From aa379269e5d5dc649e051e6b7134cf9614cb3954 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 14:43:50 +0000 Subject: [PATCH 01/15] Use my own email as cert issuer. Signed-off-by: Kurt Garloff --- kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml index 663dd0d..b1e2edb 100644 --- a/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml +++ b/kubernetes/certmanager-issuer/base/letsencrypt-prod.yaml @@ -6,7 +6,7 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: goncharov@osb-alliance.com + email: kgarloff@osb-alliance.com privateKeySecretRef: name: letsencrypt-prodr-account-key solvers: From 0c883bf9bf4297aac8a77496ae35efb8f6a0acdd Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 14:44:36 +0000 Subject: [PATCH 02/15] cnpg-1.23.2 -> 1.29.1 Signed-off-by: Kurt Garloff --- kubernetes/cloudnative-pg/base/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/cloudnative-pg/base/kustomization.yaml b/kubernetes/cloudnative-pg/base/kustomization.yaml index 08fcf3d..f660251 100644 --- a/kubernetes/cloudnative-pg/base/kustomization.yaml +++ b/kubernetes/cloudnative-pg/base/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.23/releases/cnpg-1.23.2.yaml + - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.29/releases/cnpg-1.29.1.yaml From b78602eca11df47ed89388b73ceaf3f7640217e7 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 14:53:45 +0000 Subject: [PATCH 03/15] Update ingress-ngins to the latest. 
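Review bot: The ACME contact in `certmanager-issuer/base/letsencrypt-prod.yaml` moves from one personal mailbox to another, so notices the CA sends for this account still reach a single person. A role address read by several operators would survive absences and staff changes, for example `email: <team-alias>@osb-alliance.com` (placeholder; no such alias appears on this page). The rest of the issuer spec lies outside the hunk.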
Signed-off-by: Kurt Garloff --- kubernetes/ingress/base/kustomization.yaml | 2 +- kubernetes/ingress/overlays/mgmt/all.yaml | 112 ++++---- .../ingress/overlays/mgmt/kustomization.yaml | 2 +- kubernetes/ingress/overlays/zuul/all.yaml | 239 +++++++++--------- .../ingress/overlays/zuul/kustomization.yaml | 2 +- 5 files changed, 185 insertions(+), 172 deletions(-) diff --git a/kubernetes/ingress/base/kustomization.yaml b/kubernetes/ingress/base/kustomization.yaml index 5946ee3..111f5ce 100644 --- a/kubernetes/ingress/base/kustomization.yaml +++ b/kubernetes/ingress/base/kustomization.yaml @@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization #resources: -# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml +# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml # diff --git a/kubernetes/ingress/overlays/mgmt/all.yaml b/kubernetes/ingress/overlays/mgmt/all.yaml index 8da2c2f..1ad5e32 100644 --- a/kubernetes/ingress/overlays/mgmt/all.yaml +++ b/kubernetes/ingress/overlays/mgmt/all.yaml @@ -4,10 +4,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -20,28 +20,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-mgmt-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" - use-forwarded-headers: "true" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -122,10 +120,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm name: ingress-nginx-mgmt @@ -143,10 +141,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
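Review bot: The ConfigMap hunk leaves `data:` empty, removing both `use-forwarded-headers: "true"` and the explicit `allow-snippet-annotations: "false"` from the mgmt controller. The helm command recorded in `overlays/mgmt/kustomization.yaml` passes no values, so `use-forwarded-headers` looks like a local setting that the regeneration dropped. Without it the controller ignores client-supplied `X-Forwarded-*` headers, which is the safer behaviour behind an L4 load balancer but changes logged client IPs and any source-range allowlists if an L7 proxy sits in front; confirm which case applies. Snippet annotations now depend on the controller's built-in default instead of a value in the repo, and the Deployment hunk (`@@ -354,13 +352,13 @@`) likewise drops `--enable-metrics=false`; the zuul file drops `allow-snippet-annotations` and `--enable-metrics=false` the same way. If these are meant to stay pinned, keep them in a checked-in values file (`controller.config`, `controller.allowSnippetAnnotations`, `controller.metrics.enabled`) passed with `-f`, so they survive the next regeneration.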
@@ -237,10 +235,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -260,10 +258,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -287,10 +285,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -322,10 +320,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller 
@@ -343,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -354,13 +352,13 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller @@ -371,18 +369,18 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME @@ -436,6 +434,7 @@ spec: nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx-mgmt + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert 
@@ -447,10 +446,10 @@ apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -470,10 +469,10 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -499,6 +498,7 @@ webhooks: service: name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -511,10 +511,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -529,10 +529,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -554,10 +554,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -580,10 +580,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -606,10 +606,10 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -632,29 +632,30 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create 
@@ -670,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- @@ -691,29 +694,30 @@ metadata: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: name: ingress-nginx-mgmt-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx-mgmt - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch 
@@ -731,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/mgmt/kustomization.yaml b/kubernetes/ingress/overlays/mgmt/kustomization.yaml index c45220e..97e0331 100644 --- a/kubernetes/ingress/overlays/mgmt/kustomization.yaml +++ b/kubernetes/ingress/overlays/mgmt/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.30 > kubernetes/ingress/overlays/mgmt/all.yaml` +# all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace --kube-version 1.34 > kubernetes/ingress/overlays/mgmt/all.yaml` resources: - namespace.yaml - all.yaml diff --git a/kubernetes/ingress/overlays/zuul/all.yaml b/kubernetes/ingress/overlays/zuul/all.yaml index 394cc1b..1ad5e32 100644 --- a/kubernetes/ingress/overlays/zuul/all.yaml +++ b/kubernetes/ingress/overlays/zuul/all.yaml 
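Review bot: The `helm template` command recorded in the comment of `overlays/mgmt/kustomization.yaml` names no chart version, so rerunning it later renders whatever the repository then serves as latest, not the 4.15.1 manifests committed here. Adding `--version 4.15.1` to the recorded command makes the render reproducible and lets a reviewer diff a fresh render against `all.yaml` to confirm nothing was hand-edited. The command also carries no `-f` or `--set` values, which would explain why `use-forwarded-headers: "true"` from the old mgmt ConfigMap did not come back on regeneration.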
@@ -4,14 +4,14 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx automountServiceAccountToken: true --- @@ -20,30 +20,29 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx data: - allow-snippet-annotations: "false" --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm - name: ingress-nginx-zuul + name: ingress-nginx-mgmt rules: - apiGroups: - "" 
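Review bot: Every resource in `overlays/zuul/all.yaml` is renamed from `ingress-nginx-zuul*` to `ingress-nginx-mgmt*`, and the new blob id on its index line (`1ad5e32`) matches the one for `overlays/mgmt/all.yaml`, so the zuul overlay now appears to be a byte-for-byte copy of the mgmt render. If that is unintended, regenerate with the zuul release name (`helm template ingress-nginx-zuul ingress-nginx ...`) and redirect the output to the zuul path. If both overlays reach the same cluster, they would manage the same cluster-scoped objects (ClusterRole, ClusterRoleBinding, ValidatingWebhookConfiguration `ingress-nginx-mgmt-admission`) and share the leader-election id `ingress-nginx-mgmt-leader`. The old `ingress-nginx-zuul` ServiceAccount, RBAC bindings and LoadBalancer Service would also stay behind unless pruned. This applies to all hunks of the zuul file on this page.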
@@ -121,20 +120,20 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm - name: ingress-nginx-zuul + name: ingress-nginx-mgmt roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: ingress-nginx-zuul + name: ingress-nginx-mgmt subjects: - kind: ServiceAccount - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx --- # Source: ingress-nginx/templates/controller-role.yaml @@ -142,14 +141,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx rules: - apiGroups: @@ -205,7 +204,7 @@ rules: resources: - leases resourceNames: - - ingress-nginx-zuul-leader + - ingress-nginx-mgmt-leader verbs: - get - update 
@@ -236,22 +235,22 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-nginx-zuul + name: ingress-nginx-mgmt subjects: - kind: ServiceAccount - name: ingress-nginx-zuul + name: ingress-nginx-mgmt namespace: ingress-nginx --- # Source: ingress-nginx/templates/controller-service-webhook.yaml @@ -259,14 +258,14 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller-admission + name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx spec: type: ClusterIP @@ -277,7 +276,7 @@ spec: appProtocol: https selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller --- # Source: ingress-nginx/templates/controller-service.yaml 
@@ -286,14 +285,14 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx spec: type: LoadBalancer @@ -313,7 +312,7 @@ spec: appProtocol: https selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller --- # Source: ingress-nginx/templates/controller-deployment.yaml @@ -321,20 +320,20 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-zuul-controller + name: ingress-nginx-mgmt-controller namespace: ingress-nginx spec: selector: matchLabels: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul + app.kubernetes.io/instance: ingress-nginx-mgmt app.kubernetes.io/component: controller replicas: 1 revisionHistoryLimit: 10 
@@ -342,10 +341,10 @@ spec: template: metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -353,35 +352,35 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - - /wait-shutdown + - /wait-shutdown args: - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-zuul-controller - - --election-id=ingress-nginx-zuul-leader + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller + - --election-id=ingress-nginx-mgmt-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-zuul-controller + - --configmap=$(POD_NAMESPACE)/ingress-nginx-mgmt-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false securityContext: runAsNonRoot: true runAsUser: 101 + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - - ALL + - ALL add: - - NET_BIND_SERVICE + - NET_BIND_SERVICE readOnlyRootFilesystem: false env: - name: POD_NAME 
@@ -434,22 +433,23 @@ spec: memory: 90Mi nodeSelector: kubernetes.io/os: linux - serviceAccountName: ingress-nginx-zuul + serviceAccountName: ingress-nginx-mgmt + automountServiceAccountToken: true terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert secret: - secretName: ingress-nginx-zuul-admission + secretName: ingress-nginx-mgmt-admission --- # Source: ingress-nginx/templates/controller-ingressclass.yaml apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller @@ -469,14 +469,14 @@ kind: ValidatingWebhookConfiguration metadata: annotations: labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission webhooks: - name: validate.nginx.ingress.kubernetes.io matchPolicy: Equivalent 
@@ -496,24 +496,25 @@ webhooks: - v1 clientConfig: service: - name: ingress-nginx-zuul-controller-admission + name: ingress-nginx-mgmt-controller-admission namespace: ingress-nginx + port: 443 path: /networking/v1/ingresses --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook @@ -523,15 +524,15 @@ automountServiceAccountToken: true apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -548,41 +549,41 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission subjects: - kind: ServiceAccount - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook 
@@ -599,67 +600,68 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission subjects: - kind: ServiceAccount - name: ingress-nginx-zuul-admission + name: ingress-nginx-mgmt-admission namespace: ingress-nginx --- # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-zuul-admission-create + name: ingress-nginx-mgmt-admission-create namespace: ingress-nginx annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: - name: ingress-nginx-zuul-admission-create + name: ingress-nginx-mgmt-admission-create labels: - helm.sh/chart: ingress-nginx-4.11.1 + 
helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - create - - --host=ingress-nginx-zuul-controller-admission,ingress-nginx-zuul-controller-admission.$(POD_NAMESPACE).svc + - --host=ingress-nginx-mgmt-controller-admission,ingress-nginx-mgmt-controller-admission.$(POD_NAMESPACE).svc - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-zuul-admission + - --secret-name=ingress-nginx-mgmt-admission env: - name: POD_NAMESPACE valueFrom: @@ -669,14 +671,16 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure - serviceAccountName: ingress-nginx-zuul-admission + serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux --- 
@@ -684,42 +688,43 @@ spec: apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-zuul-admission-patch + name: ingress-nginx-mgmt-admission-patch namespace: ingress-nginx annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: + ttlSecondsAfterFinished: 0 template: metadata: - name: ingress-nginx-zuul-admission-patch + name: ingress-nginx-mgmt-admission-patch labels: - helm.sh/chart: ingress-nginx-4.11.1 + helm.sh/chart: ingress-nginx-4.15.1 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx-zuul - app.kubernetes.io/version: "1.11.1" + app.kubernetes.io/instance: ingress-nginx-mgmt + app.kubernetes.io/version: "1.15.1" app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: containers: - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent args: - patch - - --webhook-name=ingress-nginx-zuul-admission + - --webhook-name=ingress-nginx-mgmt-admission - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - - --secret-name=ingress-nginx-zuul-admission + - --secret-name=ingress-nginx-mgmt-admission - --patch-failure-policy=Fail env: - name: POD_NAMESPACE 
@@ -730,13 +735,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true + runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault restartPolicy: OnFailure - serviceAccountName: ingress-nginx-zuul-admission + serviceAccountName: ingress-nginx-mgmt-admission + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/ingress/overlays/zuul/kustomization.yaml b/kubernetes/ingress/overlays/zuul/kustomization.yaml index 3824697..084ef10 100644 --- a/kubernetes/ingress/overlays/zuul/kustomization.yaml +++ b/kubernetes/ingress/overlays/zuul/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization # all.yaml generated with `helm template ingress-nginx-mgmt ingress-nginx # --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx -# --create-namespace --kube-version 1.30 > +# --create-namespace --kube-version 1.34 > # kubernetes/ingress/overlays/mgmt/all.yaml` resources: - namespace.yaml From 0430194425c589f096734f85ee94d60191ef8914 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 14:57:27 +0000 Subject: [PATCH 04/15] Go from keycloak 25.0.2 to keycloak 26.6.1. Initcontainer was outdated before Signed-off-by: Kurt Garloff --- kubernetes/keycloak/base/statefulset.yaml | 2 +- kubernetes/keycloak/overlays/infra/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/keycloak/base/statefulset.yaml b/kubernetes/keycloak/base/statefulset.yaml index c5dcc73..bc762a5 100644 --- a/kubernetes/keycloak/base/statefulset.yaml +++ b/kubernetes/keycloak/base/statefulset.yaml @@ -131,7 +131,7 @@ spec: initContainers: - name: init-quarkus-directory - image: keycloak/keycloak:24.0.3 + image: keycloak/keycloak:26.6.1 imagePullPolicy: IfNotPresent command: - /bin/bash 
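Review bot: The generation comment in `overlays/zuul/kustomization.yaml` still names release `ingress-nginx-mgmt` and output path `kubernetes/ingress/overlays/mgmt/all.yaml`; this hunk only updates `--kube-version`. A comment that documents another overlay's command makes it easy to regenerate this overlay with the wrong release name, which is what the `ingress-nginx-mgmt-*` names in this overlay's `all.yaml` hunks suggest may have happened. The comment should record the command used for this overlay: release name `ingress-nginx-zuul` on its first line and `# kubernetes/ingress/overlays/zuul/all.yaml` on its last.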
diff --git a/kubernetes/keycloak/overlays/infra/kustomization.yaml b/kubernetes/keycloak/overlays/infra/kustomization.yaml index 09e9cb9..9134ec3 100644 --- a/kubernetes/keycloak/overlays/infra/kustomization.yaml +++ b/kubernetes/keycloak/overlays/infra/kustomization.yaml @@ -12,7 +12,7 @@ labels: images: - name: keycloak/keycloak newName: quay.io/keycloak/keycloak - newTag: 25.0.2 + newTag: 26.6.1 resources: - pgsql-cloudnative.yaml From 114a7ef059b5cfe0861508beff88c7970f21b953 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 14:58:44 +0000 Subject: [PATCH 05/15] dependencytrack 4.11.7 -> 4.14.2 Signed-off-by: Kurt Garloff --- kubernetes/dep-track/base/kustomization.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/dep-track/base/kustomization.yaml b/kubernetes/dep-track/base/kustomization.yaml index 6cd4319..904df2e 100644 --- a/kubernetes/dep-track/base/kustomization.yaml +++ b/kubernetes/dep-track/base/kustomization.yaml @@ -4,10 +4,10 @@ kind: Kustomization images: - name: "dependencytrack/apiserver" newName: "docker.io/dependencytrack/apiserver" - newTag: "4.11.7" + newTag: "4.14.2" - name: "dependencytrack/frontend" newName: "docker.io/dependencytrack/frontend" - newTag: "4.11.7" + newTag: "4.14.2" labels: - includeSelectors: true From 803cddd865df8c053e486cface6bb9bf9f16e406 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 15:02:13 +0000 Subject: [PATCH 06/15] Update zuul from 11.2.0 to 14.2.0. Signed-off-by: Kurt Garloff --- kubernetes/zuul/base/kustomization.yaml | 2 +- .../zuul/overlays/zuul_ci/kustomization.yaml | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/kubernetes/zuul/base/kustomization.yaml b/kubernetes/zuul/base/kustomization.yaml index d2d3c49..8535b40 100644 --- a/kubernetes/zuul/base/kustomization.yaml +++ b/kubernetes/zuul/base/kustomization.yaml 
@@ -21,7 +21,7 @@ configMapGenerator: images: - name: "git-sync" newName: "registry.k8s.io/git-sync/git-sync" - newTag: "v4.2.4@sha256:827729ef28026c3aa73aecde6d1757a2e6967996cc64de43b39cf101ac28a9d1" + newTag: "v4.6.0@sha256:228a26d5f55ac5ae9c51635812570ba0073e0b1e0bd8fc3a653a0523b918c092" labels: - includeSelectors: true diff --git a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml index 13f701d..674f492 100644 --- a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml +++ b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml @@ -38,38 +38,38 @@ images: - name: "git-sync" newName: "registry.k8s.io/git-sync/git-sync" - newTag: "v4.2.4@sha256:827729ef28026c3aa73aecde6d1757a2e6967996cc64de43b39cf101ac28a9d1" + newTag: "v4.6.0@sha256:228a26d5f55ac5ae9c51635812570ba0073e0b1e0bd8fc3a653a0523b918c092" - name: "ghcr.io/gtema/openstack" - newTag: "0.6.4@sha256:1fcf0f6268dacd2b0934e7fe1395032d3abc4168895a6ebf9286657d64d6e1ae" + newTag: "sha-a6f68b5@sha256-222b82f765e29c7ff1f9c2f7b0c731ee02ad9e5fcb3b1185cc845af3207296d2" - name: "hashicorp/vault" newName: "quay.io/openbao/openbao" - newTag: "2.0.0@sha256:5eedbca9922d85eca5e4bc68c11f968d245b4046641dd4173c1dcff7ae7091aa" + newTag: "2.5.3@sha256:fdc6da21ca6963560c32336fd7feb9cf2d5e52668f1a1647205a4b41171f0806" - name: "zuul/zuul-executor" newName: "quay.io/zuul-ci/zuul-executor" - newTag: "11.2.0" + newTag: "14.2.0" - name: "zuul/zuul-merger" newName: "quay.io/zuul-ci/zuul-merger" - newTag: "11.2.0" + newTag: "14.2.0" - name: "zuul/zuul-scheduler" newName: "quay.io/zuul-ci/zuul-scheduler" - newTag: "11.2.0" + newTag: "14.2.0" - name: "zuul/zuul-web" newName: "quay.io/zuul-ci/zuul-web" - newTag: "11.2.0" + newTag: "14.2.0" - name: "zuul/nodepool-builder" newName: "quay.io/zuul-ci/nodepool-builder" - newTag: "11.0.0" + newTag: "14.2.0" - name: "zuul/nodepool-launcher" newName: "quay.io/zuul-ci/nodepool-launcher" - newTag: "11.0.0" + newTag: "14.2.0" patches: 
From c65fab516fde6e7110007c00b09eebcd512eb260 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 17:44:35 +0000 Subject: [PATCH 07/15] Request the noris secrets from vault, not wavestack. Signed-off-by: Kurt Garloff --- .../overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl | 2 +- .../overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl | 2 +- .../zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl | 2 +- .../zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl index e41a40b..b73a23c 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl @@ -1,7 +1,7 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { "role" = "zuul" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl index fb548b0..0a4dfea 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl @@ -1,7 +1,7 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { "role" = "zuul" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl index dee6e74..ae0dbcc 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl 
+++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl @@ -1,7 +1,7 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { "role" = "zuul" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl index 98f7d53..9004127 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl @@ -2,7 +2,7 @@ pid_file = "/home/vault/.pid" "auto_auth" = { "method" = { - "mount_path" = "auth/kubernetes_wavestack_zuul" + "mount_path" = "auth/kubernetes_noris_zuul" "config" = { # Here we explicitly request zuul-base role which gives access to # only certain policies From 26d6d5e09c7023367b25659148f72f3d3d6cb4ce Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 17:45:20 +0000 Subject: [PATCH 08/15] Playbooks to only roll out database. This can be used for data migration. Signed-off-by: Kurt Garloff --- .../zuul_ci_dbonly/kustomization.yaml | 55 +++++++++++++++++++ .../zuul_ci_dbonly/pgsql-cloudnative.yaml | 10 ++++ .../zuul/overlays/zuul_ci_dbonly/sa.yaml | 5 ++ 3 files changed, 70 insertions(+) create mode 100644 kubernetes/zuul/overlays/zuul_ci_dbonly/kustomization.yaml create mode 100644 kubernetes/zuul/overlays/zuul_ci_dbonly/pgsql-cloudnative.yaml create mode 100644 kubernetes/zuul/overlays/zuul_ci_dbonly/sa.yaml diff --git a/kubernetes/zuul/overlays/zuul_ci_dbonly/kustomization.yaml b/kubernetes/zuul/overlays/zuul_ci_dbonly/kustomization.yaml new file mode 100644 index 0000000..031c364 --- /dev/null +++ b/kubernetes/zuul/overlays/zuul_ci_dbonly/kustomization.yaml 
@@ -0,0 +1,55 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: zuul-ci + +labels: + - includeSelectors: true + pairs: + app.kubernetes.io/instance: zuul-ci + +images: + - name: "busybox" + newName: "quay.io/prometheus/busybox" + newTag: "latest" + + - name: "git-sync" + newName: "registry.k8s.io/git-sync/git-sync" + newTag: "v4.6.0@sha256:228a26d5f55ac5ae9c51635812570ba0073e0b1e0bd8fc3a653a0523b918c092" + + - name: "ghcr.io/gtema/openstack" + newTag: "sha-a6f68b5@sha256-222b82f765e29c7ff1f9c2f7b0c731ee02ad9e5fcb3b1185cc845af3207296d2" + + - name: "hashicorp/vault" + newName: "quay.io/openbao/openbao" + newTag: "2.5.3@sha256:fdc6da21ca6963560c32336fd7feb9cf2d5e52668f1a1647205a4b41171f0806" + + - name: "zuul/zuul-executor" + newName: "quay.io/zuul-ci/zuul-executor" + newTag: "14.2.0" + + - name: "zuul/zuul-merger" + newName: "quay.io/zuul-ci/zuul-merger" + newTag: "14.2.0" + + - name: "zuul/zuul-scheduler" + newName: "quay.io/zuul-ci/zuul-scheduler" + newTag: "14.2.0" + + - name: "zuul/zuul-web" + newName: "quay.io/zuul-ci/zuul-web" + newTag: "14.2.0" + + - name: "zuul/nodepool-builder" + newName: "quay.io/zuul-ci/nodepool-builder" + newTag: "14.2.0" + + - name: "zuul/nodepool-launcher" + newName: "quay.io/zuul-ci/nodepool-launcher" + newTag: "14.2.0" + + +resources: + - pgsql-cloudnative.yaml + diff --git a/kubernetes/zuul/overlays/zuul_ci_dbonly/pgsql-cloudnative.yaml b/kubernetes/zuul/overlays/zuul_ci_dbonly/pgsql-cloudnative.yaml new file mode 100644 index 0000000..7ab0dc0 --- /dev/null +++ b/kubernetes/zuul/overlays/zuul_ci_dbonly/pgsql-cloudnative.yaml @@ -0,0 +1,10 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: zuul-db +spec: + instances: 2 + + storage: + size: 5Gi + storageClass: csi-cinder-sc-retain diff --git a/kubernetes/zuul/overlays/zuul_ci_dbonly/sa.yaml b/kubernetes/zuul/overlays/zuul_ci_dbonly/sa.yaml new file mode 100644 index 0000000..85ff9fc --- /dev/null 
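Review bot: In the new `zuul_ci_dbonly/kustomization.yaml`, the `ghcr.io/gtema/openstack` entry pins `sha-a6f68b5@sha256-222b…` with a hyphen after `sha256`, which is not a valid digest reference. Patch 13 of this series corrects the same string in `zuul_ci/kustomization.yaml` but leaves this copy. The line should read `newTag: "sha-a6f68b5@sha256:222b82f765e29c7ff1f9c2f7b0c731ee02ad9e5fcb3b1185cc845af3207296d2"`. The `busybox` entry uses `newTag: "latest"`, a mutable tag, while its neighbours are pinned by digest. Since `resources` lists only `pgsql-cloudnative.yaml`, the `images` block may have nothing to rewrite in this overlay and could be dropped instead.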
+++ b/kubernetes/zuul/overlays/zuul_ci_dbonly/sa.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: zuul From 00023f8c4401c7a0ef0a8ca0db493609cb2405fd Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 18:32:58 +0000 Subject: [PATCH 09/15] Use new roles defined in vault. zuul -> zuul-noris zuul-base -> zuul-noris-base Signed-off-by: Kurt Garloff --- .../overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl | 2 +- .../overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl | 2 +- .../zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl | 2 +- .../zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl index b73a23c..3d34114 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-nodepool.hcl @@ -3,7 +3,7 @@ pid_file = "/home/vault/.pid" "method" = { "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl index 0a4dfea..4f18f65 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul-backup.hcl @@ -3,7 +3,7 @@ pid_file = "/home/vault/.pid" "method" = { "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl index ae0dbcc..a0f6813 100644 
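Review bot: `sa.yaml` is added, but the `resources` list of the new `zuul_ci_dbonly/kustomization.yaml` contains only `pgsql-cloudnative.yaml`, so the `zuul` ServiceAccount is not part of the rendered overlay. Either add `- sa.yaml` under `resources:`, or leave the file out of this commit if the database-only rollout does not need the account.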
--- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl @@ -3,7 +3,7 @@ pid_file = "/home/vault/.pid" "method" = { "mount_path" = "auth/kubernetes_noris_zuul" "config" = { - "role" = "zuul" + "role" = "zuul-noris" } "type" = "kubernetes" } diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl index 9004127..14a1685 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/executor-base-vault-agent.hcl @@ -6,7 +6,7 @@ pid_file = "/home/vault/.pid" "config" = { # Here we explicitly request zuul-base role which gives access to # only certain policies - "role" = "zuul-base" + "role" = "zuul-noris-base" } "type" = "kubernetes" } From 100bf9d36b7c187c74abbe33f2460ebf15250431 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 18:51:18 +0000 Subject: [PATCH 10/15] Only use still available clouds and kubernetes clusters. Signed-off-by: Kurt Garloff --- kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl | 4 ++-- .../overlays/zuul_ci/configs/openstack/clouds.yaml.hcl | 8 -------- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl index 77a1a52..8b4d977 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/kube.config.hcl @@ -6,7 +6,7 @@ preferences: {} clusters: - name: zuul cluster: -{{- with secret "secret/kubernetes/zuul_k8s" }} +{{- with secret "secret/kubernetes/zuul2_k8s" }} server: "{{ .Data.data.server }}" certificate-authority-data: "{{ .Data.data.ca }}" {{- end }} 
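Review bot: The comment above the changed line in `executor-base-vault-agent.hcl` still says `zuul-base`, while the role requested is now `zuul-noris-base`. This comment is what documents the executor's reduced policy set, so it should name the role actually used: `# Here we explicitly request zuul-noris-base role which gives access to`. The `auto_auth` block continues outside the hunk.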
@@ -20,7 +20,7 @@ contexts: users: - name: zuul-admin user: -{{- with secret "secret/kubernetes/zuul_k8s" }} +{{- with secret "secret/kubernetes/zuul2_k8s" }} client-certificate-data: "{{ .Data.data.client_crt }}" client-key-data: "{{ .Data.data.client_key }}" {{- end }} diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl index f88f677..2e38ea5 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds.yaml.hcl @@ -14,14 +14,6 @@ cache: port: 5 floating-ip: 5 clouds: - gx-scs: - auth_type: v3applicationcredential - auth: -{{- with secret "secret/clouds/gx_scs_nodepool_pool1" }} - auth_url: "{{ .Data.data.auth_url }}" - application_credential_id: "{{ .Data.data.application_credential_id }}" - application_credential_secret: "{{ .Data.data.application_credential_secret }}" -{{- end }} gx-scs2: auth_type: v3applicationcredential auth: From d6a4b9aa4a2b76fe93488b6672a6bd1d590670f7 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 21:19:52 +0000 Subject: [PATCH 11/15] REvert to 13.1.1 for now. nodepool stays at 11.0.0. Signed-off-by: Kurt Garloff --- kubernetes/zuul/overlays/zuul_ci/kustomization.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml index 674f492..37561ec 100644 --- a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml +++ b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml 
@@ -49,27 +49,27 @@ images: - name: "zuul/zuul-executor" newName: "quay.io/zuul-ci/zuul-executor" - newTag: "14.2.0" + newTag: "13.1.1" - name: "zuul/zuul-merger" newName: "quay.io/zuul-ci/zuul-merger" - newTag: "14.2.0" + newTag: "13.1.1" - name: "zuul/zuul-scheduler" newName: "quay.io/zuul-ci/zuul-scheduler" - newTag: "14.2.0" + newTag: "13.1.1" - name: "zuul/zuul-web" newName: "quay.io/zuul-ci/zuul-web" - newTag: "14.2.0" + newTag: "13.1.1" - name: "zuul/nodepool-builder" newName: "quay.io/zuul-ci/nodepool-builder" - newTag: "14.2.0" + newTag: "11.0.0" - name: "zuul/nodepool-launcher" newName: "quay.io/zuul-ci/nodepool-launcher" - newTag: "14.2.0" + newTag: "11.0.0" patches: From fe9a58a8fd4d74b56102f83df581397652abe5f8 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 21:20:59 +0000 Subject: [PATCH 12/15] Use new secret for github integration. New path in secret/zuul/connections/github2 Signed-off-by: Kurt Garloff --- .../zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl | 2 +- kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl index a0f6813..90c8fdd 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/vault-agent/config-zuul.hcl @@ -30,7 +30,7 @@ listener "unix" { template { destination = "/vault/secrets/connections/github.key" contents = < Date: Wed, 13 May 2026 10:54:05 +0000 Subject: [PATCH 13/15] Back to 14.2.0. Update zookeeper to 3.9.5. Signed-off-by: Kurt Garloff --- .../zuul/components/zookeeper/kustomization.yaml | 5 +++-- kubernetes/zuul/overlays/zuul_ci/kustomization.yaml | 10 +++++----- 2 files changed, 8 insertions(+), 7 deletions(-) 
diff --git a/kubernetes/zuul/components/zookeeper/kustomization.yaml b/kubernetes/zuul/components/zookeeper/kustomization.yaml index f35e7e0..1566b13 100644 --- a/kubernetes/zuul/components/zookeeper/kustomization.yaml +++ b/kubernetes/zuul/components/zookeeper/kustomization.yaml @@ -13,13 +13,14 @@ labels: - includeSelectors: true pairs: app.kubernetes.io/name: "zookeeper" - app.kubernetes.io/version: "3.8.1" + app.kubernetes.io/version: "3.9.5" app.kubernetes.io/part-of: "zuul" images: - name: "zookeeper" #newName: "quay.io/opentelekomcloud/zookeeper" - newTag: "3.9.2@sha256:b34b773e67cf5139de0688f3e0caf2d0316db763d5dde8b8ee6af0bbd91c720c" + #newTag: "3.8.1@sha256:bf742c6e9df263e2245d6a8a487c43bf43d9cd1f685caa07ddecd760f3a21950" + newTag: "3.9.5@sha256:861113a4972110c2258ee3f62807c0eec33235ea3aa3d360da48211ce401e23d" resources: - cert.yaml diff --git a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml index 37561ec..c1f3d81 100644 --- a/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml +++ b/kubernetes/zuul/overlays/zuul_ci/kustomization.yaml @@ -41,7 +41,7 @@ images: newTag: "v4.6.0@sha256:228a26d5f55ac5ae9c51635812570ba0073e0b1e0bd8fc3a653a0523b918c092" - name: "ghcr.io/gtema/openstack" - newTag: "sha-a6f68b5@sha256-222b82f765e29c7ff1f9c2f7b0c731ee02ad9e5fcb3b1185cc845af3207296d2" + newTag: "sha-a6f68b5@sha256:222b82f765e29c7ff1f9c2f7b0c731ee02ad9e5fcb3b1185cc845af3207296d2" - name: "hashicorp/vault" newName: "quay.io/openbao/openbao" 
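Review bot: `app.kubernetes.io/version` is changed inside a `labels` entry that has `includeSelectors: true`, so the new value `"3.9.5"` is also written into the selectors kustomize generates for workloads and Services. Selectors of Deployments and StatefulSets are immutable, so an in-place apply of this bump is likely to be rejected, and every later version bump would hit the same problem. The zookeeper workload manifest is not visible here, so confirm its kind. Moving the version pair into a second `labels` entry with `includeSelectors: false` keeps the label on the objects without tying selectors to the image version. The first apply after that change still alters the selector once.

```yaml
labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: "zookeeper"
      app.kubernetes.io/part-of: "zuul"
  # Version is informational only; keep it out of immutable selectors.
  - includeSelectors: false
    pairs:
      app.kubernetes.io/version: "3.9.5"
```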
@@ -49,19 +49,19 @@ images: - name: "zuul/zuul-executor" newName: "quay.io/zuul-ci/zuul-executor" - newTag: "13.1.1" + newTag: "14.2.0" - name: "zuul/zuul-merger" newName: "quay.io/zuul-ci/zuul-merger" - newTag: "13.1.1" + newTag: "14.2.0" - name: "zuul/zuul-scheduler" newName: "quay.io/zuul-ci/zuul-scheduler" - newTag: "13.1.1" + newTag: "14.2.0" - name: "zuul/zuul-web" newName: "quay.io/zuul-ci/zuul-web" - newTag: "13.1.1" + newTag: "14.2.0" - name: "zuul/nodepool-builder" newName: "quay.io/zuul-ci/nodepool-builder" From 4eae375c6f071e6232ef3c362cbb94ed611c722f Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Wed, 13 May 2026 10:55:11 +0000 Subject: [PATCH 14/15] Include reference to new backup cloud (for swift). Signed-off-by: Kurt Garloff --- .../zuul_ci/configs/openstack/clouds-backup.yaml.hcl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl index dbe31cc..54ce334 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/openstack/clouds-backup.yaml.hcl @@ -9,4 +9,12 @@ clouds: auth_url: "{{ .Data.data.auth_url }}" application_credential_id: "{{ .Data.data.application_credential_id }}" application_credential_secret: "{{ .Data.data.application_credential_secret }}" +{{- end }} + new_backup: + auth_type: v3applicationcredential + auth: +{{- with secret "secret/clouds/new_infra_backup" }} + auth_url: "{{ .Data.data.auth_url }}" + application_credential_id: "{{ .Data.data.application_credential_id }}" + application_credential_secret: "{{ .Data.data.application_credential_secret }}" {{- end }} From b6fc33c02337e7bc003504f40cd7da3f6c9426c1 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Wed, 13 May 2026 10:55:51 +0000 Subject: [PATCH 15/15] Keep commented out main-light.yaml for bootstrapping help. 
Signed-off-by: Kurt Garloff --- kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl b/kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl index fa1422c..38262d3 100644 --- a/kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl +++ b/kubernetes/zuul/overlays/zuul_ci/configs/zuul.conf.hcl @@ -6,6 +6,7 @@ tls_ca=/tls/client/ca.crt session_timeout=40 [scheduler] +#tenant_config=/etc/zuul-config/current/zuul/main-light.yaml tenant_config=/etc/zuul-config/current/zuul/main.yaml state_dir=/var/lib/zuul relative_priority=true