
   command: |
-    skopeo copy docker://{{ V4_CFG_CR_HOST }}/{{ ORCHESTRATION_IMAGE }} oci-archive:{{ ORCHESTRATION_TOOLING_ARCHIVE }} --src-creds {{ ORCHESTRATION_CR_USER | string }}:{{ ORCHESTRATION_CR_PASSWORD | string }}
+    skopeo copy docker://{{ V4_CFG_CR_HOST }}/{{ ORCHESTRATION_IMAGE }} oci-archive:{{ ORCHESTRATION_TOOLING_ARCHIVE }} --src-creds {{ ORCHESTRATION_CR_USER | string }}:{{ ORCHESTRATION_CR_PASSWORD | string }} --insecure-policy
   when:
     - deployment_tooling == "docker"
   tags:

diff --git a/roles/vdm/tasks/tls.yaml b/roles/vdm/tasks/tls.yaml
@@ -164,6 +164,7 @@
       find:
         paths: "{{ DEPLOY_DIR }}/site-config/vdm/security/cacerts/"
         depth: 2
+        hidden: true
       register: V4_CFG_TLS_TRUSTED_CA_CERT_FILES
     - name: TLS - add customer provided ca cert generator
       overlay_facts: