diff --git a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml index 663dd0d..b1e2edb 100644 --- a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml +++ b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml @@ -6,7 +6,7 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: goncharov@osb-alliance.com + email: kgarloff@osb-alliance.com privateKeySecretRef: name: letsencrypt-prodr-account-key solvers: diff --git a/kubernetes/cloudnative-pg/base/kustomization.yaml b/kubernetes/cloudnative-pg/base/kustomization.yaml index 08fcf3d..f660251 100644 --- a/kubernetes/cloudnative-pg/base/kustomization.yaml +++ b/kubernetes/cloudnative-pg/base/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.23/releases/cnpg-1.23.2.yaml + - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.29/releases/cnpg-1.29.1.yaml diff --git a/kubernetes/dep-track/base/kustomization.yaml b/kubernetes/dep-track/base/kustomization.yaml index 6cd4319..904df2e 100644 --- a/kubernetes/dep-track/base/kustomization.yaml +++ b/kubernetes/dep-track/base/kustomization.yaml @@ -4,10 +4,10 @@ kind: Kustomization images: - name: "dependencytrack/apiserver" newName: "docker.io/dependencytrack/apiserver" - newTag: "4.11.7" + newTag: "4.14.2" - name: "dependencytrack/frontend" newName: "docker.io/dependencytrack/frontend" - newTag: "4.11.7" + newTag: "4.14.2" labels: - includeSelectors: true diff --git a/kubernetes/ingress/base/kustomization.yaml b/kubernetes/ingress/base/kustomization.yaml index 5946ee3..111f5ce 100644 --- a/kubernetes/ingress/base/kustomization.yaml +++ b/kubernetes/ingress/base/kustomization.yaml 
@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization #resources: -# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml +# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml # diff --git a/kubernetes/ingress/overlays/mgmt/all.yaml b/kubernetes/ingress/overlays/mgmt/all.yaml index 8da2c2f..1ad5e32 100644 --- a/kubernetes/ingress/overlays/mgmt/all.yaml +++ b/kubernetes/ingress/overlays/mgmt/all.yaml @@ -4,10 +4,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -20,28 +20,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-mgmt-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" - use-forwarded-headers: "true" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -122,10 +120,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -143,10 +141,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
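Review bot: The controller ConfigMap ends up with an empty `data:` in the `@@ -20,28 +20,26 @@` hunk, because `allow-snippet-annotations: "false"` and `use-forwarded-headers: "true"` are removed and nothing replaces them. The generation command recorded in overlays/mgmt/kustomization.yaml passes no values, so this looks like a side effect of regenerating rather than a deliberate change. Snippet annotations then depend on the controller's built-in default, and the controller presumably stops honouring `X-Forwarded-*` headers from whatever sits in front of it, which changes the client address seen by access logs, rate limits and source-range allowlists. If both settings are still wanted, pin them when rendering, e.g. `--set controller.allowSnippetAnnotations=false --set-string controller.config.use-forwarded-headers=true`, and record that in the command comment.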
@@ -237,10 +235,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -260,10 +258,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -287,10 +285,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -322,10 +320,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -343,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -354,13 +352,13 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller @@ -371,18 +369,18 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME @@ -436,6 +434,7 @@ spec: nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx-mgmt + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert 
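Review bot: `--enable-metrics=false` is dropped from the controller args in the `@@ -371,18 +369,18 @@` hunk, so whether the metrics endpoint is served now depends on the default built into controller v1.15.1 rather than on anything stated in this manifest. Please confirm against the v1.15.1 flag reference that metrics stay off, or set the metrics value explicitly when rendering so the intent is visible in review. The same removal appears in overlays/zuul/all.yaml. The container spec continues outside the hunk.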
@@ -447,10 +446,10 @@ apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -470,10 +469,10 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -499,6 +498,7 @@ webhooks: service: name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -511,10 +511,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -529,10 +529,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -554,10 +554,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -580,10 +580,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -606,10 +606,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -632,29 +632,30 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create 
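Review bot: The `create` Job's image changes to `kube-webhook-certgen:v1.6.9` in the `@@ -632,29 +632,30 @@` hunk, but a Job's `spec.template` is immutable, and the `helm.sh/hook-delete-policy` annotations are acted on only by Helm, not by the kustomize build that lists all.yaml as a resource. If the completed Jobs from the previous rollout still exist in the cluster, the apply is likely to be rejected until they are deleted; the same holds for the `patch` Job in the `@@ -691,29 +694,30 @@` hunk and for overlays/zuul/all.yaml. The new `ttlSecondsAfterFinished: 0` removes finished Jobs immediately, which avoids this next time, but a reconciling deploy tool may then re-create and re-run them on every sync, so it is worth checking how the deploy tooling treats these two Jobs.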
@@ -670,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- @@ -691,29 +694,30 @@ metadata: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch 
@@ -731,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/mgmt/kustomization.yaml b/kubernetes/ingress/overlays/mgmt/kustomization.yaml index c45220e..97e0331 100644 --- a/kubernetes/ingress/overlays/mgmt/kustomization.yaml +++ b/kubernetes/ingress/overlays/mgmt/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.30 > kubernetes/ingress/overlays/mgmt/all.yaml` +# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.34 > kubernetes/ingress/overlays/mgmt/all.yaml` resources: - namespace.yaml - all.yaml diff --git a/kubernetes/ingress/overlays/zuul/all.yaml b/kubernetes/ingress/overlays/zuul/all.yaml index 394cc1b..1ad5e32 100644 --- a/kubernetes/ingress/overlays/zuul/all.yaml +++ b/kubernetes/ingress/overlays/zuul/all.yaml 
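Review bot: The `helm template` command recorded in overlays/mgmt/kustomization.yaml does not pin the chart, so re-running it later renders whatever chart version the repository serves at that moment rather than the 4.15.1 that all.yaml now carries. Adding `--version 4.15.1` to the command makes the output reproducible and lets a reviewer diff all.yaml against a known chart release. Any `--set` or values file used when rendering belongs in this comment as well, otherwise the next regeneration silently drops those settings.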
@@ -4,14 +4,14 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx automountServiceAccountToken: true --- @@ -20,30 +20,29 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm - name: ingress-nginx-zuul + name: ingress-nginx-mgmt rules: - apiGroups: - "" 
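Review bot: The zuul overlay now renders the mgmt release: every `ingress-nginx-zuul*` name in this file becomes `ingress-nginx-mgmt*`, and the new blob id in the file header (`1ad5e32`) is the same as the one for kubernetes/ingress/overlays/mgmt/all.yaml, so the two files are byte-identical. That looks like the mgmt output was written to the zuul path; the file should be regenerated with the release name `ingress-nginx-zuul`. As committed, the later hunks rename the ServiceAccounts, the RBAC objects, `--election-id`, the lease `resourceNames`, the Services and the ValidatingWebhookConfiguration, which would leave the existing zuul objects behind (including the LoadBalancer Service) and, if both overlays ever target one cluster, collide on the cluster-scoped names. The zuul ConfigMap also loses `allow-snippet-annotations: "false"` in the `@@ -20,30 +20,29 @@` hunk.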
@@ -121,20 +120,20 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm - name: ingress-nginx-zuul + name: ingress-nginx-mgmt roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: ingress-nginx-zuul + name: ingress-nginx-mgmt subjects: - kind: ServiceAccount - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx --- # Source: ingress-nginx/templates/controller-role.yaml @@ -142,14 +141,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx rules: - apiGroups: @@ -205,7 +204,7 @@ rules: resources: - leases resourceNames: - - ingress-nginx-zuul-leader + - ingress-nginx-mgmt-leader verbs: - get - update 
@@ -236,22 +235,22 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-nginx-zuul + name: ingress-nginx-mgmt subjects: - kind: ServiceAccount - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx --- # Source: ingress-nginx/templates/controller-service-webhook.yaml @@ -259,14 +258,14 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller-admission + name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx spec: type: ClusterIP @@ -277,7 +276,7 @@ spec: appProtocol: https selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller --- # Source: ingress-nginx/templates/controller-service.yaml 
@@ -286,14 +285,14 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx spec: type: LoadBalancer @@ -313,7 +312,7 @@ spec: appProtocol: https selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller --- # Source: ingress-nginx/templates/controller-deployment.yaml @@ -321,20 +320,20 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx spec: selector: matchLabels: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller replicas: 1 revisionHistoryLimit: 10 
@@ -342,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -353,35 +352,35 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-zuul-controller - - --election-id=ingress-nginx-zuul-leader + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller + - --election-id=ingress-nginx-mgmt-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-zuul-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME 
@@ -434,22 +433,23 @@ spec: memory: 90Mi nodeSelector: kubernetes.io/os: linux - serviceAccountName: ingress-nginx-zuul + serviceAccountName: ingress-nginx-mgmt + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert secret: - secretName: ingress-nginx-zuul-admission + secretName: ingress-nginx-mgmt-admission --- # Source: ingress-nginx/templates/controller-ingressclass.yaml apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -469,14 +469,14 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission webhooks: - name: validate.nginx.ingress.kubernetes.io matchPolicy: Equivalent 
@@ -496,24 +496,25 @@ webhooks: - v1 clientConfig: service: - name: ingress-nginx-zuul-controller-admission + name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -523,15 +524,15 @@ automountServiceAccountToken: true apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -548,41 +549,41 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission subjects: - kind: ServiceAccount - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -599,67 +600,68 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission subjects: - kind: ServiceAccount - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-zuul-admission-create + name: ingress-nginx-mgmt-admission-create namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: - name: ingress-nginx-zuul-admission-create + name: ingress-nginx-mgmt-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + 
helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-zuul-controller-admission,ingress-nginx-zuul-controller-admission.$(POD_NAMESPACE).svc + - --host=ingress-nginx-mgmt-controller-admission,ingress-nginx-mgmt-controller-admission.$(POD_NAMESPACE).svc - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-zuul-admission + - --secret-name=ingress-nginx-mgmt-admission env: - name: POD_NAMESPACE valueFrom: @@ -669,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure - serviceAccountName: ingress-nginx-zuul-admission + serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- 
@@ -684,42 +688,43 @@ spec: apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-zuul-admission-patch + name: ingress-nginx-mgmt-admission-patch namespace: ingress-nginx annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: - name: ingress-nginx-zuul-admission-patch + name: ingress-nginx-mgmt-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch - - --webhook-name=ingress-nginx-zuul-admission + - --webhook-name=ingress-nginx-mgmt-admission - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - - --secret-name=ingress-nginx-zuul-admission + - --secret-name=ingress-nginx-mgmt-admission - --patch-failure-policy=Fail env: - name: POD_NAMESPACE 
@@ -730,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure - serviceAccountName: ingress-nginx-zuul-admission + serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/zuul/kustomization.yaml b/kubernetes/ingress/overlays/zuul/kustomization.yaml index 3824697..084ef10 100644 --- a/kubernetes/ingress/overlays/zuul/kustomization.yaml +++ b/kubernetes/ingress/overlays/zuul/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization # all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx # --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx -# --create-namespace --kube-version 1.30 > +# --create-namespace --kube-version 1.34 > # kubernetes/ingress/overlays/mgmt/all.yaml` resources: - namespace.yaml diff --git a/kubernetes/keycloak/base/statefulset.yaml b/kubernetes/keycloak/base/statefulset.yaml index c5dcc73..bc762a5 100644 --- a/kubernetes/keycloak/base/statefulset.yaml +++ b/kubernetes/keycloak/base/statefulset.yaml @@ -131,7 +131,7 @@ spec: initContainers: - name: init-quarkus-directory - image: keycloak/keycloak:24.0.3 + image: keycloak/keycloak:26.6.1 imagePullPolicy: IfNotPresent command: - /bin/bash diff --git a/kubernetes/keycloak/overlays/infra/kustomization.yaml b/kubernetes/keycloak/overlays/infra/kustomization.yaml index 09e9cb9..9134ec3 100644 --- a/kubernetes/keycloak/overlays/infra/kustomization.yaml +++ b/kubernetes/keycloak/overlays/infra/kustomization.yaml @@ -12,7 +12,7 @@ labels: images: - name: keycloak/keycloak newName: quay.io/keycloak/keycloak - newTag: 25.0.2 + newTag: 26.6.1 resources: - pgsql-cloudnative.yaml 
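Review bot: The regeneration command in this comment still names the release `ingress-nginx-mgmt` and writes to `kubernetes/ingress/overlays/mgmt/all.yaml`, although the comment sits in the zuul overlay's kustomization; only `--kube-version` is touched here. The all.yaml hunks above rename every `ingress-nginx-zuul-*` object to `ingress-nginx-mgmt-*`, including the cluster-scoped ClusterRole and ClusterRoleBinding and the admission webhook's service reference. That looks like the file was regenerated by following this command literally, though its file header is outside the visible part, so this is inferred. If both overlays are ever applied to one cluster, those cluster-scoped objects would share names and each release would overwrite the other's admission RBAC and webhook wiring. If the zuul overlay is meant to keep its own release name, the comment should read `helm template ingress-nginx-zuul ingress-nginx ...` with the output path `kubernetes/ingress/overlays/zuul/all.yaml`.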
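Review bot: The initContainer image `keycloak/keycloak:26.6.1` is referenced by a mutable tag and without a registry, and the same holds for `newTag: 26.6.1` in kubernetes/keycloak/overlays/infra/kustomization.yaml, while the git-sync and zookeeper bumps in this commit carry an `@sha256:` digest. With `imagePullPolicy: IfNotPresent`, a re-pushed tag can leave nodes running different builds without any diff in this repository. Following the convention already used for git-sync, the overlay line would become `newTag: "26.6.1@sha256:<digest-of-26.6.1>"` (placeholder, to be taken from the registry), and the base image would name its registry explicitly as the overlay does with `quay.io/keycloak/keycloak`. The initContainer definition continues outside the hunk.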
diff --git a/kubernetes/zuul/base/kustomization.yaml b/kubernetes/zuul/base/kustomization.yaml index d2d3c49..8535b40 100644 --- a/kubernetes/zuul/base/kustomization.yaml +++ b/kubernetes/zuul/base/kustomization.yaml @@ -21,7 +21,7 @@ configMapGenerator: images: - name: "git-sync" newName: "registry.k8s.io/git-sync/git-sync" - newTag: "v4.2.4@sha256:827729ef28026c3aa73aecde6d1757a2e6967996cc64de43b39cf101ac28a9d1" + newTag: "v4.6.0@sha256:228a26d5f55ac5ae9c51635812570ba0073e0b1e0bd8fc3a653a0523b918c092" labels: - includeSelectors: true diff --git a/kubernetes/zuul/components/zookeeper/kustomization.yaml b/kubernetes/zuul/components/zookeeper/kustomization.yaml index f35e7e0..1566b13 100644 --- a/kubernetes/zuul/components/zookeeper/kustomization.yaml +++ b/kubernetes/zuul/components/zookeeper/kustomization.yaml @@ -13,13 +13,14 @@ labels: - includeSelectors: true pairs: app.kubernetes.io/name: "zookeeper" - app.kubernetes.io/version: "3.8.1" + app.kubernetes.io/version: "3.9.5" app.kubernetes.io/part-of: "zuul" images: - name: "zookeeper" #newName: "quay.io/opentelekomcloud/zookeeper" - newTag: "3.9.2@sha256:b34b773e67cf5139de0688f3e0caf2d0316db763d5dde8b8ee6af0bbd91c720c" + #newTag: "3.8.1@sha256:bf742c6e9df263e2245d6a8a487c43bf43d9cd1f685caa07ddecd760f3a21950" + newTag: "3.9.5@sha256:861113a4972110c2258ee3f62807c0eec33235ea3aa3d360da48211ce401e23d" resources: - cert.yaml diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl index 77a1a52..8b4d977 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl @@ -6,7 +6,7 @@ preferences: {} clusters: - name: zuul cluster: -{{- with secret "secret/kubernetes/zuul_k8s" }} +{{- with secret "secret/kubernetes/zuul2_k8s" }} server: "{{ .Data.data.server }}" certificate-authority-data: "{{ .Data.data.ca }}" {{- end }} 
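Review bot: The added commented-out `#newTag` line for 3.8.1 in the zookeeper kustomization does not match the value being replaced, since the removed line pinned 3.9.2. It therefore reads like a rollback target that was never the deployed pin. Either drop the line or state its purpose next to it, for example `# 3.8.1 pin kept for reference only; the previously deployed tag was 3.9.2`. With `newName` also commented out, the image name stays the bare `zookeeper`, so the digest is the only thing tying the deployment to a specific artifact; a short comment naming the registry that digest was taken from would help the next bump.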
@@ -20,7 +20,7 @@ contexts: users: - name: zuul-admin user: -{{- with secret "secret/kubernetes/zuul_k8s" }} +{{- with secret "secret/kubernetes/zuul2_k8s" }} client-certificate-data: "{{ .Data.data.client_crt }}" client-key-data: "{{ .Data.data.client_key }}" {{- end }} diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl index dbe31cc..54ce334 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl @@ -9,4 +9,12 @@ clouds: auth_url: "{{ .Data.data.auth_url }}" application_credential_id: "{{ .Data.data.application_credential_id }}" application_credential_secret: "{{ .Data.data.application_credential_secret }}" +{{- end }} + new_backup: + auth_type: v3applicationcredential + auth: +{{- with secret "secret/clouds/new_infra_backup" }} + auth_url: "{{ .Data.data.auth_url }}" + application_credential_id: "{{ .Data.data.application_credential_id }}" + application_credential_secret: "{{ .Data.data.application_credential_secret }}" {{- end }} diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl index f88f677..2e38ea5 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl @@ -14,14 +14,6 @@ cache: port: 5 floating-ip: 5 clouds: - gx-scs: - auth_type: v3applicationcredential - auth: -{{- with secret "secret/clouds/gx_scs_nodepool_pool1" }} - auth_url: "{{ .Data.data.auth_url }}" - application_credential_id: "{{ .Data.data.application_credential_id }}" - application_credential_secret: "{{ .Data.data.application_credential_secret }}" -{{- end }} gx-scs2: auth_type: v3applicationcredential auth: 
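Review bot: The new `new_backup` entry in clouds-backup.yaml.hcl reads `secret/clouds/new_infra_backup`, and nothing in this diff shows that the Vault role used by the backup agent is allowed to read that path. Further down in the same commit, config-zuul-backup.hcl switches to role `zuul-noris` on mount `auth/kubernetes_noris_zuul`. The two kube.config.hcl hunks have the same dependency on `secret/kubernetes/zuul2_k8s`, which supplies the `zuul-admin` client certificate and key. A denied or missing path only surfaces when the agent renders the template, so the policy for the new role should be confirmed to cover exactly these paths and nothing broader. A comment above the block would record the dependency: `# requires read on secret/clouds/new_infra_backup for Vault role zuul-noris`.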
diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl index e41a40b..3d34114 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl @@ -1,9 +1,9 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl index fb548b0..4f18f65 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl @@ -1,9 +1,9 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl index dee6e74..90c8fdd 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl @@ -1,9 +1,9 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } @@ -30,7 +30,7 @@ listener "unix" { template { destination = "/vault/secrets/connections/github.key" contents = <