diff --git a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml index 663dd0d..b1e2edb 100644 --- a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml +++ b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml @@ -6,7 +6,7 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: goncharov@osb-alliance.com + email: kgarloff@osb-alliance.com privateKeySecretRef: name: letsencrypt-prodr-account-key solvers: diff --git a/kubernetes/cloudnative-pg/base/kustomization.yaml b/kubernetes/cloudnative-pg/base/kustomization.yaml index 08fcf3d..f660251 100644 --- a/kubernetes/cloudnative-pg/base/kustomization.yaml +++ b/kubernetes/cloudnative-pg/base/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.23/releases/cnpg-1.23.2.yaml + - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.29/releases/cnpg-1.29.1.yaml diff --git a/kubernetes/dep-track/base/kustomization.yaml b/kubernetes/dep-track/base/kustomization.yaml index 6cd4319..904df2e 100644 --- a/kubernetes/dep-track/base/kustomization.yaml +++ b/kubernetes/dep-track/base/kustomization.yaml @@ -4,10 +4,10 @@ kind: Kustomization images: - name: "dependencytrack/apiserver" newName: "docker.io/dependencytrack/apiserver" - newTag: "4.11.7" + newTag: "4.14.2" - name: "dependencytrack/frontend" newName: "docker.io/dependencytrack/frontend" - newTag: "4.11.7" + newTag: "4.14.2" labels: - includeSelectors: true diff --git a/kubernetes/ingress/base/kustomization.yaml b/kubernetes/ingress/base/kustomization.yaml index 5946ee3..111f5ce 100644 --- a/kubernetes/ingress/base/kustomization.yaml +++ b/kubernetes/ingress/base/kustomization.yaml 
@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization #resources: -# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml +# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml # diff --git a/kubernetes/ingress/overlays/mgmt/all.yaml b/kubernetes/ingress/overlays/mgmt/all.yaml index 8da2c2f..1ad5e32 100644 --- a/kubernetes/ingress/overlays/mgmt/all.yaml +++ b/kubernetes/ingress/overlays/mgmt/all.yaml @@ -4,10 +4,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -20,28 +20,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-mgmt-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" - use-forwarded-headers: "true" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -122,10 +120,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -143,10 +141,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -237,10 +235,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -260,10 +258,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -287,10 +285,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -322,10 +320,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -343,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -354,13 +352,13 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller @@ -371,18 +369,18 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME @@ -436,6 +434,7 @@ spec: nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx-mgmt + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert 
@@ -447,10 +446,10 @@ apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -470,10 +469,10 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -499,6 +498,7 @@ webhooks: service: name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -511,10 +511,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -529,10 +529,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -554,10 +554,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -580,10 +580,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -606,10 +606,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -632,29 +632,30 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create 
@@ -670,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- @@ -691,29 +694,30 @@ metadata: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch 
@@ -731,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/mgmt/kustomization.yaml b/kubernetes/ingress/overlays/mgmt/kustomization.yaml index c45220e..97e0331 100644 --- a/kubernetes/ingress/overlays/mgmt/kustomization.yaml +++ b/kubernetes/ingress/overlays/mgmt/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.30 > kubernetes/ingress/overlays/mgmt/all.yaml` +# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.34 > kubernetes/ingress/overlays/mgmt/all.yaml` resources: - namespace.yaml - all.yaml diff --git a/kubernetes/ingress/overlays/zuul/all.yaml b/kubernetes/ingress/overlays/zuul/all.yaml index 394cc1b..78ccd11 100644 --- a/kubernetes/ingress/overlays/zuul/all.yaml +++ b/kubernetes/ingress/overlays/zuul/all.yaml @@ -4,10 +4,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
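Review bot: The `helm template` command recorded in the changed comment of kubernetes/ingress/overlays/mgmt/kustomization.yaml has no `--version` and no value overrides, so it does not reproduce the committed all.yaml and will render whichever chart is newest on the next run. In this commit the regenerated mgmt ConfigMap loses `use-forwarded-headers: "true"`, which that command would not have emitted by itself, so an earlier override appears to have been dropped; please confirm this is intended, because it changes how the controller treats `X-Forwarded-*` headers from a fronting proxy or load balancer. `allow-snippet-annotations: "false"` and `--enable-metrics=false` also disappear from both overlays, presumably because the newer chart omits settings that equal the controller default, which is worth verifying against v1.15.1. I would write the comment as `helm template ingress-nginx-mgmt ingress-nginx --version 4.15.1 ...` plus `--set-string controller.config.use-forwarded-headers=true` if that setting is meant to stay; the zuul overlay's kustomization.yaml hunk needs the same `--version` pin.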
@@ -20,27 +20,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-zuul-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-zuul @@ -121,10 +120,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-zuul @@ -142,10 +141,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -236,10 +235,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -259,10 +258,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -286,10 +285,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -321,10 +320,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -342,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -353,13 +352,13 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-zuul-controller @@ -370,18 +369,18 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME @@ -435,6 +434,7 @@ spec: nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx-zuul + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert 
@@ -446,10 +446,10 @@ apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -469,10 +469,10 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -498,6 +498,7 @@ webhooks: service: name: ingress-nginx-zuul-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -510,10 +511,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -528,10 +529,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -553,10 +554,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -579,10 +580,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -605,10 +606,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -631,29 +632,30 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-zuul-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create 
@@ -669,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-zuul-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- @@ -690,29 +694,30 @@ metadata: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-zuul-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch 
@@ -730,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-zuul-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/zuul/kustomization.yaml b/kubernetes/ingress/overlays/zuul/kustomization.yaml index 3824697..e3c7f00 100644 --- a/kubernetes/ingress/overlays/zuul/kustomization.yaml +++ b/kubernetes/ingress/overlays/zuul/kustomization.yaml @@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx +# all.yaml generated with `helm template ingress-nginx-zuul ingress-nginx # --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx -# --create-namespace --kube-version 1.30 > -# kubernetes/ingress/overlays/mgmt/all.yaml` +# --create-namespace --kube-version 1.34 > +# kubernetes/ingress/overlays/zuul/all.yaml` resources: - namespace.yaml - all.yaml diff --git a/kubernetes/keycloak/base/statefulset.yaml b/kubernetes/keycloak/base/statefulset.yaml index c5dcc73..bc762a5 100644 --- a/kubernetes/keycloak/base/statefulset.yaml +++ b/kubernetes/keycloak/base/statefulset.yaml @@ -131,7 +131,7 @@ spec: initContainers: - name: init-quarkus-directory - image: keycloak/keycloak:24.0.3 + image: keycloak/keycloak:26.6.1 imagePullPolicy: IfNotPresent command: - /bin/bash diff --git a/kubernetes/keycloak/overlays/infra/kustomization.yaml b/kubernetes/keycloak/overlays/infra/kustomization.yaml index 09e9cb9..9134ec3 100644 --- a/kubernetes/keycloak/overlays/infra/kustomization.yaml +++ b/kubernetes/keycloak/overlays/infra/kustomization.yaml 
@@ -12,7 +12,7 @@ labels: images: - name: keycloak/keycloak newName: quay.io/keycloak/keycloak - newTag: 25.0.2 + newTag: 26.6.1 resources: - pgsql-cloudnative.yaml