diff --git a/charts/argocd/Chart.lock b/charts/argocd/Chart.lock index f8b65043..b1acf52f 100644 --- a/charts/argocd/Chart.lock +++ b/charts/argocd/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm - version: 8.0.1 -digest: sha256:ba6c49d64851ea12a80e5c30e96ce38ebff712aa90678955595479f613e12089 -generated: "2025-05-14T10:23:53.65818767Z" + version: 8.3.0 +digest: sha256:a3c5f60a2784f06beac977cf637cdb1817c49dfdadd81e126467a9c38d7f146f +generated: "2025-08-20T10:25:01.418466408Z" diff --git a/charts/argocd/Chart.yaml b/charts/argocd/Chart.yaml index b29e4f01..b15209e8 100644 --- a/charts/argocd/Chart.yaml +++ b/charts/argocd/Chart.yaml @@ -2,11 +2,11 @@ apiVersion: v2 name: argocd description: A Helm chart for Kubernetes type: application -version: 0.1.3 +version: 0.1.4 appVersion: "2.14.4" dependencies: - name: argo-cd - version: 8.0.1 + version: 8.3.0 repository: "https://argoproj.github.io/argo-helm" alias: argocd maintainers: diff --git a/charts/argocd/README.md b/charts/argocd/README.md index c88faadb..ebd6708d 100644 --- a/charts/argocd/README.md +++ b/charts/argocd/README.md @@ -1,6 +1,6 @@ # argocd -![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.14.4](https://img.shields.io/badge/AppVersion-2.14.4-informational?style=flat-square) +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.14.4](https://img.shields.io/badge/AppVersion-2.14.4-informational?style=flat-square) ## Prerequisites 
@@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argocd(argo-cd) | 8.0.1 | +| https://argoproj.github.io/argo-helm | argocd(argo-cd) | 8.3.0 | ## Maintainers @@ -49,6 +49,7 @@ A Helm chart for Kubernetes | argocd.applicationSet.containerPorts.webhook | int | `7000` | Webhook container port | | argocd.applicationSet.containerSecurityContext | object | See [values.yaml] | ApplicationSet controller container-level security context | | argocd.applicationSet.deploymentAnnotations | object | `{}` | Annotations to be added to ApplicationSet controller Deployment | +| argocd.applicationSet.deploymentLabels | object | `{}` | Labels for the ApplicationSet controller Deployment | | argocd.applicationSet.deploymentStrategy | object | `{}` | Deployment strategy to be added to the ApplicationSet controller Deployment | | argocd.applicationSet.dnsConfig | object | `{}` | [DNS configuration] | | argocd.applicationSet.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for ApplicationSet controller pods | @@ -102,6 +103,7 @@ A Helm chart for Kubernetes | argocd.applicationSet.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.applicationSet.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.applicationSet.name | string | `"applicationset-controller"` | ApplicationSet controller name string | +| argocd.applicationSet.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by ApplicationSet controller | | argocd.applicationSet.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.applicationSet.pdb.annotations | object | `{}` | Annotations to be added to ApplicationSet controller pdb | | argocd.applicationSet.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the ApplicationSet controller | 
@@ -137,6 +139,7 @@ A Helm chart for Kubernetes | argocd.commitServer.automountServiceAccountToken | bool | `false` | Automount API credentials for the Service Account into the pod. | | argocd.commitServer.containerSecurityContext | object | See [values.yaml] | commit server container-level security context | | argocd.commitServer.deploymentAnnotations | object | `{}` | Annotations to be added to commit server Deployment | +| argocd.commitServer.deploymentLabels | object | `{}` | Labels for the commit server Deployment | | argocd.commitServer.deploymentStrategy | object | `{}` | Deployment strategy to be added to the commit server Deployment | | argocd.commitServer.dnsConfig | object | `{}` | [DNS configuration] | | argocd.commitServer.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for commit server pods | @@ -162,6 +165,7 @@ A Helm chart for Kubernetes | argocd.commitServer.metrics.service.servicePort | int | `8087` | Metrics service port | | argocd.commitServer.metrics.service.type | string | `"ClusterIP"` | Metrics service type | | argocd.commitServer.name | string | `"commit-server"` | Commit server name | +| argocd.commitServer.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by commit server | | argocd.commitServer.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.commitServer.podAnnotations | object | `{}` | Annotations for the commit server pods | | argocd.commitServer.podLabels | object | `{}` | Labels for the commit server pods | 
@@ -175,6 +179,8 @@ A Helm chart for Kubernetes | argocd.commitServer.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the commit server | | argocd.commitServer.service.annotations | object | `{}` | commit server service annotations | | argocd.commitServer.service.labels | object | `{}` | commit server service labels | +| argocd.commitServer.service.port | int | `8086` | commit server service port | +| argocd.commitServer.service.portName | string | `"server"` | commit server service port name | | argocd.commitServer.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | argocd.commitServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | argocd.commitServer.serviceAccount.create | bool | `true` | Create commit server service account | @@ -220,6 +226,7 @@ A Helm chart for Kubernetes | argocd.configs.params."controller.self.heal.timeout.seconds" | int | `5` | Specifies timeout between application self heal attempts | | argocd.configs.params."controller.status.processors" | int | `20` | Number of application status processors | | argocd.configs.params."controller.sync.timeout.seconds" | int | `0` | Specifies the timeout after which a sync would be terminated. 0 means no timeout | +| argocd.configs.params."hydrator.enabled" | bool | `false` | Enable the hydrator feature (hydrator is in Alpha phase) | | argocd.configs.params."otlp.address" | string | `""` | Open-Telemetry collector address: (e.g. "otel-collector:4317") | | argocd.configs.params."reposerver.parallelism.limit" | int | `0` | Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. | | argocd.configs.params."server.basehref" | string | `"/"` | Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / | 
@@ -268,6 +275,7 @@ A Helm chart for Kubernetes | argocd.controller.containerPorts.metrics | int | `8082` | Metrics container port | | argocd.controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context | | argocd.controller.deploymentAnnotations | object | `{}` | Annotations for the application controller Deployment | +| argocd.controller.deploymentLabels | object | `{}` | Labels for the application controller Deployment | | argocd.controller.dnsConfig | object | `{}` | [DNS configuration] | | argocd.controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods | | argocd.controller.dynamicClusterDistribution | bool | `false` | Enable dynamic cluster distribution (alpha) Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution # This is done using a deployment instead of a statefulSet # When replicas are added or removed, the sharding algorithm is re-run to ensure that the # clusters are distributed according to the algorithm. If the algorithm is well-balanced, # like round-robin, then the shards will be well-balanced. | 
@@ -311,6 +319,7 @@ A Helm chart for Kubernetes | argocd.controller.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.controller.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.controller.name | string | `"application-controller"` | Application controller name string | +| argocd.controller.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by application controller | | argocd.controller.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.controller.pdb.annotations | object | `{}` | Annotations to be added to application controller pdb | | argocd.controller.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the application controller | @@ -340,7 +349,7 @@ A Helm chart for Kubernetes | argocd.controller.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the application controller # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ # If labelSelector is left out, it will default to the labelSelector configuration of the deployment | | argocd.controller.volumeMounts | list | `[]` | Additional volumeMounts to the application controller main container | | argocd.controller.volumes | list | `[]` | Additional volumes to the application controller pod | -| argocd.crds.additionalLabels | object | `{}` | Addtional labels to be added to all CRDs | +| argocd.crds.additionalLabels | object | `{}` | Additional labels to be added to all CRDs | | argocd.crds.annotations | object | `{}` | Annotations to be added to all CRDs | | argocd.crds.install | bool | `true` | Install and upgrade CRDs | | argocd.crds.keep | bool | `true` | Keep CRDs on chart uninstall | 
@@ -359,6 +368,7 @@ A Helm chart for Kubernetes | argocd.dex.containerPorts.metrics | int | `5558` | Metrics container port | | argocd.dex.containerSecurityContext | object | See [values.yaml] | Dex container-level security context | | argocd.dex.deploymentAnnotations | object | `{}` | Annotations to be added to the Dex server Deployment | +| argocd.dex.deploymentLabels | object | `{}` | Labels for the Dex server Deployment | | argocd.dex.deploymentStrategy | object | `{}` | Deployment strategy to be added to the Dex server Deployment | | argocd.dex.dnsConfig | object | `{}` | [DNS configuration] | | argocd.dex.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Dex server pods | @@ -370,7 +380,7 @@ A Helm chart for Kubernetes | argocd.dex.extraContainers | list | `[]` | Additional containers to be added to the dex pod # Note: Supports use of custom Helm templates | | argocd.dex.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Dex imagePullPolicy | | argocd.dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Dex image repository | -| argocd.dex.image.tag | string | `"v2.42.1"` | Dex image tag | +| argocd.dex.image.tag | string | `"v2.43.1"` | Dex image tag | | argocd.dex.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | argocd.dex.initContainers | list | `[]` | Init containers to add to the dex pod # Note: Supports use of custom Helm templates | | argocd.dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy | 
@@ -402,6 +412,7 @@ A Helm chart for Kubernetes | argocd.dex.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.dex.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.dex.name | string | `"dex-server"` | Dex name | +| argocd.dex.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by Dex server | | argocd.dex.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.dex.pdb.annotations | object | `{}` | Annotations to be added to Dex server pdb | | argocd.dex.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Dex server | 
@@ -436,7 +447,7 @@ A Helm chart for Kubernetes | argocd.dex.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to dex # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ # If labelSelector is left out, it will default to the labelSelector configuration of the deployment | | argocd.dex.volumeMounts | list | `[]` | Additional volumeMounts to the dex main container | | argocd.dex.volumes | list | `[]` | Additional volumes to the dex pod | -| argocd.externalRedis.existingSecret | string | `""` | The name of an existing secret with Redis (must contain key `redis-password`) and Sentinel credentials. When it's set, the `externalRedis.password` parameter is ignored | +| argocd.externalRedis.existingSecret | string | `""` | The name of an existing secret with Redis (must contain key `redis-password`. And should contain `redis-username` if username is not `default`) and Sentinel credentials. When it's set, the `externalRedis.username` and `externalRedis.password` parameters are ignored | | argocd.externalRedis.host | string | `""` | External Redis server host | | argocd.externalRedis.password | string | `""` | External Redis password | | argocd.externalRedis.port | int | `6379` | External Redis server port | 
@@ -451,6 +462,7 @@ A Helm chart for Kubernetes | argocd.global.affinity.podAntiAffinity | string | `"soft"` | Default pod anti-affinity rules. Either: `none`, `soft` or `hard` | | argocd.global.certificateAnnotations | object | `{}` | Annotations for the all deployed Certificates | | argocd.global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments | +| argocd.global.deploymentLabels | object | `{}` | Labels for the all deployed Deployments | | argocd.global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments | | argocd.global.domain | string | `"argocd.example.com"` | Default domain used by all components # Used for ingresses, certificates, SSO, notifications, etc. | | argocd.global.dualStack.ipFamilies | list | `[]` | IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. | @@ -487,6 +499,7 @@ A Helm chart for Kubernetes | argocd.notifications.containerSecurityContext | object | See [values.yaml] | Notification controller container-level security Context | | argocd.notifications.context | object | `{}` | Define user-defined context # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/#defining-user-defined-context | | argocd.notifications.deploymentAnnotations | object | `{}` | Annotations to be applied to the notifications controller Deployment | +| argocd.notifications.deploymentLabels | object | `{}` | Labels for the notifications controller Deployment | | argocd.notifications.deploymentStrategy | object | `{"type":"Recreate"}` | Deployment strategy to be added to the notifications controller Deployment | | argocd.notifications.dnsConfig | object | `{}` | [DNS configuration] | | argocd.notifications.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for notifications controller Pods | 
@@ -525,6 +538,7 @@ A Helm chart for Kubernetes | argocd.notifications.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.notifications.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.notifications.name | string | `"notifications-controller"` | Notifications controller name string | +| argocd.notifications.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by notifications controller | | argocd.notifications.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.notifications.notifiers | object | See [values.yaml] | Configures notification services such as slack, email or custom webhook # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/ | | argocd.notifications.pdb.annotations | object | `{}` | Annotations to be added to notifications controller pdb | 
@@ -568,17 +582,18 @@ A Helm chart for Kubernetes | argocd.redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. | | argocd.redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | | argocd.redis-ha.exporter.image | string | `"ghcr.io/oliver006/redis_exporter"` | Repository to use for the redis-exporter | -| argocd.redis-ha.exporter.tag | string | `"v1.69.0"` | Tag to use for the redis-exporter | +| argocd.redis-ha.exporter.tag | string | `"v1.75.0"` | Tag to use for the redis-exporter | | argocd.redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. | | argocd.redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. | | argocd.redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context | | argocd.redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy | | argocd.redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. | +| argocd.redis-ha.haproxy.image.repository | string | `"ecr-public.aws.com/docker/library/haproxy"` | HAProxy Image Repository | | argocd.redis-ha.haproxy.labels | object | `{"app.kubernetes.io/name":"argocd-redis-ha-haproxy"}` | Custom labels for the haproxy pod. This is relevant for Argo CD CLI. | | argocd.redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping | | argocd.redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. | | argocd.redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. 
| -| argocd.redis-ha.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | +| argocd.redis-ha.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argocd.redis-ha.image.tag | string | `"7.2.8-alpine"` | Redis tag # Do not upgrade to >= 7.4.0, otherwise you are no longer using an open source version of Redis | | argocd.redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes | | argocd.redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) | @@ -596,6 +611,7 @@ A Helm chart for Kubernetes | argocd.redis.containerPorts.redis | int | `6379` | Redis container port | | argocd.redis.containerSecurityContext | object | See [values.yaml] | Redis container-level security context | | argocd.redis.deploymentAnnotations | object | `{}` | Annotations to be added to the Redis server Deployment | +| argocd.redis.deploymentLabels | object | `{}` | Labels for the Redis server Deployment | | argocd.redis.dnsConfig | object | `{}` | [DNS configuration] | | argocd.redis.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Redis server pods | | argocd.redis.enabled | bool | `true` | Enable redis | 
@@ -606,7 +622,7 @@ A Helm chart for Kubernetes | argocd.redis.exporter.env | list | `[]` | Environment variables to pass to the Redis exporter | | argocd.redis.exporter.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the redis-exporter | | argocd.redis.exporter.image.repository | string | `"ghcr.io/oliver006/redis_exporter"` | Repository to use for the redis-exporter | -| argocd.redis.exporter.image.tag | string | `"v1.71.0"` | Tag to use for the redis-exporter | +| argocd.redis.exporter.image.tag | string | `"v1.75.0"` | Tag to use for the redis-exporter | | argocd.redis.exporter.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis exporter | | argocd.redis.exporter.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | | argocd.redis.exporter.livenessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated | 
@@ -623,7 +639,7 @@ A Helm chart for Kubernetes | argocd.redis.extraArgs | list | `[]` | Additional command line arguments to pass to redis-server | | argocd.redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod # Note: Supports use of custom Helm templates | | argocd.redis.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Redis image pull policy | -| argocd.redis.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | +| argocd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argocd.redis.image.tag | string | `"7.2.8-alpine"` | Redis tag # Do not upgrade to >= 7.4.0, otherwise you are no longer using an open source version of Redis | | argocd.redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | argocd.redis.initContainers | list | `[]` | Init containers to add to the redis pod # Note: Supports use of custom Helm templates | @@ -652,6 +668,7 @@ A Helm chart for Kubernetes | argocd.redis.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.redis.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.redis.name | string | `"redis"` | Redis name | +| argocd.redis.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by redis | | argocd.redis.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.redis.pdb.annotations | object | `{}` | Annotations to be added to Redis pdb | | argocd.redis.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Redis | 
@@ -723,6 +740,7 @@ A Helm chart for Kubernetes | argocd.repoServer.containerPorts.server | int | `8081` | Repo server container port | | argocd.repoServer.containerSecurityContext | object | See [values.yaml] | Repo server container-level security context | | argocd.repoServer.deploymentAnnotations | object | `{}` | Annotations to be added to repo server Deployment | +| argocd.repoServer.deploymentLabels | object | `{}` | Labels for the repo server Deployment | | argocd.repoServer.deploymentStrategy | object | `{}` | Deployment strategy to be added to the repo server Deployment | | argocd.repoServer.dnsConfig | object | `{}` | [DNS configuration] | | argocd.repoServer.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Repo server pods | @@ -764,6 +782,7 @@ A Helm chart for Kubernetes | argocd.repoServer.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.repoServer.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.repoServer.name | string | `"repo-server"` | Repo server name | +| argocd.repoServer.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by repo server | | argocd.repoServer.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.repoServer.pdb.annotations | object | `{}` | Annotations to be added to repo server pdb | | argocd.repoServer.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the repo server | 
@@ -786,6 +805,7 @@ A Helm chart for Kubernetes | argocd.repoServer.service.labels | object | `{}` | Repo server service labels | | argocd.repoServer.service.port | int | `8081` | Repo server service port | | argocd.repoServer.service.portName | string | `"tcp-repo-server"` | Repo server service port name | +| argocd.repoServer.service.trafficDistribution | string | `""` | Traffic distribution preference for the repo server service. If the field is not set, the implementation will apply its default routing strategy. | | argocd.repoServer.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | argocd.repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | argocd.repoServer.serviceAccount.create | bool | `true` | Create repo server service account | @@ -832,6 +852,7 @@ A Helm chart for Kubernetes | argocd.server.containerPorts.server | int | `8080` | Server container port | | argocd.server.containerSecurityContext | object | See [values.yaml] | Server container-level security context | | argocd.server.deploymentAnnotations | object | `{}` | Annotations to be added to server Deployment | +| argocd.server.deploymentLabels | object | `{}` | Labels for the server Deployment | | argocd.server.deploymentStrategy | object | `{}` | Deployment strategy to be added to the server Deployment | | argocd.server.dnsConfig | object | `{}` | [DNS configuration] | | argocd.server.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Server pods | 
@@ -910,6 +931,7 @@ A Helm chart for Kubernetes | argocd.server.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | argocd.server.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | argocd.server.name | string | `"server"` | Argo CD server name | +| argocd.server.networkPolicy.create | bool | `false` (defaults to global.networkPolicy.create) | Default network policy rules used by ArgoCD Server | | argocd.server.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | | argocd.server.pdb.annotations | object | `{}` | Annotations to be added to Argo CD server pdb | | argocd.server.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Argo CD server | @@ -989,7 +1011,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.3" + targetRevision: "0.1.4" chart: argocd path: '' helm: diff --git a/charts/argocd/charts/argo-cd-8.0.1.tgz b/charts/argocd/charts/argo-cd-8.0.1.tgz deleted file mode 100644 index cd15af30..00000000 Binary files a/charts/argocd/charts/argo-cd-8.0.1.tgz and /dev/null differ diff --git a/charts/argocd/charts/argo-cd-8.3.0.tgz b/charts/argocd/charts/argo-cd-8.3.0.tgz new file mode 100644 index 00000000..813ae2dd Binary files /dev/null and b/charts/argocd/charts/argo-cd-8.3.0.tgz differ diff --git a/charts/argocd/values.yaml b/charts/argocd/values.yaml index 25e7fd2f..14900999 100644 --- a/charts/argocd/values.yaml +++ b/charts/argocd/values.yaml @@ -54,7 +54,7 @@ argocd: keep: true # -- Annotations to be added to all CRDs annotations: {} - # -- Addtional labels to be added to all CRDs + # -- Additional labels to be added to all CRDs additionalLabels: {} ## Globally shared configuration 
@@ -98,6 +98,9 @@ argocd: # -- Annotations for the all deployed Deployments deploymentAnnotations: {} + # -- Labels for the all deployed Deployments + deploymentLabels: {} + # -- Annotations for the all deployed pods podAnnotations: {} @@ -438,6 +441,8 @@ argocd: server.enable.gzip: true # -- Enable proxy extension feature. (proxy extension is in Alpha phase) server.enable.proxy.extension: false + # -- Enable the hydrator feature (hydrator is in Alpha phase) + hydrator.enabled: false # -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "". server.x.frame.options: sameorigin @@ -906,6 +911,9 @@ argocd: # -- Annotations for the application controller Deployment deploymentAnnotations: {} + # -- Labels for the application controller Deployment + deploymentLabels: {} + # -- Annotations to be added to application controller pods podAnnotations: {} @@ -1101,6 +1109,12 @@ argocd: # -- List of custom rules for the application controller's ClusterRole resource rules: [] + # Default application controller's network policy + networkPolicy: + # -- Default network policy rules used by application controller + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + ## Dex dex: # -- Enable dex @@ -1172,7 +1186,7 @@ argocd: # -- Dex image repository repository: ghcr.io/dexidp/dex # -- Dex image tag - tag: v2.42.1 + tag: v2.43.1 # -- Dex imagePullPolicy # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -1254,6 +1268,9 @@ argocd: # -- Annotations to be added to the Dex server Deployment deploymentAnnotations: {} + # -- Labels for the Dex server Deployment + deploymentLabels: {} + # -- Annotations to be added to the Dex server pods podAnnotations: {} 
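Review bot: The comment on `hydrator.enabled` in the `@@ -438` hunk says only that the feature is alpha; it does not say what else must be enabled or what access the feature needs. Elsewhere in this diff the commit server is a separate component with its own `commitServer.enabled: false` switch. As far as I can tell, a hydrator that writes rendered manifests back to Git would also need push credentials, so both belong next to the flag. Suggested wording: `# -- Enable the hydrator feature (alpha). Review commitServer.enabled and the Git write credentials it needs before turning this on`. The `configs.params` mapping starts and ends outside the hunk.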
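Review bot: In the `@@ -1101` hunk the description `Default network policy rules used by application controller` reads as if the key held rules, but `networkPolicy.create` is a boolean switch that ships as `false`. The `@default` text says it defers to `global.networkPolicy.create`, yet the value is a literal `false`; how the two combine is decided in the subchart templates, which this diff does not show. I would reword it to `# -- Create a NetworkPolicy for the application controller (see global.networkPolicy.create; confirm precedence against the subchart templates)`. The same wording is repeated for dex, redis, server, repoServer, applicationSet and notifications in the later hunks; with no policy rendered, Kubernetes leaves pod-to-pod traffic to these components unrestricted. The `controller:` mapping begins and ends outside the hunk.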
@@ -1397,6 +1414,12 @@ argocd: # maxSurge: 25% # maxUnavailable: 25% + # Default Dex server's network policy + networkPolicy: + # -- Default network policy rules used by Dex server + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + # DEPRECATED - Use configs.params to override # -- Dex log format. Either `text` or `json` # @default -- `""` (defaults to global.logging.format) @@ -1435,7 +1458,7 @@ argocd: ## Redis image image: # -- Redis repository - repository: public.ecr.aws/docker/library/redis + repository: ecr-public.aws.com/docker/library/redis # -- Redis tag ## Do not upgrade to >= 7.4.0, otherwise you are no longer using an open source version of Redis tag: 7.2.8-alpine @@ -1454,7 +1477,7 @@ argocd: # -- Repository to use for the redis-exporter repository: ghcr.io/oliver006/redis_exporter # -- Tag to use for the redis-exporter - tag: v1.71.0 + tag: v1.75.0 # -- Image pull policy for the redis-exporter # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -1575,6 +1598,9 @@ argocd: # -- Annotations to be added to the Redis server Deployment deploymentAnnotations: {} + # -- Labels for the Redis server Deployment + deploymentLabels: {} + # -- Annotations to be added to the Redis server pods podAnnotations: {} @@ -1714,6 +1740,12 @@ argocd: # -- Prometheus ServiceMonitor annotations annotations: {} + # Default redis's network policy + networkPolicy: + # -- Default network policy rules used by redis + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + ## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true` # Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml redis-ha: 
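Review bot: The Redis image in the `@@ -1435` hunk now pulls from `ecr-public.aws.com` instead of `public.ecr.aws`, and nothing beside the value records that the registry host changed. The new host should be confirmed against the upstream chart release, because admission-policy allowlists, registry mirrors and egress rules keyed on the old host will not match it. A comment such as `# registry host changed from public.ecr.aws with the argo-cd 8.3.0 bump; update image allowlists/egress rules` would cover it. The same host appears in the redis-ha image (`@@ -1722`) and the new `haproxy.image.repository` (`@@ -1754`). The Redis images are also referenced by tag only (`7.2.8-alpine`), so the pulled content is not pinned to a digest. The `image:` mapping continues outside the hunk.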
@@ -1722,7 +1754,7 @@ argocd: ## Redis image image: # -- Redis repository - repository: public.ecr.aws/docker/library/redis + repository: ecr-public.aws.com/docker/library/redis # -- Redis tag ## Do not upgrade to >= 7.4.0, otherwise you are no longer using an open source version of Redis tag: 7.2.8-alpine @@ -1733,7 +1765,7 @@ argocd: # -- Repository to use for the redis-exporter image: ghcr.io/oliver006/redis_exporter # -- Tag to use for the redis-exporter - tag: v1.69.0 + tag: v1.75.0 persistentVolume: # -- Configures persistence on Redis nodes enabled: false @@ -1754,6 +1786,9 @@ argocd: # -- Custom labels for the haproxy pod. This is relevant for Argo CD CLI. labels: app.kubernetes.io/name: argocd-redis-ha-haproxy + image: + # -- HAProxy Image Repository + repository: ecr-public.aws.com/docker/library/haproxy metrics: # -- HAProxy enable prometheus metric scraping enabled: true @@ -1818,8 +1853,8 @@ argocd: password: "" # -- External Redis server port port: 6379 - # -- The name of an existing secret with Redis (must contain key `redis-password`) and Sentinel credentials. - # When it's set, the `externalRedis.password` parameter is ignored + # -- The name of an existing secret with Redis (must contain key `redis-password`. And should contain `redis-username` if username is not `default`) and Sentinel credentials. + # When it's set, the `externalRedis.username` and `externalRedis.password` parameters are ignored existingSecret: "" # -- External Redis Secret annotations secretAnnotations: {} @@ -2107,6 +2142,9 @@ argocd: # -- Annotations to be added to server Deployment deploymentAnnotations: {} + # -- Labels for the server Deployment + deploymentLabels: {} + # -- Annotations to be added to server pods podAnnotations: {} 
@@ -2574,6 +2612,12 @@ argocd: # -- List of custom rules for the server's ClusterRole resource rules: [] + # Default ArgoCD Server's network policy + networkPolicy: + # -- Default network policy rules used by ArgoCD Server + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + ## Repo Server repoServer: # -- Repo server name @@ -2755,6 +2799,9 @@ argocd: # -- Annotations to be added to repo server Deployment deploymentAnnotations: {} + # -- Labels for the repo server Deployment + deploymentLabels: {} + # -- Annotations to be added to repo server pods podAnnotations: {} @@ -2885,6 +2932,8 @@ argocd: port: 8081 # -- Repo server service port name portName: tcp-repo-server + # -- Traffic distribution preference for the repo server service. If the field is not set, the implementation will apply its default routing strategy. + trafficDistribution: "" ## Repo server metrics service configuration metrics: @@ -2968,6 +3017,12 @@ argocd: # - list # - watch + # Default repo server's network policy + networkPolicy: + # -- Default network policy rules used by repo server + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + ## ApplicationSet controller applicationSet: # -- ApplicationSet controller name string @@ -3125,6 +3180,9 @@ argocd: # -- Annotations to be added to ApplicationSet controller Deployment deploymentAnnotations: {} + # -- Labels for the ApplicationSet controller Deployment + deploymentLabels: {} + # -- Annotations for the ApplicationSet controller pods podAnnotations: {} 
@@ -3337,6 +3395,13 @@ argocd: # - argocd-applicationset.example.com # -- Enable ApplicationSet in any namespace feature allowAnyNamespace: false + + # Default ApplicationSet controller's network policy + networkPolicy: + # -- Default network policy rules used by ApplicationSet controller + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + ## Notifications controller notifications: # -- Enable notifications controller @@ -3507,6 +3572,9 @@ argocd: # -- Annotations to be applied to the notifications controller Deployment deploymentAnnotations: {} + # -- Labels for the notifications controller Deployment + deploymentLabels: {} + # -- Annotations to be applied to the notifications controller Pods podAnnotations: {} @@ -3903,6 +3971,12 @@ argocd: # defaultTriggers: | # - on-sync-status-unknown + # Default notifications controller's network policy + networkPolicy: + # -- Default network policy rules used by notifications controller + # @default -- `false` (defaults to global.networkPolicy.create) + create: false + commitServer: # -- Enable commit server enabled: false @@ -3971,6 +4045,10 @@ argocd: annotations: {} # -- commit server service labels labels: {} + # -- commit server service port + port: 8086 + # -- commit server service port name + portName: server # -- Automount API credentials for the Service Account into the pod. automountServiceAccountToken: false @@ -3990,6 +4068,9 @@ argocd: # -- Annotations to be added to commit server Deployment deploymentAnnotations: {} + # -- Labels for the commit server Deployment + deploymentLabels: {} + # -- Annotations for the commit server pods podAnnotations: {} 
@@ -4082,3 +4163,9 @@ argocd: # -- Priority class for the commit server pods # @default -- `""` (defaults to global.priorityClassName) priorityClassName: "" + + # Default commit server's network policy + networkPolicy: + # -- Default network policy rules used by commit server + # @default -- `false` (defaults to global.networkPolicy.create) + create: false diff --git a/charts/cert-manager/Chart.lock b/charts/cert-manager/Chart.lock index ba361324..bb26b124 100644 --- a/charts/cert-manager/Chart.lock +++ b/charts/cert-manager/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: cert-manager repository: https://charts.jetstack.io - version: v1.17.2 + version: v1.18.2 - name: gcp-workload-identity repository: https://edixos.github.io/ekp-helm version: 0.1.1 - name: gcp-iam-policy-members repository: https://edixos.github.io/ekp-helm version: 0.1.2 -digest: sha256:332d9476ee0ae270e6ab49c0a8474c4a9ded472b0198920ab2f457119509c2f8 -generated: "2025-05-07T10:23:12.154607043Z" +digest: sha256:5b9e199c6d408c50b7c9c75a3190622da366f47070192f6bade462ea79400e8a +generated: "2025-08-20T10:24:31.488509216Z" diff --git a/charts/cert-manager/Chart.yaml b/charts/cert-manager/Chart.yaml index e45f8d04..565e51ec 100644 --- a/charts/cert-manager/Chart.yaml +++ b/charts/cert-manager/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: cert-manager description: A Helm chart for cert-manager type: application -version: 0.1.3 +version: 0.1.4 appVersion: "1.17.1" maintainers: - name: wiemaouadi @@ -13,7 +13,7 @@ maintainers: url: https://github.com/smileisak dependencies: - name: cert-manager - version: "v1.17.2" + version: "v1.18.2" repository: "https://charts.jetstack.io" alias: certmanager - name: gcp-workload-identity diff --git a/charts/cert-manager/README.md b/charts/cert-manager/README.md index 3e99aee1..bc3e6065 100644 --- a/charts/cert-manager/README.md +++ b/charts/cert-manager/README.md 
@@ -1,6 +1,6 @@ # cert-manager -![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square) +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | certmanager(cert-manager) | v1.17.2 | +| https://charts.jetstack.io | certmanager(cert-manager) | v1.18.2 | | https://edixos.github.io/ekp-helm | iamPolicyMembers(gcp-iam-policy-members) | 0.1.2 | | https://edixos.github.io/ekp-helm | workloadIdentity(gcp-workload-identity) | 0.1.1 | @@ -124,7 +124,7 @@ A Helm chart for cert-manager | certmanager.prometheus.servicemonitor.path | string | `"/metrics"` | | | certmanager.prometheus.servicemonitor.prometheusInstance | string | `"default"` | | | certmanager.prometheus.servicemonitor.scrapeTimeout | string | `"30s"` | | -| certmanager.prometheus.servicemonitor.targetPort | int | `9402` | | +| certmanager.prometheus.servicemonitor.targetPort | string | `"http-metrics"` | | | certmanager.replicaCount | int | `1` | | | certmanager.resources | object | `{}` | | | certmanager.securityContext.runAsNonRoot | bool | `true` | | @@ -273,7 +273,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.3" + targetRevision: "0.1.4" chart: cert-manager path: '' helm: 
diff --git a/charts/cert-manager/charts/cert-manager-v1.17.2.tgz b/charts/cert-manager/charts/cert-manager-v1.17.2.tgz deleted file mode 100644 index 770113d1..00000000 Binary files a/charts/cert-manager/charts/cert-manager-v1.17.2.tgz and /dev/null differ diff --git a/charts/cert-manager/charts/cert-manager-v1.18.2.tgz b/charts/cert-manager/charts/cert-manager-v1.18.2.tgz new file mode 100644 index 00000000..6560ee51 Binary files /dev/null and b/charts/cert-manager/charts/cert-manager-v1.18.2.tgz differ diff --git a/charts/cert-manager/values.yaml b/charts/cert-manager/values.yaml index 8d554e22..549c6dd0 100644 --- a/charts/cert-manager/values.yaml +++ b/charts/cert-manager/values.yaml @@ -134,14 +134,14 @@ certmanager: enabled: false # This configures the minimum available pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # This configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # it cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown @@ -193,7 +193,7 @@ certmanager: # Override the "cert-manager.name" value, which is used to annotate some of # the resources that are created by this Chart (using "app.kubernetes.io/name"). # NOTE: There are some inconsistencies in the Helm chart when it comes to - # these annotations (some resources use eg. "cainjector.name" which resolves + # these annotations (some resources use, e.g., "cainjector.name" which resolves # to the value "cainjector"). # +docs:property # nameOverride: "my-cert-manager" 
@@ -248,10 +248,10 @@ certmanager: # kubernetesAPIBurst: 9000 # numberOfConcurrentWorkers: 200 # enableGatewayAPI: true - # # Feature gates as of v1.17.0. Listed with their default values. + # # Feature gates as of v1.18.1. Listed with their default values. # # See https://cert-manager.io/docs/cli/controller/ # featureGates: - # AdditionalCertificateOutputFormats: true # BETA - default=true + # AdditionalCertificateOutputFormats: true # GA - default=true # AllAlpha: false # ALPHA - default=false # AllBeta: false # BETA - default=false # ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false @@ -263,8 +263,10 @@ certmanager: # ServerSideApply: false # ALPHA - default=false # StableCertificateRequestName: true # BETA - default=true # UseCertificateRequestBasicConstraints: false # ALPHA - default=false - # UseDomainQualifiedFinalizer: true # BETA - default=false + # UseDomainQualifiedFinalizer: true # GA - default=true # ValidateCAA: false # ALPHA - default=false + # DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true + # ACMEHTTP01IngressPathTypeExact: true # BETA - default=true # # Configure the metrics server for TLS # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls # metricsTLSConfig: @@ -295,7 +297,7 @@ certmanager: # referencing these signer names will be auto-approved by cert-manager. Defaults to just # approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty # array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, - # because eg. you are using approver-policy, you can enable 'disableAutoApproval'. + # because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'. # ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval # +docs:property approveSignerNames: 
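Review bot: The two gates added to the commented list, `DefaultPrivateKeyRotationPolicyAlways` and `ACMEHTTP01IngressPathTypeExact`, are both marked default=true, so the v1.18.2 bump enables them without any values change. Going by the gate names, the first makes Certificates rotate their private key on renewal unless a rotation policy is set explicitly, and the second switches HTTP-01 solver Ingress paths to `Exact`. Both should be checked against workloads that pin keys and against the ingress controller in use. A line above the list such as `# v1.18 enables the two gates below by default; set them to false here to keep pre-1.18 behaviour` would make the opt-out discoverable. The header also says v1.18.1 while the dependency is v1.18.2.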
@@ -519,7 +521,7 @@ certmanager: # ServiceMonitor resource. # Otherwise, 'prometheus.io' annotations are added to the cert-manager and # cert-manager-webhook Deployments. - # Note that you can not enable both PodMonitor and ServiceMonitor as they are + # Note that you cannot enable both PodMonitor and ServiceMonitor as they are # mutually exclusive. Enabling both will result in an error. enabled: true @@ -539,7 +541,8 @@ certmanager: # The target port to set on the ServiceMonitor. This must match the port that the # cert-manager controller is listening on for metrics. - targetPort: 9402 + # +docs:type=string,integer + targetPort: http-metrics # The path to scrape for metrics. path: /metrics @@ -573,7 +576,7 @@ certmanager: # +docs:property endpointAdditionalProperties: {} - # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. + # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. podmonitor: # Create a PodMonitor to add cert-manager to Prometheus. enabled: false @@ -723,14 +726,14 @@ certmanager: enabled: false # This property configures the minimum available pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # This property configures the maximum unavailable pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown 
@@ -1090,14 +1093,14 @@ certmanager: enabled: false # `minAvailable` configures the minimum available pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # Cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # Cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown diff --git a/charts/dex/Chart.lock b/charts/dex/Chart.lock index 09b5cdf8..82df3ed1 100644 --- a/charts/dex/Chart.lock +++ b/charts/dex/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: dex repository: https://charts.dexidp.io - version: 0.23.0 + version: 0.23.1 - name: gcp-workload-identity repository: https://edixos.github.io/ekp-helm version: 0.1.1 - name: gcp-iam-policy-members repository: https://edixos.github.io/ekp-helm version: 0.1.2 -digest: sha256:33de3c86abf097766978c659379862374f824ee040c17dd22afac6b98bf07c5c -generated: "2025-04-28T15:46:20.243117+02:00" +digest: sha256:187242846900cc90b7ef585cb7d1f0cbabe14bef3daefd11cce62f4c9ce8938f +generated: "2025-08-20T10:23:43.191171468Z" diff --git a/charts/dex/Chart.yaml b/charts/dex/Chart.yaml index b13e0a46..a1506bbe 100644 --- a/charts/dex/Chart.yaml +++ b/charts/dex/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: dex description: A Helm chart for Dex - OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connectors type: application -version: 0.1.4 +version: 0.1.5 appVersion: "2.42.0" maintainers: - name: wiemaouadi @@ -13,7 +13,7 @@ maintainers: url: https://github.com/smileisak dependencies: - name: dex - version: 0.23.0 + version: 0.23.1 repository: https://charts.dexidp.io alias: dex - name: gcp-workload-identity 
diff --git a/charts/dex/README.md b/charts/dex/README.md index 4385a656..29174516 100644 --- a/charts/dex/README.md +++ b/charts/dex/README.md @@ -1,6 +1,6 @@ # dex -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.42.0](https://img.shields.io/badge/AppVersion-2.42.0-informational?style=flat-square) +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.42.0](https://img.shields.io/badge/AppVersion-2.42.0-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://charts.dexidp.io | dex(dex) | 0.23.0 | +| https://charts.dexidp.io | dex(dex) | 0.23.1 | | https://edixos.github.io/ekp-helm | iamPolicyMembers(gcp-iam-policy-members) | 0.1.2 | | https://edixos.github.io/ekp-helm | workloadIdentity(gcp-workload-identity) | 0.1.1 | 
@@ -41,10 +41,11 @@ A Helm chart for Dex - OpenID Connect Identity (OIDC) and OAuth 2.0 Provider wit | dex.env | object | `{}` | Additional environment variables passed directly to containers. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. | | dex.envFrom | list | `[]` | Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. | | dex.envVars | list | `[]` | Similar to env but with support for all possible configurations. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. | -| dex.fullnameOverride | string | `"test"` | A name to substitute for the full names of resources. | +| dex.fullnameOverride | string | `""` | A name to substitute for the full names of resources. | | dex.grpc.enabled | bool | `false` | Enable the gRPC endpoint. Read more in the [documentation](https://dexidp.io/docs/api/). | | dex.hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) | | dex.https.enabled | bool | `false` | Enable the HTTPS endpoint. | +| dex.image.digest | string | `""` | When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). 
| | dex.image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. | | dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. | | dex.image.tag | string | `""` | Image tag override for the default value (chart appVersion). | @@ -145,7 +146,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.4" + targetRevision: "0.1.5" chart: dex path: '' diff --git a/charts/dex/charts/dex-0.23.0.tgz b/charts/dex/charts/dex-0.23.0.tgz deleted file mode 100644 index 881f77dc..00000000 Binary files a/charts/dex/charts/dex-0.23.0.tgz and /dev/null differ diff --git a/charts/dex/charts/dex-0.23.1.tgz b/charts/dex/charts/dex-0.23.1.tgz new file mode 100644 index 00000000..b801e1e8 Binary files /dev/null and b/charts/dex/charts/dex-0.23.1.tgz differ diff --git a/charts/dex/values.yaml b/charts/dex/values.yaml index 8f5f7ce7..27c1ab01 100644 --- a/charts/dex/values.yaml +++ b/charts/dex/values.yaml @@ -19,6 +19,10 @@ prometheus: # This is a YAML-formatted file. # Declare variables to be passed into your templates. dex: + # Default values for dex. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + # -- Number of replicas (pods) to launch. replicaCount: 1 @@ -36,6 +40,9 @@ dex: # -- Image tag override for the default value (chart appVersion). tag: "" + # -- When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). + digest: "" + # -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). imagePullSecrets: [] 
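Review bot: `digest: ""` is added but left empty, so the Dex image is still resolved by tag (the chart appVersion, per the comment on `tag`) with the `IfNotPresent` pull policy shown in the README row. A re-pushed tag would therefore be picked up by any node that has not cached the image. For an identity provider it is worth setting the digest in the environment values and saying so next to the key, e.g. `# Recommended in production: pin to the sha256 digest of the released image`. The first values.yaml hunk on this line also repeats the three "Default values for dex" header comments under `dex:`, which looks like a copy artefact.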
@@ -46,7 +53,7 @@ dex: nameOverride: "" # -- A name to substitute for the full names of resources. - fullnameOverride: "test" + fullnameOverride: "" # -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) @@ -357,7 +364,6 @@ dex: # ports: # - port: 636 # protocol: TCP - tags: # -- Enables Config Connector features configConnector: false diff --git a/charts/eso/Chart.lock b/charts/eso/Chart.lock index 5be1b4bf..41adc1ac 100644 --- a/charts/eso/Chart.lock +++ b/charts/eso/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: external-secrets repository: https://charts.external-secrets.io - version: 0.16.2 -digest: sha256:94cbf896c19437687c2804fc14c7937cd9b12f6d70cc32b1a78aa323777580cb -generated: "2025-05-14T10:23:28.800416977Z" + version: 0.19.2 +digest: sha256:90648b95b04370e10bcafbeb6b413b3645485dcedff38772862423e74ac2143e +generated: "2025-08-20T10:23:50.834300023Z" diff --git a/charts/eso/Chart.yaml b/charts/eso/Chart.yaml index 31b9c963..c22dfd84 100644 --- a/charts/eso/Chart.yaml +++ b/charts/eso/Chart.yaml @@ -2,11 +2,11 @@ apiVersion: v2 name: eso description: A Helm chart ESO for Kubernetes type: application -version: 0.1.4 +version: 0.1.5 appVersion: "0.14.2" dependencies: - name: external-secrets - version: 0.16.2 + version: 0.19.2 repository: https://charts.external-secrets.io alias: eso maintainers: diff --git a/charts/eso/README.md b/charts/eso/README.md index fb6aba26..51e4e6d5 100644 --- a/charts/eso/README.md +++ b/charts/eso/README.md 
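Review bot: Dropping `fullnameOverride: "test"` renames every Dex resource whose name comes from the fullname template on the next upgrade, yet the chart only moves from 0.1.4 to 0.1.5. Anything that still points at the old `test` names, such as Ingress backends, NetworkPolicy selectors or an OIDC client configured with the Service URL, would need to change in the same rollout (inferred, since the templates are not in this diff). Removing the leftover is the right call, but it should be flagged as a breaking change, e.g. `# NOTE: was "test" up to chart 0.1.4; resource names change on upgrade`, and mentioned in the release notes.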
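Review bot: The removed `tags:` line appears to have been the parent of `configConnector: false`, and the hunk adds no replacement. Depending on the indentation left behind, `configConnector` becomes either a top-level key or part of another mapping, and in neither case would a `tags.configConnector` dependency toggle see it. Whether the Chart.yaml dependencies use `tags` is not visible here. Please render the chart with `helm template` and confirm the gcp-workload-identity and gcp-iam-policy-members subcharts are still gated as intended. If the removal was accidental, restore `tags:`.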
@@ -1,6 +1,6 @@ # eso -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.2](https://img.shields.io/badge/AppVersion-0.14.2-informational?style=flat-square) +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.2](https://img.shields.io/badge/AppVersion-0.14.2-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://charts.external-secrets.io | eso(external-secrets) | 0.16.2 | +| https://charts.external-secrets.io | eso(external-secrets) | 0.19.2 | ## Maintainers @@ -30,11 +30,13 @@ A Helm chart ESO for Kubernetes |-----|------|---------|-------------| | eso.affinity | object | `{}` | | | eso.bitwarden-sdk-server.enabled | bool | `false` | | +| eso.bitwarden-sdk-server.namespaceOverride | string | `""` | | | eso.certController.affinity | object | `{}` | | | eso.certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. | | eso.certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment | | eso.certController.extraArgs | object | `{}` | | | eso.certController.extraEnv | list | `[]` | | +| eso.certController.extraInitContainers | list | `[]` | | | eso.certController.extraVolumeMounts | list | `[]` | | | eso.certController.extraVolumes | list | `[]` | | | eso.certController.fullnameOverride | string | `""` | | 
@@ -52,7 +54,7 @@ A Helm chart ESO for Kubernetes | eso.certController.nameOverride | string | `""` | | | eso.certController.nodeSelector | object | `{}` | | | eso.certController.podAnnotations | object | `{}` | Annotations to add to Pod | -| eso.certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| eso.certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | eso.certController.podLabels | object | `{}` | | | eso.certController.podSecurityContext.enabled | bool | `true` | | | eso.certController.priorityClassName | string | `""` | Pod priority class name. | @@ -75,6 +77,7 @@ A Helm chart ESO for Kubernetes | eso.certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | eso.certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. | | eso.certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. | +| eso.certController.strategy | object | `{}` | Set deployment strategy | | eso.certController.tolerations | list | `[]` | | | eso.certController.topologySpreadConstraints | list | `[]` | | | eso.commonLabels | object | `{}` | Additional labels added to all helm chart resources. | @@ -95,6 +98,7 @@ A Helm chart ESO for Kubernetes | eso.extraArgs | object | `{}` | | | eso.extraContainers | list | `[]` | | | eso.extraEnv | list | `[]` | | +| eso.extraInitContainers | list | `[]` | | | eso.extraObjects | list | `[]` | | | eso.extraVolumeMounts | list | `[]` | | | eso.extraVolumes | list | `[]` | | 
@@ -126,7 +130,7 @@ A Helm chart ESO for Kubernetes | eso.nodeSelector | object | `{}` | | | eso.openshiftFinalizers | bool | `true` | If true the OpenShift finalizer permissions will be added to RBAC | | eso.podAnnotations | object | `{}` | Annotations to add to Pod | -| eso.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| eso.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | eso.podLabels | object | `{}` | | | eso.podSecurityContext.enabled | bool | `true` | | | eso.podSpecExtra | object | `{}` | Any extra pod spec on the deployment | @@ -166,6 +170,7 @@ A Helm chart ESO for Kubernetes | eso.serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors | | eso.serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) | | eso.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| eso.strategy | object | `{}` | Set deployment strategy | | eso.tolerations | list | `[]` | | | eso.topologySpreadConstraints | list | `[]` | | | eso.webhook.affinity | object | `{}` | | 
@@ -184,6 +189,7 @@ A Helm chart ESO for Kubernetes | eso.webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment | | eso.webhook.extraArgs | object | `{}` | | | eso.webhook.extraEnv | list | `[]` | | +| eso.webhook.extraInitContainers | list | `[]` | | | eso.webhook.extraVolumeMounts | list | `[]` | | | eso.webhook.extraVolumes | list | `[]` | | | eso.webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore | @@ -203,7 +209,7 @@ A Helm chart ESO for Kubernetes | eso.webhook.nameOverride | string | `""` | | | eso.webhook.nodeSelector | object | `{}` | | | eso.webhook.podAnnotations | object | `{}` | Annotations to add to Pod | -| eso.webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| eso.webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1,"nameOverride":""}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | eso.webhook.podLabels | object | `{}` | | | eso.webhook.podSecurityContext.enabled | bool | `true` | | | eso.webhook.port | int | `10250` | The port the webhook will listen to | 
@@ -233,6 +239,7 @@ A Helm chart ESO for Kubernetes | eso.webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | eso.webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. | | eso.webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. | +| eso.webhook.strategy | object | `{}` | Set deployment strategy | | eso.webhook.tolerations | list | `[]` | | | eso.webhook.topologySpreadConstraints | list | `[]` | | | prometheus.enabled | bool | `false` | Enables Prometheus Operator monitoring | @@ -266,7 +273,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.4" + targetRevision: "0.1.5" chart: eso path: '' diff --git a/charts/eso/charts/external-secrets-0.16.2.tgz b/charts/eso/charts/external-secrets-0.16.2.tgz deleted file mode 100644 index 110c6b39..00000000 Binary files a/charts/eso/charts/external-secrets-0.16.2.tgz and /dev/null differ diff --git a/charts/eso/charts/external-secrets-0.19.2.tgz b/charts/eso/charts/external-secrets-0.19.2.tgz new file mode 100644 index 00000000..a0915168 Binary files /dev/null and b/charts/eso/charts/external-secrets-0.19.2.tgz differ diff --git a/charts/eso/values.yaml b/charts/eso/values.yaml index 328a4aa0..886410e3 100644 --- a/charts/eso/values.yaml +++ b/charts/eso/values.yaml @@ -33,6 +33,7 @@ eso: bitwarden-sdk-server: enabled: false + namespaceOverride: "" # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) revisionHistoryLimit: 10 
@@ -168,12 +169,18 @@ eso: ## -- Extra volumes to mount to the container. extraVolumeMounts: [] + ## -- Extra init containers to add to the pod. + extraInitContainers: [] + ## -- Extra containers to add to the pod. extraContainers: [] # -- Annotations to add to Deployment deploymentAnnotations: {} + # -- Set deployment strategy + strategy: {} + # -- Annotations to add to Pod podAnnotations: {} @@ -281,8 +288,9 @@ eso: # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false - minAvailable: 1 - # maxUnavailable: 1 + minAvailable: 1 # @schema type:[integer, string] + nameOverride: "" + # maxUnavailable: "50%" # -- Run the controller on the host network hostNetwork: false @@ -383,14 +391,18 @@ eso: affinity: {} + # -- Set deployment strategy + strategy: {} + # -- Pod priority class name. priorityClassName: "" # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false - minAvailable: 1 - # maxUnavailable: 1 + minAvailable: 1 # @schema type:[integer, string] + nameOverride: "" + # maxUnavailable: "50%" metrics: @@ -421,6 +433,9 @@ eso: ## -- Map of extra arguments to pass to container. extraArgs: {} + ## -- Extra init containers to add to the pod. + extraInitContainers: [] + ## -- Extra volumes to pass to pod. extraVolumes: [] @@ -516,6 +531,9 @@ eso: affinity: {} + # -- Set deployment strategy + strategy: {} + # -- Run the certController on the host network hostNetwork: false @@ -525,8 +543,9 @@ eso: # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ podDisruptionBudget: enabled: false - minAvailable: 1 - # maxUnavailable: 1 + minAvailable: 1 # @schema type:[integer, string] + nameOverride: "" + # maxUnavailable: "50%" metrics: 
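Review bot: The new `extraInitContainers` keys are documented with `## --`, and their regenerated README rows have an empty description, while `strategy`, documented with `# --`, gets its text. The doubled hash seems to hide the comment from the docs generator. Writing `# -- Extra init containers to add to the pod.` here and in the webhook and certController hunks would fill in the README. Because an init container runs in the operator pod under the same service account, the description could also note that only trusted images belong in this list.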
@@ -555,6 +574,8 @@ eso: ## -- Map of extra arguments to pass to container. extraArgs: {} + ## -- Extra init containers to add to the pod. + extraInitContainers: [] ## -- Extra volumes to pass to pod. extraVolumes: [] diff --git a/charts/ingress-nginx/Chart.lock b/charts/ingress-nginx/Chart.lock index 17b9b6c0..5f4a107f 100644 --- a/charts/ingress-nginx/Chart.lock +++ b/charts/ingress-nginx/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx - version: 4.12.2 -digest: sha256:b58107199720c48a5d00da482ca4cfef20f3971db28ac19aa2158d8f3ee70158 -generated: "2025-05-07T10:25:43.915827482Z" + version: 4.13.1 +digest: sha256:850228f252048706bad5051faefe0d73cc26a64223dd5062a1e1cde533f8ae5f +generated: "2025-08-20T10:24:43.63420549Z" diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index dd3bf33f..9b56258d 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ingress-nginx description: A Helm chart for Kubernetes type: application -version: 0.1.3 +version: 0.1.4 appVersion: "1.12.1" maintainers: - name: ilyasabdellaoui @@ -10,6 +10,6 @@ maintainers: url: https://github.com/ilyasabdellaoui dependencies: - name: ingress-nginx - version: 4.12.2 + version: 4.13.1 repository: "https://kubernetes.github.io/ingress-nginx" alias: ingressNginx diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 8f5d6dbb..e59f5cb4 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -1,6 +1,6 @@ # ingress-nginx -![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square) +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kubernetes.github.io/ingress-nginx | ingressNginx(ingress-nginx) | 4.12.2 | +| https://kubernetes.github.io/ingress-nginx | ingressNginx(ingress-nginx) | 4.13.1 | ## Maintainers 
@@ -31,9 +31,12 @@ A Helm chart for Kubernetes | ingressNginx.controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | ingressNginx.controller.admissionWebhooks.annotations | object | `{}` | | | ingressNginx.controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | +| ingressNginx.controller.admissionWebhooks.certManager.admissionCert.revisionHistoryLimit | int | `0` | Revision history limit of the webhook certificate. Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec | | ingressNginx.controller.admissionWebhooks.certManager.enabled | bool | `false` | | | ingressNginx.controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | +| ingressNginx.controller.admissionWebhooks.certManager.rootCert.revisionHistoryLimit | int | `0` | Revision history limit of the root certificate. Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec | | ingressNginx.controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | +| ingressNginx.controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds | int | `0` | Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. | | ingressNginx.controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | ingressNginx.controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | ingressNginx.controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | 
@@ -46,10 +49,10 @@ A Helm chart for Kubernetes | ingressNginx.controller.admissionWebhooks.namespaceSelector | object | `{}` | | | ingressNginx.controller.admissionWebhooks.objectSelector | object | `{}` | | | ingressNginx.controller.admissionWebhooks.patch.enabled | bool | `true` | | -| ingressNginx.controller.admissionWebhooks.patch.image.digest | string | `"sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524"` | | +| ingressNginx.controller.admissionWebhooks.patch.image.digest | string | `"sha256:e63459ec5965840af34d6d6a2f4c017eb6e212db83e054908d0bd148e1f35489"` | | | ingressNginx.controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | ingressNginx.controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| ingressNginx.controller.admissionWebhooks.patch.image.tag | string | `"v1.5.3"` | | +| ingressNginx.controller.admissionWebhooks.patch.image.tag | string | `"v1.6.1"` | | | ingressNginx.controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | ingressNginx.controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | ingressNginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -57,12 +60,14 @@ A Helm chart for Kubernetes | ingressNginx.controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | | ingressNginx.controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC | | ingressNginx.controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not | +| ingressNginx.controller.admissionWebhooks.patch.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod | | ingressNginx.controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods | | ingressNginx.controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account | | ingressNginx.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not | | ingressNginx.controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not | | ingressNginx.controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name | | ingressNginx.controller.admissionWebhooks.patch.tolerations | list | `[]` | | +| ingressNginx.controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds | int | `0` | Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. 
| | ingressNginx.controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | ingressNginx.controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | ingressNginx.controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | @@ -116,8 +121,8 @@ A Helm chart for Kubernetes | ingressNginx.controller.hostname | object | `{}` | Optionally customize the pod hostname. | | ingressNginx.controller.image.allowPrivilegeEscalation | bool | `false` | | | ingressNginx.controller.image.chroot | bool | `false` | | -| ingressNginx.controller.image.digest | string | `"sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9"` | | -| ingressNginx.controller.image.digestChroot | string | `"sha256:a697e2bfa419768315250d079ccbbca45f6099c60057769702b912d20897a574"` | | +| ingressNginx.controller.image.digest | string | `"sha256:37e489b22ac77576576e52e474941cd7754238438847c1ee795ad6d59c02b12a"` | | +| ingressNginx.controller.image.digestChroot | string | `"sha256:cace9bc8ad1914e817e5b461d691a00caab652347002ba811077189b85009d7f"` | | | ingressNginx.controller.image.image | string | `"ingress-nginx/controller"` | | | ingressNginx.controller.image.pullPolicy | string | `"IfNotPresent"` | | | ingressNginx.controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -125,7 +130,7 @@ A Helm chart for Kubernetes | ingressNginx.controller.image.runAsNonRoot | bool | `true` | | | ingressNginx.controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | ingressNginx.controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| ingressNginx.controller.image.tag | string | `"v1.12.2"` | | +| ingressNginx.controller.image.tag | string | `"v1.13.1"` | | | ingressNginx.controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | ingressNginx.controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | ingressNginx.controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | 
@@ -175,12 +180,17 @@ A Helm chart for Kubernetes | ingressNginx.controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | | ingressNginx.controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | | ingressNginx.controller.metrics.serviceMonitor.enabled | bool | `false` | | +| ingressNginx.controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. | +| ingressNginx.controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. | +| ingressNginx.controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. | | ingressNginx.controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | ingressNginx.controller.metrics.serviceMonitor.namespace | string | `""` | | | ingressNginx.controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | | | ingressNginx.controller.metrics.serviceMonitor.relabelings | list | `[]` | | +| ingressNginx.controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. | | ingressNginx.controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | ingressNginx.controller.metrics.serviceMonitor.targetLabels | list | `[]` | | +| ingressNginx.controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. | | ingressNginx.controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | ingressNginx.controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | ingressNginx.controller.name | string | `"controller"` | | 
@@ -207,26 +217,31 @@ A Helm chart for Kubernetes | ingressNginx.controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | ingressNginx.controller.resources.requests.cpu | string | `"100m"` | | | ingressNginx.controller.resources.requests.memory | string | `"90Mi"` | | +| ingressNginx.controller.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod | | ingressNginx.controller.scope.enabled | bool | `false` | Enable 'scope' or not | | ingressNginx.controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | ingressNginx.controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | | ingressNginx.controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. | | ingressNginx.controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | ingressNginx.controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. 
Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| ingressNginx.controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | ingressNginx.controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. | | ingressNginx.controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | | ingressNginx.controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | | ingressNginx.controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | +| ingressNginx.controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. | | ingressNginx.controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | ingressNginx.controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | ingressNginx.controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. 
Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | | ingressNginx.controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | ingressNginx.controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| ingressNginx.controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | ingressNginx.controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | | ingressNginx.controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | ingressNginx.controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. 
Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | ingressNginx.controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | ingressNginx.controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| ingressNginx.controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. | | ingressNginx.controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | | ingressNginx.controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | ingressNginx.controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. | 
@@ -237,6 +252,7 @@ A Helm chart for Kubernetes | ingressNginx.controller.service.internal.ports | object | `{}` | | | ingressNginx.controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | ingressNginx.controller.service.internal.targetPorts | object | `{}` | | +| ingressNginx.controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution | | ingressNginx.controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | ingressNginx.controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | ingressNginx.controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | 
@@ -253,6 +269,7 @@ A Helm chart for Kubernetes | ingressNginx.controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | ingressNginx.controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | | ingressNginx.controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | +| ingressNginx.controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution | | ingressNginx.controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | ingressNginx.controller.shareProcessNamespace | bool | `false` | | | ingressNginx.controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | 
@@ -312,7 +329,9 @@ A Helm chart for Kubernetes | ingressNginx.defaultBackend.readinessProbe.timeoutSeconds | int | `5` | | | ingressNginx.defaultBackend.replicaCount | int | `1` | | | ingressNginx.defaultBackend.resources | object | `{}` | | +| ingressNginx.defaultBackend.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod | | ingressNginx.defaultBackend.service.annotations | object | `{}` | | +| ingressNginx.defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | ingressNginx.defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | ingressNginx.defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | ingressNginx.defaultBackend.service.servicePort | int | `80` | | @@ -368,7 +387,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.3" + targetRevision: "0.1.4" chart: ingress-nginx path: '' helm: diff --git a/charts/ingress-nginx/charts/ingress-nginx-4.12.2.tgz b/charts/ingress-nginx/charts/ingress-nginx-4.12.2.tgz deleted file mode 100644 index 937ad18d..00000000 Binary files a/charts/ingress-nginx/charts/ingress-nginx-4.12.2.tgz and /dev/null differ diff --git a/charts/ingress-nginx/charts/ingress-nginx-4.13.1.tgz b/charts/ingress-nginx/charts/ingress-nginx-4.13.1.tgz new file mode 100644 index 00000000..e4f006f0 Binary files /dev/null and b/charts/ingress-nginx/charts/ingress-nginx-4.13.1.tgz differ 
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 4022f0da..1d9c1d34 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -47,9 +47,9 @@ ingressNginx: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.12.2" - digest: sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 - digestChroot: sha256:a697e2bfa419768315250d079ccbbca45f6099c60057769702b912d20897a574 + tag: "v1.13.1" + digest: sha256:37e489b22ac77576576e52e474941cd7754238438847c1ee795ad6d59c02b12a + digestChroot: sha256:cace9bc8ad1914e817e5b461d691a00caab652347002ba811077189b85009d7f pullPolicy: IfNotPresent runAsNonRoot: true # -- This value must not be changed using the official image. @@ -95,6 +95,8 @@ ingressNginx: # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. dnsPolicy: ClusterFirst + # -- Instruct the kubelet to use the named RuntimeClass to run the pod + runtimeClassName: "" # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false 
@@ -503,6 +505,8 @@ ingressNginx: external: # -- Enable the external controller service or not. Useful for internal-only deployments. enabled: true + # -- Labels to be added to the external controller service. + labels: {} # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. annotations: {} # -- Labels to be added to both controller services. @@ -514,6 +518,10 @@ ingressNginx: # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address clusterIP: "" + # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIPs: [] # -- List of node IP addresses at which the external controller service is available. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] 
@@ -540,6 +548,9 @@ ingressNginx: # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 + # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services @@ -583,6 +594,8 @@ ingressNginx: internal: # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. enabled: false + # -- Labels to be added to the internal controller service. + labels: {} # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} 
@@ -594,6 +607,10 @@ ingressNginx: # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address clusterIP: "" + # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIPs: [] # -- List of node IP addresses at which the internal controller service is available. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] @@ -620,6 +637,9 @@ ingressNginx: # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 + # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services @@ -771,6 +791,8 @@ ingressNginx: type: ClusterIP createSecretJob: name: create + # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. + activeDeadlineSeconds: 0 # -- Security context for secret creation containers securityContext: runAsNonRoot: true 
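Review bot: `activeDeadlineSeconds: 0` on `createSecretJob` (last hunk on this line) and on `patchWebhookJob` in the following hunk leaves both admission-webhook jobs without a deadline, as the added comment itself states. A job that cannot finish, for example because its image cannot be pulled, would then stay active until someone notices, which in a wrapper chart usually shows up as a stuck install or upgrade. If this chart is meant to carry opinionated defaults, a positive value such as `activeDeadlineSeconds: 300` (a constructed example, to be tuned per cluster) would bound that; otherwise the comment could say that the upstream default is kept on purpose. Both mappings continue outside their hunks.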
@@ -792,6 +814,8 @@ ingressNginx: # memory: 20Mi patchWebhookJob: name: patch + # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. + activeDeadlineSeconds: 0 # -- Security context for webhook patch containers securityContext: runAsNonRoot: true @@ -813,12 +837,14 @@ ingressNginx: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.5.3 - digest: sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + tag: v1.6.1 + digest: sha256:e63459ec5965840af34d6d6a2f4c017eb6e212db83e054908d0bd148e1f35489 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## priorityClassName: "" + # -- Instruct the kubelet to use the named RuntimeClass to run the pod + runtimeClassName: "" podAnnotations: {} # NetworkPolicy for webhook patch networkPolicy: @@ -850,9 +876,15 @@ ingressNginx: rootCert: # default to be 5y duration: "" + # -- Revision history limit of the root certificate. + # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec + revisionHistoryLimit: 0 admissionCert: # default to be 1y duration: "" + # -- Revision history limit of the webhook certificate. + # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec + revisionHistoryLimit: 0 # issuerRef: # name: "issuer" # kind: "ClusterIssuer" 
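Review bot: The two `revisionHistoryLimit: 0` defaults added under `rootCert` and `admissionCert` (hunk at -850) are documented only as "Revision history limit", with no word on what `0` does. cert-manager's CertificateSpec describes the field as needing a value of 1 or greater when set, so `0` here presumably stands for "leave the field unset" and relies on the subchart template omitting it; that should be confirmed, because a literal 0 passed through would be rejected. I would add a second comment line, `# 0 leaves the field unset; set to 1 or greater to cap retained CertificateRequest revisions.`, once the template behaviour is verified.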
@@ -899,6 +931,16 @@ ingressNginx: targetLabels: [] relabelings: [] metricRelabelings: [] + # -- Per-scrape limit on number of labels that will be accepted for a sample. + labelLimit: 0 + # -- Per-scrape limit on length of labels name that will be accepted for a sample. + labelNameLengthLimit: 0 + # -- Per-scrape limit on length of labels value that will be accepted for a sample. + labelValueLengthLimit: 0 + # -- Defines a per-scrape limit on the number of scraped samples that will be accepted. + sampleLimit: 0 + # -- Defines a limit on the number of scraped targets that will be accepted. + targetLimit: 0 prometheusRule: enabled: false additionalLabels: {} @@ -1162,7 +1204,10 @@ ingressNginx: service: annotations: {} # clusterIP: "" - + # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIPs: [] # -- List of IP addresses at which the default backend service is available ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## @@ -1172,6 +1217,8 @@ ingressNginx: servicePort: 80 type: ClusterIP priorityClassName: "" + # -- Instruct the kubelet to use the named RuntimeClass to run the pod + runtimeClassName: "" # -- Labels to be added to the default backend resources labels: {} ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 diff --git a/charts/kube-prometheus-stack/Chart.lock b/charts/kube-prometheus-stack/Chart.lock index f988a640..6cb05c2a 100644 --- a/charts/kube-prometheus-stack/Chart.lock +++ b/charts/kube-prometheus-stack/Chart.lock 
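Review bot: The five new ServiceMonitor limits in the hunk at -899 (`labelLimit`, `labelNameLengthLimit`, `labelValueLengthLimit`, `sampleLimit`, `targetLimit`) all default to `0`, and none of the comments say what `0` means. In Prometheus a limit of 0 means no limit, so with these defaults a scrape of the controller is unbounded once `serviceMonitor.enabled` is turned on; I would append `0 means no limit.` to each description after confirming how the subchart template renders a zero. Clusters that do scrape the controller may want a non-zero `sampleLimit`, since the number of series can grow with the number of Ingress objects.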
@@ -1,6 +1,6 @@ dependencies: - name: kube-prometheus-stack repository: https://prometheus-community.github.io/helm-charts - version: 72.3.1 -digest: sha256:0fa4db9176dd8b6927926ad48aefd95ae8ca6c7205f0b6fda94c18841017b934 -generated: "2025-05-14T10:23:41.25331317Z" + version: 76.4.0 +digest: sha256:c45a75bcdb067c9d3d1c05f4069d61ce3746ae0a608a597243eada83afc5fa3f +generated: "2025-08-20T10:25:23.46805316Z" diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml index aa159653..49afaa28 100644 --- a/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kube-prometheus-stack/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +version: 0.1.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -24,6 +24,6 @@ version: 0.1.2 appVersion: "v0.80.1" dependencies: - name: kube-prometheus-stack - version: 72.3.1 + version: 76.4.0 repository: "https://prometheus-community.github.io/helm-charts" alias: kubePrometheusStack diff --git a/charts/kube-prometheus-stack/README.md b/charts/kube-prometheus-stack/README.md index d124e9e5..bedbf76e 100644 --- a/charts/kube-prometheus-stack/README.md +++ b/charts/kube-prometheus-stack/README.md 
@@ -1,6 +1,6 @@ # kube-prometheus-stack -![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.80.1](https://img.shields.io/badge/AppVersion-v0.80.1-informational?style=flat-square) +![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.80.1](https://img.shields.io/badge/AppVersion-v0.80.1-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://prometheus-community.github.io/helm-charts | kubePrometheusStack(kube-prometheus-stack) | 72.3.1 | +| https://prometheus-community.github.io/helm-charts | kubePrometheusStack(kube-prometheus-stack) | 76.4.0 | ## Description @@ -22,6 +22,8 @@ A Helm chart for Kubernetes | Key | Type | Default | Description | |-----|------|---------|-------------| | kubePrometheusStack.additionalPrometheusRulesMap | object | `{}` | | +| kubePrometheusStack.alertmanager.additionalLabels | object | `{}` | | +| kubePrometheusStack.alertmanager.alertmanagerSpec.additionalArgs | list | `[]` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.additionalConfig | object | `{}` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.additionalConfigString | string | `""` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.additionalPeers | list | `[]` | | 
@@ -38,8 +40,11 @@ A Helm chart for Kubernetes | kubePrometheusStack.alertmanager.alertmanagerSpec.clusterPushpullInterval | string | `""` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.configMaps | list | `[]` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.containers | list | `[]` | | +| kubePrometheusStack.alertmanager.alertmanagerSpec.dnsConfig | object | `{}` | | +| kubePrometheusStack.alertmanager.alertmanagerSpec.dnsPolicy | string | `""` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.externalUrl | string | `nil` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.forceEnableClusterMode | bool | `false` | | +| kubePrometheusStack.alertmanager.alertmanagerSpec.image.pullPolicy | string | `"IfNotPresent"` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.image.registry | string | `"quay.io"` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.image.repository | string | `"prometheus/alertmanager"` | | | kubePrometheusStack.alertmanager.alertmanagerSpec.image.sha | string | `""` | | @@ -109,6 +114,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.alertmanager.ingress.annotations | object | `{}` | | | kubePrometheusStack.alertmanager.ingress.enabled | bool | `false` | | | kubePrometheusStack.alertmanager.ingress.hosts | list | `[]` | | +| kubePrometheusStack.alertmanager.ingress.ingressClassName | string | `""` | | | kubePrometheusStack.alertmanager.ingress.labels | object | `{}` | | | kubePrometheusStack.alertmanager.ingress.paths | list | `[]` | | | kubePrometheusStack.alertmanager.ingress.tls | list | `[]` | | 
@@ -116,6 +122,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.alertmanager.ingressPerReplica.enabled | bool | `false` | | | kubePrometheusStack.alertmanager.ingressPerReplica.hostDomain | string | `""` | | | kubePrometheusStack.alertmanager.ingressPerReplica.hostPrefix | string | `""` | | +| kubePrometheusStack.alertmanager.ingressPerReplica.ingressClassName | string | `""` | | | kubePrometheusStack.alertmanager.ingressPerReplica.labels | object | `{}` | | | kubePrometheusStack.alertmanager.ingressPerReplica.paths | list | `[]` | | | kubePrometheusStack.alertmanager.ingressPerReplica.tlsSecretName | string | `""` | | 
@@ -136,7 +143,6 @@ A Helm chart for Kubernetes | kubePrometheusStack.alertmanager.networkPolicy.monitoringRules.prometheus | bool | `true` | Enable ingress from Prometheus # | | kubePrometheusStack.alertmanager.networkPolicy.policyTypes | list | `["Ingress"]` | Define policy types. If egress is enabled, both Ingress and Egress will be used Valid values are ["Ingress"] or ["Ingress", "Egress"] # | | kubePrometheusStack.alertmanager.podDisruptionBudget.enabled | bool | `false` | | -| kubePrometheusStack.alertmanager.podDisruptionBudget.maxUnavailable | string | `""` | | | kubePrometheusStack.alertmanager.podDisruptionBudget.minAvailable | int | `1` | | | kubePrometheusStack.alertmanager.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `"AlwaysAllow"` | | | kubePrometheusStack.alertmanager.route | object | `{"main":{"additionalRules":[],"annotations":{},"apiVersion":"gateway.networking.k8s.io/v1","enabled":false,"filters":[],"hostnames":[],"httpsRedirect":false,"kind":"HTTPRoute","labels":{},"matches":[{"path":{"type":"PathPrefix","value":"/"}}],"parentRefs":[]}}` | BETA: Configure the gateway routes for the chart here. More routes can be added by adding a dictionary key like the 'main' route. Be aware that this is an early beta of this feature, kube-prometheus-stack does not guarantee this works and is subject to change. Being BETA this can/will change in the future without notice, do not use unless you want to take that risk [[ref]](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2) | 
@@ -327,6 +333,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.defaultRules.additionalRuleGroupLabels.prometheusOperator | object | `{}` | | | kubePrometheusStack.defaultRules.additionalRuleLabels | object | `{}` | | | kubePrometheusStack.defaultRules.annotations | object | `{}` | | +| kubePrometheusStack.defaultRules.appNamespacesOperator | string | `"=~"` | | | kubePrometheusStack.defaultRules.appNamespacesTarget | string | `".*"` | | | kubePrometheusStack.defaultRules.create | bool | `true` | | | kubePrometheusStack.defaultRules.disabled | object | `{}` | | @@ -374,8 +381,6 @@ A Helm chart for Kubernetes | kubePrometheusStack.global.imageRegistry | string | `""` | | | kubePrometheusStack.global.rbac.create | bool | `true` | | | kubePrometheusStack.global.rbac.createAggregateClusterRoles | bool | `false` | | -| kubePrometheusStack.global.rbac.pspAnnotations | object | `{}` | | -| kubePrometheusStack.global.rbac.pspEnabled | bool | `false` | | | kubePrometheusStack.grafana.additionalDataSources | list | `[]` | | | kubePrometheusStack.grafana.adminPassword | string | `"prom-operator"` | | | kubePrometheusStack.grafana.adminUser | string | `"admin"` | | 
@@ -693,7 +698,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.nodeExporter.operatingSystems.darwin.enabled | bool | `true` | | | kubePrometheusStack.nodeExporter.operatingSystems.linux.enabled | bool | `true` | | | kubePrometheusStack.prometheus-node-exporter.extraArgs[0] | string | `"--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)"` | | -| kubePrometheusStack.prometheus-node-exporter.extraArgs[1] | string | `"--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$"` | | +| kubePrometheusStack.prometheus-node-exporter.extraArgs[1] | string | `"--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs|erofs)$"` | | | kubePrometheusStack.prometheus-node-exporter.namespaceOverride | string | `""` | | | kubePrometheusStack.prometheus-node-exporter.podLabels.jobLabel | string | `"node-exporter"` | | | kubePrometheusStack.prometheus-node-exporter.prometheus.monitor.enabled | bool | `true` | | @@ -721,6 +726,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus-windows-exporter.prometheus.monitor.enabled | bool | `true` | | | kubePrometheusStack.prometheus-windows-exporter.prometheus.monitor.jobLabel | string | `"jobLabel"` | | | kubePrometheusStack.prometheus-windows-exporter.releaseLabel | bool | `true` | | +| kubePrometheusStack.prometheus.additionalLabels | object | `{}` | | | kubePrometheusStack.prometheus.additionalPodMonitors | list | `[]` | | | kubePrometheusStack.prometheus.additionalRulesForClusterRole | list | `[]` | | | kubePrometheusStack.prometheus.additionalServiceMonitors | list | `[]` | | 
@@ -732,6 +738,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.ingress.annotations | object | `{}` | | | kubePrometheusStack.prometheus.ingress.enabled | bool | `false` | | | kubePrometheusStack.prometheus.ingress.hosts | list | `[]` | | +| kubePrometheusStack.prometheus.ingress.ingressClassName | string | `""` | | | kubePrometheusStack.prometheus.ingress.labels | object | `{}` | | | kubePrometheusStack.prometheus.ingress.paths | list | `[]` | | | kubePrometheusStack.prometheus.ingress.tls | list | `[]` | | @@ -739,6 +746,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.ingressPerReplica.enabled | bool | `false` | | | kubePrometheusStack.prometheus.ingressPerReplica.hostDomain | string | `""` | | | kubePrometheusStack.prometheus.ingressPerReplica.hostPrefix | string | `""` | | +| kubePrometheusStack.prometheus.ingressPerReplica.ingressClassName | string | `""` | | | kubePrometheusStack.prometheus.ingressPerReplica.labels | object | `{}` | | | kubePrometheusStack.prometheus.ingressPerReplica.paths | list | `[]` | | | kubePrometheusStack.prometheus.ingressPerReplica.tlsSecretName | string | `""` | | 
@@ -747,12 +755,8 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.networkPolicy.enabled | bool | `false` | | | kubePrometheusStack.prometheus.networkPolicy.flavor | string | `"kubernetes"` | | | kubePrometheusStack.prometheus.podDisruptionBudget.enabled | bool | `false` | | -| kubePrometheusStack.prometheus.podDisruptionBudget.maxUnavailable | string | `""` | | | kubePrometheusStack.prometheus.podDisruptionBudget.minAvailable | int | `1` | | | kubePrometheusStack.prometheus.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `"AlwaysAllow"` | | -| kubePrometheusStack.prometheus.podSecurityPolicy.allowedCapabilities | list | `[]` | | -| kubePrometheusStack.prometheus.podSecurityPolicy.allowedHostPaths | list | `[]` | | -| kubePrometheusStack.prometheus.podSecurityPolicy.volumes | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.additionalAlertManagerConfigs | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.additionalAlertManagerConfigsSecret | object | `{}` | | | kubePrometheusStack.prometheus.prometheusSpec.additionalAlertRelabelConfigs | list | `[]` | | 
@@ -774,8 +778,11 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.prometheusSpec.configMaps | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.containers | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.disableCompaction | bool | `false` | | +| kubePrometheusStack.prometheus.prometheusSpec.dnsConfig | object | `{}` | | +| kubePrometheusStack.prometheus.prometheusSpec.dnsPolicy | string | `""` | | | kubePrometheusStack.prometheus.prometheusSpec.enableAdminAPI | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.enableFeatures | list | `[]` | | +| kubePrometheusStack.prometheus.prometheusSpec.enableOTLPReceiver | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.enableRemoteWriteReceiver | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.enforcedKeepDroppedTargets | int | `0` | | | kubePrometheusStack.prometheus.prometheusSpec.enforcedLabelLimit | bool | `false` | | 
@@ -792,10 +799,11 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.prometheusSpec.hostAliases | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.hostNetwork | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.ignoreNamespaceSelectors | bool | `false` | | +| kubePrometheusStack.prometheus.prometheusSpec.image.pullPolicy | string | `"IfNotPresent"` | | | kubePrometheusStack.prometheus.prometheusSpec.image.registry | string | `"quay.io"` | | | kubePrometheusStack.prometheus.prometheusSpec.image.repository | string | `"prometheus/prometheus"` | | | kubePrometheusStack.prometheus.prometheusSpec.image.sha | string | `""` | | -| kubePrometheusStack.prometheus.prometheusSpec.image.tag | string | `"v3.3.1"` | | +| kubePrometheusStack.prometheus.prometheusSpec.image.tag | string | `"v3.5.0"` | | | kubePrometheusStack.prometheus.prometheusSpec.initContainers | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.listenLocal | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.logFormat | string | `"logfmt"` | | @@ -804,6 +812,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.prometheusSpec.minReadySeconds | int | `0` | | | kubePrometheusStack.prometheus.prometheusSpec.nameValidationScheme | string | `""` | | | kubePrometheusStack.prometheus.prometheusSpec.nodeSelector | object | `{}` | | +| kubePrometheusStack.prometheus.prometheusSpec.otlp | object | `{}` | | | kubePrometheusStack.prometheus.prometheusSpec.overrideHonorLabels | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.overrideHonorTimestamps | bool | `false` | | | kubePrometheusStack.prometheus.prometheusSpec.paused | bool | `false` | | 
@@ -814,6 +823,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.prometheusSpec.podMonitorNamespaceSelector | object | `{}` | | | kubePrometheusStack.prometheus.prometheusSpec.podMonitorSelector | object | `{}` | | | kubePrometheusStack.prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues | bool | `true` | | +| kubePrometheusStack.prometheus.prometheusSpec.podTargetLabels | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.portName | string | `"http-web"` | | | kubePrometheusStack.prometheus.prometheusSpec.priorityClassName | string | `""` | | | kubePrometheusStack.prometheus.prometheusSpec.probeNamespaceSelector | object | `{}` | | @@ -844,6 +854,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.prometheusSpec.scrapeConfigSelectorNilUsesHelmValues | bool | `true` | | | kubePrometheusStack.prometheus.prometheusSpec.scrapeFailureLogFile | string | `""` | | | kubePrometheusStack.prometheus.prometheusSpec.scrapeInterval | string | `""` | | +| kubePrometheusStack.prometheus.prometheusSpec.scrapeProtocols | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.scrapeTimeout | string | `""` | | | kubePrometheusStack.prometheus.prometheusSpec.secrets | list | `[]` | | | kubePrometheusStack.prometheus.prometheusSpec.securityContext.fsGroup | int | `2000` | | @@ -927,6 +938,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.thanosIngress.annotations | object | `{}` | | | kubePrometheusStack.prometheus.thanosIngress.enabled | bool | `false` | | | kubePrometheusStack.prometheus.thanosIngress.hosts | list | `[]` | | +| kubePrometheusStack.prometheus.thanosIngress.ingressClassName | string | `""` | | | kubePrometheusStack.prometheus.thanosIngress.labels | object | `{}` | | | kubePrometheusStack.prometheus.thanosIngress.nodePort | int | `30901` | | | kubePrometheusStack.prometheus.thanosIngress.paths | list | `[]` | | 
@@ -972,7 +984,6 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheus.thanosServiceMonitor.metricRelabelings | list | `[]` | | | kubePrometheusStack.prometheus.thanosServiceMonitor.relabelings | list | `[]` | | | kubePrometheusStack.prometheus.thanosServiceMonitor.scheme | string | `""` | | -| kubePrometheusStack.prometheus.thanosServiceMonitor.scrapeProtocols | list | `[]` | | | kubePrometheusStack.prometheus.thanosServiceMonitor.tlsConfig | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.annotations | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.caBundle | string | `""` | | @@ -1008,7 +1019,6 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.nodeSelector | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podAnnotations | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget.enabled | bool | `false` | | -| kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget.maxUnavailable | string | `""` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget.minAvailable | int | `1` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `"AlwaysAllow"` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.podLabels | object | `{}` | | 
@@ -1052,6 +1062,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheusOperator.admissionWebhooks.deployment.tolerations | list | `[]` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.enabled | bool | `true` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.failurePolicy | string | `""` | | +| kubePrometheusStack.prometheusOperator.admissionWebhooks.matchConditions | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.mutatingWebhookConfiguration.annotations | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.namespaceSelector | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.objectSelector | object | `{}` | | @@ -1062,7 +1073,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.image.repository | string | `"ingress-nginx/kube-webhook-certgen"` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.image.sha | string | `""` | | -| kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.image.tag | string | `"v1.5.3"` | | +| kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.image.tag | string | `"v1.6.1"` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.nodeSelector | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.podAnnotations | object | `{}` | | | kubePrometheusStack.prometheusOperator.admissionWebhooks.patch.priorityClassName | string | `""` | | 
@@ -1124,7 +1135,6 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheusOperator.nodeSelector | object | `{}` | | | kubePrometheusStack.prometheusOperator.podAnnotations | object | `{}` | | | kubePrometheusStack.prometheusOperator.podDisruptionBudget.enabled | bool | `false` | | -| kubePrometheusStack.prometheusOperator.podDisruptionBudget.maxUnavailable | string | `""` | | | kubePrometheusStack.prometheusOperator.podDisruptionBudget.minAvailable | int | `1` | | | kubePrometheusStack.prometheusOperator.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `"AlwaysAllow"` | | | kubePrometheusStack.prometheusOperator.podLabels | object | `{}` | | @@ -1185,7 +1195,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.prometheusOperator.thanosImage.registry | string | `"quay.io"` | | | kubePrometheusStack.prometheusOperator.thanosImage.repository | string | `"thanos/thanos"` | | | kubePrometheusStack.prometheusOperator.thanosImage.sha | string | `""` | | -| kubePrometheusStack.prometheusOperator.thanosImage.tag | string | `"v0.38.0"` | | +| kubePrometheusStack.prometheusOperator.thanosImage.tag | string | `"v0.39.2"` | | | kubePrometheusStack.prometheusOperator.thanosRulerInstanceNamespaces | list | `[]` | | | kubePrometheusStack.prometheusOperator.thanosRulerInstanceSelector | string | `""` | | | kubePrometheusStack.prometheusOperator.tls.enabled | bool | `true` | | 
@@ -1204,11 +1214,11 @@ A Helm chart for Kubernetes | kubePrometheusStack.thanosRuler.ingress.annotations | object | `{}` | | | kubePrometheusStack.thanosRuler.ingress.enabled | bool | `false` | | | kubePrometheusStack.thanosRuler.ingress.hosts | list | `[]` | | +| kubePrometheusStack.thanosRuler.ingress.ingressClassName | string | `""` | | | kubePrometheusStack.thanosRuler.ingress.labels | object | `{}` | | | kubePrometheusStack.thanosRuler.ingress.paths | list | `[]` | | | kubePrometheusStack.thanosRuler.ingress.tls | list | `[]` | | | kubePrometheusStack.thanosRuler.podDisruptionBudget.enabled | bool | `false` | | -| kubePrometheusStack.thanosRuler.podDisruptionBudget.maxUnavailable | string | `""` | | | kubePrometheusStack.thanosRuler.podDisruptionBudget.minAvailable | int | `1` | | | kubePrometheusStack.thanosRuler.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `"AlwaysAllow"` | | | kubePrometheusStack.thanosRuler.route | object | `{"main":{"additionalRules":[],"annotations":{},"apiVersion":"gateway.networking.k8s.io/v1","enabled":false,"filters":[],"hostnames":[],"httpsRedirect":false,"kind":"HTTPRoute","labels":{},"matches":[{"path":{"type":"PathPrefix","value":"/"}}],"parentRefs":[]}}` | BETA: Configure the gateway routes for the chart here. More routes can be added by adding a dictionary key like the 'main' route. Be aware that this is an early beta of this feature, kube-prometheus-stack does not guarantee this works and is subject to change. Being BETA this can/will change in the future without notice, do not use unless you want to take that risk [[ref]](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2) | 
@@ -1265,7 +1275,7 @@ A Helm chart for Kubernetes | kubePrometheusStack.thanosRuler.thanosRulerSpec.image.registry | string | `"quay.io"` | | | kubePrometheusStack.thanosRuler.thanosRulerSpec.image.repository | string | `"thanos/thanos"` | | | kubePrometheusStack.thanosRuler.thanosRulerSpec.image.sha | string | `""` | | -| kubePrometheusStack.thanosRuler.thanosRulerSpec.image.tag | string | `"v0.38.0"` | | +| kubePrometheusStack.thanosRuler.thanosRulerSpec.image.tag | string | `"v0.39.2"` | | | kubePrometheusStack.thanosRuler.thanosRulerSpec.initContainers | list | `[]` | | | kubePrometheusStack.thanosRuler.thanosRulerSpec.labels | object | `{}` | | | kubePrometheusStack.thanosRuler.thanosRulerSpec.listenLocal | bool | `false` | | @@ -1329,7 +1339,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.2" + targetRevision: "0.1.3" chart: kube-prometheus-stack path: '' helm: diff --git a/charts/kube-prometheus-stack/charts/kube-prometheus-stack-72.3.1.tgz b/charts/kube-prometheus-stack/charts/kube-prometheus-stack-72.3.1.tgz deleted file mode 100644 index ea520468..00000000 Binary files a/charts/kube-prometheus-stack/charts/kube-prometheus-stack-72.3.1.tgz and /dev/null differ diff --git a/charts/kube-prometheus-stack/charts/kube-prometheus-stack-76.4.0.tgz b/charts/kube-prometheus-stack/charts/kube-prometheus-stack-76.4.0.tgz new file mode 100644 index 00000000..eccfd833 Binary files /dev/null and b/charts/kube-prometheus-stack/charts/kube-prometheus-stack-76.4.0.tgz differ diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml index ac16c284..bc4f3466 100644 --- a/charts/kube-prometheus-stack/values.yaml +++ b/charts/kube-prometheus-stack/values.yaml 
@@ -205,6 +205,11 @@ kubePrometheusStack: prometheusOperator: true windows: true + # Defines the operator for namespace selection in rules + # Use "=~" to include namespaces matching the pattern (default) + # Use "!~" to exclude namespaces matching the pattern + appNamespacesOperator: "=~" + ## Reduce app namespace alert scope appNamespacesTarget: ".*" @@ -334,16 +339,6 @@ kubePrometheusStack: ## Create ClusterRoles that extend the existing view, edit and admin ClusterRoles to interact with prometheus-operator CRDs ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles createAggregateClusterRoles: false - pspEnabled: false - pspAnnotations: {} - ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl - ## - # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' - # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' ## Global image registry to use if it needs to be overridden for some specific use cases (e.g local registries, custom images, ...) ## @@ -401,6 +396,10 @@ kubePrometheusStack: ## annotations: {} + ## Additional labels for Alertmanager + ## + additionalLabels: {} + ## Api that prometheus will use to communicate with alertmanager. Possible values are v1, v2 ## apiVersion: v2 @@ -501,7 +500,7 @@ kubePrometheusStack: podDisruptionBudget: enabled: false minAvailable: 1 - maxUnavailable: "" + # maxUnavailable: "" unhealthyPodEvictionPolicy: AlwaysAllow ## Alertmanager configuration directives 
@@ -597,9 +596,7 @@ kubePrometheusStack: ingress: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} @@ -685,9 +682,7 @@ kubePrometheusStack: ingressPerReplica: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} labels: {} @@ -922,6 +917,7 @@ kubePrometheusStack: repository: prometheus/alertmanager tag: v0.28.1 sha: "" + pullPolicy: IfNotPresent ## If true then the user will be responsible to provide a secret with alertmanager configuration ## So when true the config part will be ignored (including templateFiles) and the one in the secret will be used @@ -1001,6 +997,9 @@ kubePrometheusStack: # alertmanagerConfigMatcherStrategy: # type: OnNamespace + ## Additional command line arguments to pass to Alertmanager (in addition to those generated by the chart) + additionalArgs: [] + ## Define Log Format # Use logfmt (default) or json logging logFormat: logfmt @@ -1029,7 +1028,7 @@ kubePrometheusStack: # resources: # requests: # storage: 50Gi - # selector: {} + # selector: {} ## The external URL the Alertmanager instances will be available under. This is necessary to generate correct URLs. This is necessary if Alertmanager is not served from root of a DNS name. string false 
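Review bot: The two ingress hunks here (`@@ -597,9 +596,7` for `alertmanager.ingress` and `@@ -685,9 +682,7` for `alertmanager.ingressPerReplica`) replace the explanatory comment with a bare `ingressClassName: ""`, so the values file no longer says what an empty class means. If the chart omits the field when the value is empty (the template is not visible in this diff), an enabled Ingress is claimed by whichever controller is the cluster default, which may be an externally reachable one, and Alertmanager serves its UI and API without authentication by default. I would keep a one-line comment above the key, e.g. `## Ingress class to use; when empty the cluster's default IngressClass applies, so set it explicitly before enabling`. The same applies to the `thanosIngress`, `prometheus.ingress` and `prometheus.ingressPerReplica` hunks further down (`@@ -3640,16 +3653,14`, `@@ -3697,9 +3708,7`, `@@ -3778,9 +3787,7`).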
@@ -1122,6 +1121,14 @@ kubePrometheusStack: seccompProfile: type: RuntimeDefault + ## DNS configuration for Alertmanager. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#monitoring.coreos.com/v1.PodDNSConfig + dnsConfig: {} + + ## DNS policy for Alertmanager. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#dnspolicystring-alias + dnsPolicy: "" + ## ListenLocal makes the Alertmanager server listen on loopback, so that it does not bind against the Pod IP. ## Note this is only for the Alertmanager UI, not the gossip communication. ## @@ -1132,7 +1139,7 @@ kubePrometheusStack: containers: [] # containers: # - name: oauth-proxy - # image: quay.io/oauth2-proxy/oauth2-proxy:v7.9.0 + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.11.0 # args: # - --upstream=http://127.0.0.1:9093 # - --http-address=0.0.0.0:8081 
@@ -1174,15 +1181,15 @@ kubePrometheusStack: clusterAdvertiseAddress: false ## clusterGossipInterval determines interval between gossip attempts. - ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) + ## Needs to be specified as GoDuration, a time duration that can be parsed by Go's time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) clusterGossipInterval: "" ## clusterPeerTimeout determines timeout for cluster peering. - ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) + ## Needs to be specified as GoDuration, a time duration that can be parsed by Go's time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) clusterPeerTimeout: "" ## clusterPushpullInterval determines interval between pushpull attempts. - ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) + ## Needs to be specified as GoDuration, a time duration that can be parsed by Go's time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s) clusterPushpullInterval: "" ## clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster. @@ -1390,6 +1397,10 @@ kubePrometheusStack: ## Prometheus request timeout in seconds # timeout: 30 + ## Query parameters to add, as a URL-encoded string, + ## to query Prometheus + # customQueryParameters: "" + # If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default # defaultDatasourceScrapeInterval: 15s 
@@ -1403,7 +1414,7 @@ kubePrometheusStack: ## Create datasource for each Pod of Prometheus StatefulSet; ## this uses by default the headless service `prometheus-operated` which is ## created by Prometheus Operator. In case you deployed your own Service for your - ## Prometheus instance, you can specifiy it with the field `prometheusServiceName` + ## Prometheus instance, you can specify it with the field `prometheusServiceName` ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/0fee93e12dc7c2ea1218f19ae25ec6b893460590/pkg/prometheus/statefulset.go#L255-L286 createPrometheusReplicasDatasources: false prometheusServiceName: prometheus-operated @@ -2525,7 +2536,7 @@ kubePrometheusStack: releaseLabel: true extraArgs: - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/) - - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ + - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs|erofs)$ service: portName: http-metrics ipDualStack: @@ -2670,6 +2681,7 @@ kubePrometheusStack: namespaceSelector: {} objectSelector: {} + matchConditions: {} mutatingWebhookConfiguration: annotations: {} @@ -2694,7 +2706,7 @@ kubePrometheusStack: podDisruptionBudget: enabled: false minAvailable: 1 - maxUnavailable: "" + # maxUnavailable: "" unhealthyPodEvictionPolicy: AlwaysAllow ## Number of old replicasets to retain ## 
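Review bot: `matchConditions: {}` in the `@@ -2670,6 +2681,7` hunk is added under the admission webhook settings without any comment, and it is the key in this commit with direct admission-control impact. Match conditions are CEL expressions that decide which requests are sent to the webhook; a request filtered out by a condition is not validated at all. I would document that above the key, e.g. `## CEL match conditions for the admission webhooks; requests excluded by a condition bypass validation`. The Kubernetes field is a list of name/expression entries, so it is also worth confirming that the map default `{}` is what the chart template expects.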
@@ -2905,7 +2917,7 @@ kubePrometheusStack: image: registry: registry.k8s.io repository: ingress-nginx/kube-webhook-certgen - tag: v1.5.3 # latest tag: https://github.com/kubernetes/ingress-nginx/blob/main/images/kube-webhook-certgen/TAG + tag: v1.6.1 # latest tag: https://github.com/kubernetes/ingress-nginx/blob/main/images/kube-webhook-certgen/TAG sha: "" pullPolicy: IfNotPresent resources: {} @@ -3096,7 +3108,7 @@ kubePrometheusStack: podDisruptionBudget: enabled: false minAvailable: 1 - maxUnavailable: "" + # maxUnavailable: "" unhealthyPodEvictionPolicy: AlwaysAllow ## Assign a PriorityClassName to pods if set @@ -3343,7 +3355,7 @@ kubePrometheusStack: thanosImage: registry: quay.io repository: thanos/thanos - tag: v0.38.0 + tag: v0.39.2 sha: "" ## Set a Label Selector to filter watched prometheus and prometheusAgent @@ -3388,6 +3400,10 @@ kubePrometheusStack: ## annotations: {} + ## Additional labels for Prometheus + ## + additionalLabels: {} + ## Configure network policy for the prometheus networkPolicy: enabled: false @@ -3489,9 +3505,6 @@ kubePrometheusStack: ## relabel configs to apply to samples before ingestion. relabelings: [] - ## Set default scrapeProtocols for Prometheus instances - ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#scrapeprotocolstring-alias - scrapeProtocols: [] # Service for external access to sidecar # Enabling this creates a service to expose thanos-sidecar outside the cluster. thanosServiceExternal: 
@@ -3640,16 +3653,14 @@ kubePrometheusStack: podDisruptionBudget: enabled: false minAvailable: 1 - maxUnavailable: "" + # maxUnavailable: "" unhealthyPodEvictionPolicy: AlwaysAllow # Ingress exposes thanos sidecar outside the cluster thanosIngress: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} labels: {} @@ -3697,9 +3708,7 @@ kubePrometheusStack: ingress: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} labels: {} @@ -3778,9 +3787,7 @@ kubePrometheusStack: ingressPerReplica: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} labels: {} @@ -3816,13 +3823,6 @@ kubePrometheusStack: ## prefix: "prometheus" - ## Configure additional options for default pod security policy for Prometheus - ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ - podSecurityPolicy: - allowedCapabilities: [] - allowedHostPaths: [] - volumes: [] - serviceMonitor: ## If true, create a serviceMonitor for prometheus ## 
@@ -3907,9 +3907,9 @@ kubePrometheusStack: disableCompaction: false ## AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod, - ## If the field isn’t set, the operator mounts the service account token by default. + ## If the field isn't set, the operator mounts the service account token by default. ## Warning: be aware that by default, Prometheus requires the service account token for Kubernetes service discovery, - ## It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container. + ## It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. automountServiceAccountToken: true ## APIServerConfig @@ -3948,6 +3948,11 @@ kubePrometheusStack: # caFile: /etc/prometheus/secrets/istio.default/root-cert.pem # certFile: /etc/prometheus/secrets/istio.default/cert-chain.pem + ## PodTargetLabels are appended to the `spec.podTargetLabels` field of all PodMonitor and ServiceMonitor objects. + ## + podTargetLabels: [] + # - customlabel + ## Interval between consecutive evaluations. ## evaluationInterval: "" @@ -3956,6 +3961,9 @@ kubePrometheusStack: ## listenLocal: false + ## enableOTLPReceiver enables the OTLP receiver for Prometheus. + enableOTLPReceiver: false + ## EnableAdminAPI enables Prometheus the administrative HTTP API which includes functionality such as deleting time series. ## This is disabled by default. ## ref: https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis @@ -3983,6 +3991,14 @@ kubePrometheusStack: enableFeatures: [] # - exemplar-storage + ## https://prometheus.io/docs/guides/opentelemetry + ## + otlp: {} + # promoteResourceAttributes: [] + # keepIdentifyingResourceAttributes: false + # translationStrategy: NoUTF8EscapingWithSuffixes + # convertHistogramsToNHCB: false + ## serviceName: 
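Review bot: The comment on the new `enableOTLPReceiver` key only restates the name, whereas the `EnableAdminAPI` entry directly below explains what is exposed and links the reference. Enabling it makes Prometheus accept pushed metrics on its web port, so the comment should say so, for example `## Opens an OTLP write endpoint on the Prometheus web port; restrict who can reach it (e.g. networkPolicy) before enabling.` The `otlp: {}` block added in the following hunk configures the same feature and could refer back to this key. The surrounding block starts and ends outside the hunk.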
@@ -3991,8 +4007,9 @@ kubePrometheusStack: image: registry: quay.io repository: prometheus/prometheus - tag: v3.3.1 + tag: v3.5.0 sha: "" + pullPolicy: IfNotPresent ## Tolerations for use with node taints ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -4209,7 +4226,7 @@ kubePrometheusStack: retention: 10d ## Maximum size of metrics - ## + ## Unit format should be in the form of "50GiB" retentionSize: "" ## Allow out-of-order/out-of-bounds samples ingested into Prometheus for a specified duration @@ -4321,7 +4338,7 @@ kubePrometheusStack: # resources: # requests: # storage: 50Gi - # selector: {} + # selector: {} ## Using tmpfs volume ## @@ -4360,7 +4377,7 @@ kubePrometheusStack: # regex: __meta_kubernetes_node_label_(.+) # - source_labels: [__address__] # action: replace - # targetLabel: __address__ + # target_label: __address__ # regex: ([^:;]+):(\d+) # replacement: ${1}:2379 # - source_labels: [__meta_kubernetes_node_name] @@ -4368,7 +4385,7 @@ kubePrometheusStack: # regex: .*mst.* # - source_labels: [__meta_kubernetes_node_name] # action: replace - # targetLabel: node + # target_label: node # regex: (.*) # replacement: ${1} # metric_relabel_configs: @@ -4459,6 +4476,14 @@ kubePrometheusStack: seccompProfile: type: RuntimeDefault + ## DNS configuration for Prometheus. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#monitoring.coreos.com/v1.PodDNSConfig + dnsConfig: {} + + ## DNS policy for Prometheus. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#dnspolicystring-alias + dnsPolicy: "" + ## Priority class assigned to the Pods ## priorityClassName: "" 
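Review bot: The Prometheus image in the `image:` block of the first hunk here is still resolved by tag only: `sha: ""` stays empty next to the new `tag: v3.5.0`, and the added `pullPolicy: IfNotPresent` means a node keeps whatever it already has cached under that tag. A registry tag can be re-pointed, so I'd record the digest of the bumped image, e.g. `sha: "<sha256 digest of the v3.5.0 image, placeholder>"`, assuming the chart renders `sha` as a digest reference (the template is not in this diff). The same applies to the kube-webhook-certgen (`v1.6.1`) and both Thanos (`v0.39.2`) hunks, which also leave `sha: ""`.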
@@ -4498,7 +4523,7 @@ kubePrometheusStack: containers: [] # containers: # - name: oauth-proxy - # image: quay.io/oauth2-proxy/oauth2-proxy:v7.9.0 + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.11.0 # args: # - --upstream=http://127.0.0.1:9090 # - --http-address=0.0.0.0:8081 @@ -4615,7 +4640,7 @@ kubePrometheusStack: hostNetwork: false # HostAlias holds the mapping between IP and hostnames that will be injected - # as an entry in the pod’s hosts file. + # as an entry in the pod's hosts file. hostAliases: [] # - ip: 10.10.0.100 # hostnames: @@ -4627,7 +4652,7 @@ kubePrometheusStack: tracingConfig: {} ## Defines the service discovery role used to discover targets from ServiceMonitor objects and Alertmanager endpoints. - ## If set, the value should be either “Endpoints” or “EndpointSlice”. If unset, the operator assumes the “Endpoints” role. + ## If set, the value should be either "Endpoints" or "EndpointSlice". If unset, the operator assumes the "Endpoints" role. serviceDiscoveryRole: "" ## Additional configuration which is not covered by the properties above. (passed through tpl) @@ -4645,6 +4670,10 @@ kubePrometheusStack: ## minutes). maximumStartupDurationSeconds: 0 + ## Set default scrapeProtocols for Prometheus instances + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#scrapeprotocolstring-alias + scrapeProtocols: [] + additionalRulesForClusterRole: [] # - apiGroups: [ "" ] # resources: @@ -4863,15 +4892,13 @@ kubePrometheusStack: podDisruptionBudget: enabled: false minAvailable: 1 - maxUnavailable: "" + # maxUnavailable: "" unhealthyPodEvictionPolicy: AlwaysAllow ingress: enabled: false - # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress - # ingressClassName: nginx + ingressClassName: "" annotations: {} 
@@ -5071,7 +5098,7 @@ kubePrometheusStack: image: registry: quay.io repository: thanos/thanos - tag: v0.38.0 + tag: v0.39.2 sha: "" ## Namespaces to be selected for PrometheusRules discovery. @@ -5137,7 +5164,7 @@ kubePrometheusStack: # resources: # requests: # storage: 50Gi - # selector: {} + # selector: {} ## AlertmanagerConfig define configuration for connecting to alertmanager. ## Only available with Thanos v0.10.0 and higher. Maps to the alertmanagers.config Thanos Ruler arg. diff --git a/charts/kyverno-policies/Chart.lock b/charts/kyverno-policies/Chart.lock index 4ce80734..c24183b4 100644 --- a/charts/kyverno-policies/Chart.lock +++ b/charts/kyverno-policies/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: kyverno-policies repository: https://kyverno.github.io/kyverno/ - version: 3.4.1 -digest: sha256:b89431a68f4f8f139e462342b965ceac69e2e75b17a53008e94b61ecfd3f79c1 -generated: "2025-05-07T10:22:57.488368538Z" + version: 3.5.1 +digest: sha256:19cb043c7ccd2779deb3c8a6dd7d5fe7318e554841ca03a203f03fa602d28be8 +generated: "2025-08-20T10:23:21.767860581Z" diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index 8628e595..7f49c70d 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -24,7 +24,7 @@ version: 0.1.1 appVersion: "1.13.4" dependencies: - name: kyverno-policies - version: 3.4.1 + version: 3.5.1 repository: "https://kyverno.github.io/kyverno/" alias: kyvernopolicies maintainers: 
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md index 24023ee5..3efd6b60 100644 --- a/charts/kyverno-policies/README.md +++ b/charts/kyverno-policies/README.md @@ -1,6 +1,6 @@ # kyverno-policies -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.4](https://img.shields.io/badge/AppVersion-1.13.4-informational?style=flat-square) +![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.4](https://img.shields.io/badge/AppVersion-1.13.4-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kyverno.github.io/kyverno/ | kyvernopolicies(kyverno-policies) | 3.4.1 | +| https://kyverno.github.io/kyverno/ | kyvernopolicies(kyverno-policies) | 3.5.1 | ## Maintainers @@ -30,6 +30,7 @@ A Helm chart for Kubernetes |-----|------|---------|-------------| | kyvernopolicies.autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. | | kyvernopolicies.background | bool | `true` | Policies background mode | +| kyvernopolicies.customAnnotations | object | `{}` | Additional Annotations. | | kyvernopolicies.customLabels | object | `{}` | Additional labels. | | kyvernopolicies.customPolicies | list | `[]` | Additional custom policies to include. | | kyvernopolicies.failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ | 
@@ -45,7 +46,7 @@ A Helm chart for Kubernetes | kyvernopolicies.policyKind | string | `"ClusterPolicy"` | Policy kind (`ClusterPolicy`, `Policy`) Set to `Policy` if you need namespaced policies and not cluster policies | | kyvernopolicies.policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | | kyvernopolicies.skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller | -| kyvernopolicies.validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. | +| kyvernopolicies.validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/policy-types/. | | kyvernopolicies.validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | | kyvernopolicies.validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | | kyvernopolicies.validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | @@ -75,7 +76,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.1" + targetRevision: "0.1.2" chart: kyverno-policies path: '' helm: 
diff --git a/charts/kyverno-policies/charts/kyverno-policies-3.4.1.tgz b/charts/kyverno-policies/charts/kyverno-policies-3.4.1.tgz deleted file mode 100644 index f9a948ad..00000000 Binary files a/charts/kyverno-policies/charts/kyverno-policies-3.4.1.tgz and /dev/null differ diff --git a/charts/kyverno-policies/charts/kyverno-policies-3.5.1.tgz b/charts/kyverno-policies/charts/kyverno-policies-3.5.1.tgz new file mode 100644 index 00000000..0f890c00 Binary files /dev/null and b/charts/kyverno-policies/charts/kyverno-policies-3.5.1.tgz differ diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 507647bd..fc7dcc48 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -58,7 +58,7 @@ kyvernopolicies: # - fluent # -- Validate already existing resources. - # For more info https://kyverno.io/docs/writing-policies/validate. + # For more info https://kyverno.io/docs/policy-types/. validationAllowExistingViolations: true # -- Exclude resources from individual policies. @@ -108,6 +108,9 @@ kyvernopolicies: # -- Name override. nameOverride: + # -- Additional Annotations. + customAnnotations: {} + # -- Additional labels. customLabels: {} diff --git a/charts/kyverno/Chart.lock b/charts/kyverno/Chart.lock index 405959e7..3f4f73e8 100644 --- a/charts/kyverno/Chart.lock +++ b/charts/kyverno/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: kyverno repository: https://kyverno.github.io/kyverno/ - version: 3.4.1 -digest: sha256:91a0bea17ffa77211290f7a569dc9e5f9383814f736c25caea2a07a2b500c2ff -generated: "2025-05-07T10:25:24.475931183Z" + version: 3.5.1 +digest: sha256:b2d61f8e6052f81f8b83abc3d32c0ef39c4f28c11bbc4e638520521643896ac6 +generated: "2025-08-20T10:25:11.239315347Z" diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index dbee9a78..5a483091 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +version: 0.1.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -24,7 +24,7 @@ version: 0.1.2 appVersion: "1.13.4" dependencies: - name: kyverno - version: 3.4.1 + version: 3.5.1 repository: "https://kyverno.github.io/kyverno/" maintainers: - name: wiemaouadi diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 9c95965b..1d8375e7 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -1,6 +1,6 @@ # kyverno -![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.4](https://img.shields.io/badge/AppVersion-1.13.4-informational?style=flat-square) +![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.4](https://img.shields.io/badge/AppVersion-1.13.4-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ | Repository | Name | Version | |------------|------|---------| -| https://kyverno.github.io/kyverno/ | kyverno | 3.4.1 | +| https://kyverno.github.io/kyverno/ | kyverno | 3.5.1 | ## Maintainers 
@@ -48,6 +48,7 @@ A Helm chart for kyverno
 | kyverno.admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
 | kyverno.admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
 | kyverno.admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context |
+| kyverno.admissionController.crdWatcher | bool | `false` | Enable/Disable custom resource watcher to invalidate cache |
 | kyverno.admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
 | kyverno.admissionController.dnsConfig | object | `{}` | `dnsConfig` allows to specify DNS configuration for the pod. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config. |
 | kyverno.admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
@@ -77,6 +78,7 @@ A Helm chart for kyverno
 | kyverno.admissionController.metricsService.create | bool | `true` | Create service. |
 | kyverno.admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | kyverno.admissionController.metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. |
+| kyverno.admissionController.metricsService.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.admissionController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | kyverno.admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | kyverno.admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
@@ -88,6 +90,7 @@ A Helm chart for kyverno
 | kyverno.admissionController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
 | kyverno.admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
 | kyverno.admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
+| kyverno.admissionController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealty pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. |
 | kyverno.admissionController.podLabels | object | `{}` | Additional labels to add to each pod |
 | kyverno.admissionController.podSecurityContext | object | `{}` | Security context for the pod |
 | kyverno.admissionController.priorityClassName | string | `""` | Optional priority class |
@@ -101,6 +104,7 @@ A Helm chart for kyverno
 | kyverno.admissionController.rbac.create | bool | `true` | Create RBAC resources |
 | kyverno.admissionController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role |
 | kyverno.admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| kyverno.admissionController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount |
 | kyverno.admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
 | kyverno.admissionController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding |
 | kyverno.admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
@@ -110,7 +114,9 @@ A Helm chart for kyverno
 | kyverno.admissionController.service.annotations | object | `{}` | Service annotations. |
 | kyverno.admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | kyverno.admissionController.service.port | int | `443` | Service port. |
+| kyverno.admissionController.service.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.admissionController.service.type | string | `"ClusterIP"` | Service type. |
+| kyverno.admissionController.serviceMonitor.additionalAnnotations | object | `{}` | Additional annotations |
 | kyverno.admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | kyverno.admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | kyverno.admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -158,6 +164,7 @@ A Helm chart for kyverno
 | kyverno.backgroundController.metricsService.create | bool | `true` | Create service. |
 | kyverno.backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | kyverno.backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
+| kyverno.backgroundController.metricsService.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | kyverno.backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | kyverno.backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
@@ -169,6 +176,7 @@ A Helm chart for kyverno
 | kyverno.backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
 | kyverno.backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
 | kyverno.backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
+| kyverno.backgroundController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealty pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. |
 | kyverno.backgroundController.podLabels | object | `{}` | Additional labels to add to each pod |
 | kyverno.backgroundController.podSecurityContext | object | `{}` | Security context for the pod |
 | kyverno.backgroundController.priorityClassName | string | `""` | Optional priority class |
@@ -181,6 +189,7 @@ A Helm chart for kyverno
 | kyverno.backgroundController.rbac.create | bool | `true` | Create RBAC resources |
 | kyverno.backgroundController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role |
 | kyverno.backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| kyverno.backgroundController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount |
 | kyverno.backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
 | kyverno.backgroundController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding |
 | kyverno.backgroundController.replicas | int | `nil` | Desired number of pods |
@@ -190,6 +199,7 @@ A Helm chart for kyverno
 | kyverno.backgroundController.revisionHistoryLimit | int | `10` | The number of revisions to keep |
 | kyverno.backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
 | kyverno.backgroundController.server | object | `{"port":9443}` | backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to |
+| kyverno.backgroundController.serviceMonitor.additionalAnnotations | object | `{}` | Additional annotations |
 | kyverno.backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | kyverno.backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | kyverno.backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -232,6 +242,7 @@ A Helm chart for kyverno
 | kyverno.cleanupController.metricsService.create | bool | `true` | Create service. |
 | kyverno.cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | kyverno.cleanupController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
+| kyverno.cleanupController.metricsService.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | kyverno.cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | kyverno.cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
@@ -243,6 +254,7 @@ A Helm chart for kyverno
 | kyverno.cleanupController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
 | kyverno.cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
 | kyverno.cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
+| kyverno.cleanupController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealty pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. |
 | kyverno.cleanupController.podLabels | object | `{}` | Additional labels to add to each pod |
 | kyverno.cleanupController.podSecurityContext | object | `{}` | Security context for the pod |
 | kyverno.cleanupController.priorityClassName | string | `""` | Optional priority class |
@@ -253,6 +265,7 @@ A Helm chart for kyverno
 | kyverno.cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | kyverno.cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | kyverno.cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| kyverno.cleanupController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount |
 | kyverno.cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
 | kyverno.cleanupController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
 | kyverno.cleanupController.replicas | int | `nil` | Desired number of pods |
@@ -265,7 +278,9 @@ A Helm chart for kyverno
 | kyverno.cleanupController.service.annotations | object | `{}` | Service annotations. |
 | kyverno.cleanupController.service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. |
 | kyverno.cleanupController.service.port | int | `443` | Service port. |
+| kyverno.cleanupController.service.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.cleanupController.service.type | string | `"ClusterIP"` | Service type. |
+| kyverno.cleanupController.serviceMonitor.additionalAnnotations | object | `{}` | Additional annotations |
 | kyverno.cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | kyverno.cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | kyverno.cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -308,8 +323,8 @@ A Helm chart for kyverno | kyverno.config.webhooks | object | `{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}` | Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | kyverno.crds.annotations | object | `{}` | Additional CRDs annotations | | kyverno.crds.customLabels | object | `{}` | Additional CRDs labels | -| kyverno.crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` | -| kyverno.crds.groups.policies | object | `{"imagevalidatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `policies.kyverno.io` | +| kyverno.crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` | +| kyverno.crds.groups.policies | object | `{"deletingpolicies":true,"generatingpolicies":true,"imagevalidatingpolicies":true,"mutatingpolicies":true,"policyexceptions":true,"validatingpolicies":true}` | Install CRDs in group `policies.kyverno.io` | | kyverno.crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` | | kyverno.crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` | | kyverno.crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | 
@@ -331,7 +346,9 @@ A Helm chart for kyverno
 | kyverno.crds.migration.podSecurityContext | object | `{}` | Security context for the pod |
 | kyverno.crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","clusterpolicies.kyverno.io","globalcontextentries.kyverno.io","policies.kyverno.io","policyexceptions.kyverno.io","updaterequests.kyverno.io"]` | Resources to migrate |
 | kyverno.crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
+| kyverno.crds.migration.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount |
 | kyverno.crds.migration.tolerations | list | `[]` | List of node taints to tolerate |
+| kyverno.crds.reportsServer.enabled | bool | `false` | Kyverno reports-server is used in your cluster |
 | kyverno.customLabels | object | `{}` | Additional labels |
 | kyverno.existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | kyverno.features.admissionReports.enabled | bool | `true` | Enables the feature |
@@ -342,14 +359,17 @@ A Helm chart for kyverno | kyverno.features.backgroundScan.enabled | bool | `true` | Enables the feature | | kyverno.features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan | | kyverno.features.configMapCaching.enabled | bool | `true` | Enables the feature | +| kyverno.features.controllerRuntimeMetrics.bindAddress | string | `":8080"` | Bind address for controller-runtime metrics (use "0" to disable it) | | kyverno.features.deferredLoading.enabled | bool | `true` | Enables the feature | | kyverno.features.dumpPatches.enabled | bool | `false` | Enables the feature | | kyverno.features.dumpPayload.enabled | bool | `false` | Enables the feature | | kyverno.features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | -| kyverno.features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | +| kyverno.features.generateMutatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | +| kyverno.features.generateValidatingAdmissionPolicy.enabled | bool | `true` | Enables the feature | | kyverno.features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. 
A value of 0 bypasses checks (not recommended) | | kyverno.features.logging.format | string | `"text"` | Logging format | | kyverno.features.logging.verbosity | int | `2` | Logging verbosity | +| kyverno.features.mutatingAdmissionPolicyReports.enabled | bool | `false` | Enables the feature | | kyverno.features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | | kyverno.features.policyExceptions.enabled | bool | `false` | Enables the feature | | kyverno.features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces | 
@@ -367,10 +387,11 @@ A Helm chart for kyverno
 | kyverno.features.tuf.mirror | string | `nil` | Tuf mirror |
 | kyverno.features.tuf.root | string | `nil` | Path to Tuf root |
 | kyverno.features.tuf.rootRaw | string | `nil` | Raw Tuf root |
-| kyverno.features.validatingAdmissionPolicyReports.enabled | bool | `false` | Enables the feature |
+| kyverno.features.validatingAdmissionPolicyReports.enabled | bool | `true` | Enables the feature |
 | kyverno.fullnameOverride | string | `nil` | Override the expanded name of the chart |
 | kyverno.global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value |
 | kyverno.global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value |
+| kyverno.global.crdWatcher | bool | `false` | Enable/Disable custom resource watcher to invalidate cache |
 | kyverno.global.extraEnvVars | list | `[]` | Additional container environment variables to apply to all containers and init containers |
 | kyverno.global.image.registry | string | `nil` | Global value that allows to set a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart. |
 | kyverno.global.imagePullSecrets | list | `[]` | Global list of Image pull secrets When set, it will override any values set under `imagePullSecrets` under different components across the chart. |
@@ -394,23 +415,7 @@ A Helm chart for kyverno | kyverno.metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. | | kyverno.nameOverride | string | `nil` | Override the name of the chart | | kyverno.namespaceOverride | string | `nil` | Override the namespace the chart deploys to | -| kyverno.policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. | -| kyverno.policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| kyverno.policyReportsCleanup.image.registry | string | `nil` | Image registry | -| kyverno.policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| kyverno.policyReportsCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | -| kyverno.policyReportsCleanup.imagePullSecrets | list | `[]` | Image pull secrets | -| kyverno.policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | -| kyverno.policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | -| kyverno.policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. | -| kyverno.policyReportsCleanup.podAnnotations | object | `{}` | Pod annotations. | -| kyverno.policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| kyverno.policyReportsCleanup.podLabels | object | `{}` | Pod labels. 
| -| kyverno.policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod | -| kyverno.policyReportsCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| kyverno.policyReportsCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| kyverno.policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | -| kyverno.policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate | +| kyverno.openreports.enabled | bool | `false` | | | kyverno.rbac.roles.aggregate | object | `{"admin":true,"view":true}` | Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) | | kyverno.reportsController.annotations | object | `{}` | Deployment annotations. | | kyverno.reportsController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | 
@@ -439,6 +444,7 @@ A Helm chart for kyverno
 | kyverno.reportsController.metricsService.create | bool | `true` | Create service. |
 | kyverno.reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | kyverno.reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
+| kyverno.reportsController.metricsService.trafficDistribution | string | `nil` | Service traffic distribution policy. Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. |
 | kyverno.reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | kyverno.reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | kyverno.reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
@@ -450,6 +456,7 @@ A Helm chart for kyverno | kyverno.reportsController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | kyverno.reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | kyverno.reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| kyverno.reportsController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealty pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. | | kyverno.reportsController.podLabels | object | `{}` | Additional labels to add to each pod | | kyverno.reportsController.podSecurityContext | object | `{}` | Security context for the pod | | kyverno.reportsController.priorityClassName | string | `""` | Optional priority class | @@ -463,6 +470,7 @@ A Helm chart for kyverno | kyverno.reportsController.rbac.create | bool | `true` | Create RBAC resources | | kyverno.reportsController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | | kyverno.reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| kyverno.reportsController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | | kyverno.reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | kyverno.reportsController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | kyverno.reportsController.replicas | int | `nil` | Desired number of pods | 
@@ -473,6 +481,7 @@ A Helm chart for kyverno
 | kyverno.reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs |
 | kyverno.reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
 | kyverno.reportsController.server | object | `{"port":9443}` | reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to |
+| kyverno.reportsController.serviceMonitor.additionalAnnotations | object | `{}` | Additional annotations |
 | kyverno.reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | kyverno.reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | kyverno.reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -491,22 +500,25 @@ A Helm chart for kyverno | kyverno.reportsController.tracing.port | string | `nil` | Traces receiver port | | kyverno.reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | kyverno.reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| kyverno.test.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | | kyverno.test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | kyverno.test.image.registry | string | `nil` | Image registry | | kyverno.test.image.repository | string | `"busybox"` | Image repository | | kyverno.test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted | | kyverno.test.imagePullSecrets | list | `[]` | Image pull secrets | +| kyverno.test.nodeSelector | object | `{}` | Node labels for pod assignment | | kyverno.test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | kyverno.test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | | kyverno.test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | | kyverno.test.sleep | int | `20` | Sleep time before running test | +| kyverno.test.tolerations | list | `[]` | List of node taints to tolerate | | kyverno.upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. 
| | kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `false` | Allow webhooks controller to delete webhooks using finalizers | | kyverno.webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. | | kyverno.webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | kyverno.webhooksCleanup.image.registry | string | `nil` | Image registry | -| kyverno.webhooksCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| kyverno.webhooksCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | +| kyverno.webhooksCleanup.image.repository | string | `"registry.k8s.io/kubectl"` | Image repository | +| kyverno.webhooksCleanup.image.tag | string | `"v1.32.7"` | Image tag Defaults to `latest` if omitted | | kyverno.webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | | kyverno.webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | kyverno.webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | 
@@ -518,6 +530,7 @@ A Helm chart for kyverno | kyverno.webhooksCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | kyverno.webhooksCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | | kyverno.webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | +| kyverno.webhooksCleanup.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | | kyverno.webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate | | prometheus.enabled | bool | `false` | Enables Prometheus Operator monitoring | | prometheus.grafanaDashboard.enabled | bool | `true` | Add grafana dashboard as a configmap | @@ -550,7 +563,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.2" + targetRevision: "0.1.3" chart: kyverno path: '' helm: diff --git a/charts/kyverno/charts/kyverno-3.4.1.tgz b/charts/kyverno/charts/kyverno-3.4.1.tgz deleted file mode 100644 index 4cc88c26..00000000 Binary files a/charts/kyverno/charts/kyverno-3.4.1.tgz and /dev/null differ diff --git a/charts/kyverno/charts/kyverno-3.5.1.tgz b/charts/kyverno/charts/kyverno-3.5.1.tgz new file mode 100644 index 00000000..91a86218 Binary files /dev/null and b/charts/kyverno/charts/kyverno-3.5.1.tgz differ diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 98935898..1e9bb4a1 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -37,6 +37,9 @@ kyverno: # -- Resync period for informers resyncPeriod: 15m + # -- Enable/Disable custom resource watcher to invalidate cache + crdWatcher: false + caCertificates: # -- Global CA certificates to use with Kyverno deployments # This value is expected to be one large string of CA certificates @@ -91,12 +94,20 @@ kyverno: admin: true view: true + # Use openreports.io as the API group for reporting + openreports: + enabled: false + # CRDs configuration crds: # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created install: true + reportsServer: + # -- Kyverno reports-server is used in your cluster + enabled: false + groups: # -- Install CRDs in group `kyverno.io` @@ -108,13 +119,15 @@ kyverno: policies: true policyexceptions: true updaterequests: true - validatingpolicies: true # -- Install CRDs in group `policies.kyverno.io` policies: validatingpolicies: true policyexceptions: true imagevalidatingpolicies: true + mutatingpolicies: true + generatingpolicies: true + deletingpolicies: true # -- Install CRDs in group `reports.kyverno.io` reports: @@ -213,6 +226,10 @@ kyverno: cpu: 10m memory: 64Mi + serviceAccount: + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + # Configuration config: @@ -261,16 +278,16 @@ kyverno: - '[*/*,kube-public,*]' - '[*/*,kube-node-lease,*]' - '[Node,*,*]' - - '[Node/*,*,*]' + - '[Node/?*,*,*]' - '[APIService,*,*]' - - '[APIService/*,*,*]' + - '[APIService/?*,*,*]' - '[TokenReview,*,*]' - '[SubjectAccessReview,*,*]' - '[SelfSubjectAccessReview,*,*]' - '[Binding,*,*]' - '[Pod/binding,*,*]' - '[ReplicaSet,*,*]' - - '[ReplicaSet/*,*,*]' + - '[ReplicaSet/?*,*,*]' - '[EphemeralReport,*,*]' - '[ClusterEphemeralReport,*,*]' # exclude resources from the chart 
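Review bot: The new `openreports.enabled` key in the `@@ -91,12 +94,20 @@` hunk has no helm-docs description, because its explanation is a plain `#` comment on the parent `openreports:` key; the generated README row for `kyverno.openreports.enabled` in this same diff has an empty description cell as a result. Putting the text on the leaf as `# -- Use openreports.io as the API group for reporting` directly above `enabled: false` would document it the same way `reportsServer.enabled` is documented a few lines further down. Going by the comment text, enabling it changes the API group reports are written under, so anything that reads policy reports for audit or alerting would presumably need to follow; that consequence is inferred and should be confirmed against the upstream chart before it goes into the comment.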
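Review bot: The subresource filters in the `@@ -261,16 +278,16 @@` hunk change from `Kind/*` to `Kind/?*` with no comment saying what the new pattern matches, and the same rewrite repeats in the `@@ -291,13 +308,13 @@` and `@@ -309,51 +326,51 @@` hunks. These entries decide which objects Kyverno skips, so someone auditing the exclusion list needs to know whether `?*` covers the same set as `*` did. A short comment above the list would settle it, for example `# 'Kind/?*' matches any non-empty subresource of Kind (e.g. Pod/status); the bare kind is listed separately`, assuming `?` stands for exactly one character in Kyverno's wildcard matching, which should be confirmed. The filter list starts and ends outside these hunks.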
@@ -291,13 +308,13 @@ kyverno: - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]' - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' - - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' - - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' - - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' - - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' - '[Role,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.cleanup-controller.roleName" . }}]' 
@@ -309,51 +326,51 @@ kyverno: - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]' - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]' - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' - - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' - - '[Pod/*,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' - - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' - - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' + - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' - - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[Job/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . 
}}]' + - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . 
}}]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' - - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . 
}}-metrics]' - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]' - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]' - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]' @@ -375,10 +392,10 @@ kyverno: values: - kube-system # Exclude objects - # - objectSelector: - # matchExpressions: - # - key: webhooks.kyverno.io/exclude - # operator: DoesNotExist + # objectSelector: + # matchExpressions: + # - key: webhooks.kyverno.io/exclude + # operator: DoesNotExist # -- Defines annotations to set on webhook configurations. webhookAnnotations: @@ -518,9 +535,19 @@ kyverno: seccompProfile: type: RuntimeDefault + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + # -- Additional labels customLabels: {} + webhooksCleanup: # -- Create a helm pre-delete hook to cleanup webhooks. enabled: true @@ -533,10 +560,10 @@ kyverno: # -- (string) Image registry registry: ~ # -- Image repository - repository: bitnami/kubectl + repository: registry.k8s.io/kubectl # -- Image tag # Defaults to `latest` if omitted - tag: '1.32.3' + tag: 'v1.32.7' # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted pullPolicy: ~ 
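Review bot: `automountServiceAccountToken: true` is added as the default for the chart test pod in the `@@ -518,9 +535,19 @@` hunk, which keeps an API token mounted in a `busybox` container that may have no use for it. If the test pods only probe the Kyverno service endpoints, this wrapper chart can ship `automountServiceAccountToken: false` here and leave the `webhooksCleanup` hook, whose image is `kubectl`, at `true`. Whether the tests call the Kubernetes API is not visible in this diff, so check the upstream test templates before changing the default. The `test:` block starts outside the hunk.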
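Review bot: The pre-delete hook image in the `@@ -533,10 +560,10 @@` hunk is still pinned by tag only (`tag: 'v1.32.7'`), and a tag can be re-pointed at the registry after this chart is released. The job it runs is the one that cleans up webhook configurations, so the image content should be fixed; if the chart's image template passes the tag through unchanged, `tag: 'v1.32.7@sha256:<digest-of-v1.32.7>'` would do it (placeholder, take the real digest from the registry). The comment `Defaults to latest if omitted` could also say that omitting the tag is not advised for this hook. The `webhooksCleanup.image` block continues outside the hunk.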
@@ -592,73 +619,9 @@ kyverno: cpu: 10m memory: 64Mi - policyReportsCleanup: - # -- Create a helm post-upgrade hook to cleanup the old policy reports. - enabled: true - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.32.3' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Security context for the pod - podSecurityContext: {} - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Pod labels. - podLabels: {} - - # -- Pod annotations. - podAnnotations: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - # -- Security context for the hook containers - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - resources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi + serviceAccount: + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true grafana: # -- Enable grafana dashboard creation. @@ -699,6 +662,9 @@ kyverno: # -- Enables the feature enabled: true validatingAdmissionPolicyReports: + # -- Enables the feature + enabled: true + mutatingAdmissionPolicyReports: # -- Enables the feature enabled: false reporting: 
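Review bot: The default of `validatingAdmissionPolicyReports.enabled` flips from `false` to `true` in the hunk at -699, although the diff reads like a pure addition. The three added lines push the existing `enabled: false` down under the new `mutatingAdmissionPolicyReports` key. The same shape turns `generateValidatingAdmissionPolicy` on in the hunk at -737. Both features are then enabled for every consumer of this chart on upgrade, so the change deserves a line in the commit description and a check that the target clusters serve the ValidatingAdmissionPolicy API. A marker on the key, e.g. `# -- Enables the feature (default changed to true with this chart bump)`, would make the flip visible in the values file; the enclosing mapping starts outside the hunk.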
@@ -727,6 +693,9 @@ kyverno: configMapCaching: # -- Enables the feature enabled: true + controllerRuntimeMetrics: + # -- Bind address for controller-runtime metrics (use "0" to disable it) + bindAddress: ":8080" deferredLoading: # -- Enables the feature enabled: true @@ -737,6 +706,9 @@ kyverno: # -- Enables the feature enabled: false generateValidatingAdmissionPolicy: + # -- Enables the feature + enabled: true + generateMutatingAdmissionPolicy: # -- Enables the feature enabled: false dumpPatches: @@ -831,6 +803,9 @@ kyverno: annotations: {} # example.com/annotation: value + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. @@ -862,6 +837,9 @@ kyverno: # -- Resync period for informers resyncPeriod: 15m + # -- Enable/Disable custom resource watcher to invalidate cache + crdWatcher: false + # -- Additional labels to add to each pod podLabels: {} # example.com/label: foo @@ -1015,6 +993,9 @@ kyverno: # -- Configures the maximum unavailable pods for disruptions. # Cannot be used if `minAvailable` is set. maxUnavailable: + # -- Unhealty pod eviction policy to be used. + # Possible values are `IfHealthyBudget` or `AlwaysAllow`. + unhealthyPodEvictionPolicy: # -- A writable volume to use for the TUF root initialization. tufRootMountPath: /.sigstore @@ -1153,6 +1134,9 @@ kyverno: nodePort: # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ metricsService: # -- Create service. 
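Review bot: `controllerRuntimeMetrics.bindAddress` defaults to `":8080"`, which listens on every pod interface, and nothing in this hunk says whether that endpoint is authenticated or covered by the chart's NetworkPolicy settings. Where these metrics are not scraped, `bindAddress: "0"` (the value the added comment documents) removes the listener. Otherwise the comment could be extended to `# -- Bind address for controller-runtime metrics (use "0" to disable it); restrict access with a NetworkPolicy`. The enclosing mapping starts outside the hunk.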
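Review bot: The comment added in the hunk at -1015 misspells "Unhealthy" as `Unhealty`, and `unhealthyPodEvictionPolicy:` is left as a bare key while the `trafficDistribution: ~` keys added in the same commit write the null out. The same two lines recur in the hunks at -1449, -1775 and -2065. Suggested wording is `# -- Unhealthy pod eviction policy to be used.` with `unhealthyPodEvictionPolicy: ~`. If the text is copied from the upstream chart's values, fixing it there first keeps the two files in step.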
@@ -1167,6 +1151,9 @@ kyverno: nodePort: # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ networkPolicy: # -- When true, use a NetworkPolicy to allow ingress to the webhook @@ -1178,6 +1165,8 @@ kyverno: serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false + # -- Additional annotations + additionalAnnotations: {} # -- Additional labels additionalLabels: {} # -- (string) Override namespace @@ -1255,6 +1244,9 @@ kyverno: annotations: {} # example.com/annotation: value + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. @@ -1449,6 +1441,9 @@ kyverno: # -- Configures the maximum unavailable pods for disruptions. # Cannot be used if `minAvailable` is set. maxUnavailable: + # -- Unhealty pod eviction policy to be used. + # Possible values are `IfHealthyBudget` or `AlwaysAllow`. + unhealthyPodEvictionPolicy: caCertificates: # -- CA certificates to use with Kyverno deployments @@ -1475,6 +1470,9 @@ kyverno: nodePort: # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ networkPolicy: @@ -1488,6 +1486,8 @@ kyverno: serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false + # -- Additional annotations + additionalAnnotations: {} # -- Additional labels additionalLabels: {} # -- (string) Override namespace 
@@ -1564,6 +1564,9 @@ kyverno: annotations: {} # example.com/annotation: value + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1775,6 +1778,9 @@ kyverno: # -- Configures the maximum unavailable pods for disruptions. # Cannot be used if `minAvailable` is set. maxUnavailable: + # -- Unhealty pod eviction policy to be used. + # Possible values are `IfHealthyBudget` or `AlwaysAllow`. + unhealthyPodEvictionPolicy: service: # -- Service port. @@ -1786,6 +1792,9 @@ kyverno: nodePort: # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ metricsService: # -- Create service. @@ -1800,6 +1809,9 @@ kyverno: nodePort: # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ networkPolicy: @@ -1813,6 +1825,8 @@ kyverno: serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false + # -- Additional annotations + additionalAnnotations: {} # -- Additional labels additionalLabels: {} # -- (string) Override namespace @@ -1890,6 +1904,9 @@ kyverno: annotations: {} # example.com/annotation: value + # -- Toggle automounting of the ServiceAccount + automountServiceAccountToken: true + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. 
@@ -2065,6 +2082,9 @@ kyverno: # -- Configures the maximum unavailable pods for disruptions. # Cannot be used if `minAvailable` is set. maxUnavailable: + # -- Unhealty pod eviction policy to be used. + # Possible values are `IfHealthyBudget` or `AlwaysAllow`. + unhealthyPodEvictionPolicy: # -- A writable volume to use for the TUF root initialization. tufRootMountPath: /.sigstore @@ -2099,6 +2119,9 @@ kyverno: nodePort: ~ # -- Service annotations. annotations: {} + # -- (string) Service traffic distribution policy. + # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs. + trafficDistribution: ~ networkPolicy: @@ -2112,6 +2135,8 @@ kyverno: serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false + # -- Additional annotations + additionalAnnotations: {} # -- Additional labels additionalLabels: {} # -- (string) Override namespace diff --git a/charts/velero/Chart.lock b/charts/velero/Chart.lock index b32a7e61..d916306d 100644 --- a/charts/velero/Chart.lock +++ b/charts/velero/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: velero repository: https://vmware-tanzu.github.io/helm-charts - version: 9.1.2 + version: 10.1.0 - name: gcp-workload-identity repository: https://edixos.github.io/ekp-helm version: 0.1.1 @@ -14,5 +14,5 @@ dependencies: - name: gcp-bucket repository: https://edixos.github.io/ekp-helm version: 0.1.0 -digest: sha256:56dafcc28b5517504b03be7a9549166c131b26251d03d0d55a63954e2c5bf30a -generated: "2025-05-14T10:23:09.920610947Z" +digest: sha256:4918dd9f3b7a4db1ebcedcd40ce337db4e33990d96761c216fc02027c394a0bd +generated: "2025-08-20T10:23:05.081454958Z" diff --git a/charts/velero/Chart.yaml b/charts/velero/Chart.yaml index 2bca7d40..2a68c275 100644 --- a/charts/velero/Chart.yaml +++ b/charts/velero/Chart.yaml 
@@ -2,11 +2,11 @@ apiVersion: v2 name: velero description: A Helm chart for velero type: application -version: 0.1.4 +version: 0.1.5 appVersion: "1.15.2" dependencies: - name: velero - version: 9.1.2 + version: 10.1.0 repository: "https://vmware-tanzu.github.io/helm-charts" - name: gcp-workload-identity version: 0.1.1 diff --git a/charts/velero/README.md b/charts/velero/README.md index c13ca208..f7baa9eb 100644 --- a/charts/velero/README.md +++ b/charts/velero/README.md @@ -1,6 +1,6 @@ # velero -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square) +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square) ## Prerequisites @@ -15,7 +15,7 @@ | https://edixos.github.io/ekp-helm | iamCustomRole(gcp-iam-custom-role) | 0.1.0 | | https://edixos.github.io/ekp-helm | iamPolicyMembers(gcp-iam-policy-members) | 0.1.2 | | https://edixos.github.io/ekp-helm | workloadIdentity(gcp-workload-identity) | 0.1.1 | -| https://vmware-tanzu.github.io/helm-charts | velero | 9.1.2 | +| https://vmware-tanzu.github.io/helm-charts | velero | 10.1.0 | ## Maintainers 
@@ -53,20 +53,21 @@ A Helm chart for velero | velero.configMaps | object | `{}` | | | velero.configuration.backupStorageLocation[0].accessMode | string | `"ReadWrite"` | | | velero.configuration.backupStorageLocation[0].annotations | object | `{}` | | -| velero.configuration.backupStorageLocation[0].bucket | string | `nil` | | +| velero.configuration.backupStorageLocation[0].bucket | string | `""` | | | velero.configuration.backupStorageLocation[0].caCert | string | `nil` | | | velero.configuration.backupStorageLocation[0].config | object | `{}` | | | velero.configuration.backupStorageLocation[0].credential.key | string | `nil` | | | velero.configuration.backupStorageLocation[0].credential.name | string | `nil` | | -| velero.configuration.backupStorageLocation[0].default | string | `nil` | | +| velero.configuration.backupStorageLocation[0].default | bool | `false` | | | velero.configuration.backupStorageLocation[0].name | string | `nil` | | | velero.configuration.backupStorageLocation[0].prefix | string | `nil` | | -| velero.configuration.backupStorageLocation[0].provider | string | `nil` | | +| velero.configuration.backupStorageLocation[0].provider | string | `""` | | | velero.configuration.backupStorageLocation[0].validationFrequency | string | `nil` | | | velero.configuration.backupSyncPeriod | string | `nil` | | | velero.configuration.clientBurst | string | `nil` | | | velero.configuration.clientPageSize | string | `nil` | | | velero.configuration.clientQPS | string | `nil` | | +| velero.configuration.dataMoverPrepareTimeout | string | `nil` | | | velero.configuration.defaultBackupStorageLocation | string | `nil` | | | velero.configuration.defaultBackupTTL | string | `nil` | | | velero.configuration.defaultItemOperationTimeout | string | `nil` | | 
@@ -77,7 +78,7 @@ A Helm chart for velero | velero.configuration.disableControllers | string | `nil` | | | velero.configuration.disableInformerCache | bool | `false` | | | velero.configuration.extraArgs | list | `[]` | | -| velero.configuration.extraEnvVars | object | `{}` | | +| velero.configuration.extraEnvVars | list | `[]` | | | velero.configuration.features | string | `nil` | | | velero.configuration.fsBackupTimeout | string | `nil` | | | velero.configuration.garbageCollectionFrequency | string | `nil` | | @@ -90,6 +91,9 @@ A Helm chart for velero | velero.configuration.profilerAddress | string | `nil` | | | velero.configuration.repositoryMaintenanceJob.latestJobsCount | int | `3` | | | velero.configuration.repositoryMaintenanceJob.limits | string | `nil` | | +| velero.configuration.repositoryMaintenanceJob.repositoryConfigData.global | object | `{}` | | +| velero.configuration.repositoryMaintenanceJob.repositoryConfigData.name | string | `"velero-repo-maintenance"` | | +| velero.configuration.repositoryMaintenanceJob.repositoryConfigData.repositories | object | `{}` | | | velero.configuration.repositoryMaintenanceJob.requests | string | `nil` | | | velero.configuration.restoreOnlyMode | string | `nil` | | | velero.configuration.restoreResourcePriorities | string | `nil` | | @@ -101,7 +105,7 @@ A Helm chart for velero | velero.configuration.volumeSnapshotLocation[0].credential.key | string | `nil` | | | velero.configuration.volumeSnapshotLocation[0].credential.name | string | `nil` | | | velero.configuration.volumeSnapshotLocation[0].name | string | `nil` | | -| velero.configuration.volumeSnapshotLocation[0].provider | string | `nil` | | +| velero.configuration.volumeSnapshotLocation[0].provider | string | `""` | | | velero.containerSecurityContext | object | `{}` | | | velero.credentials.existingSecret | string | `nil` | | | velero.credentials.extraEnvVars | object | `{}` | | 
@@ -116,10 +120,11 @@ A Helm chart for velero | velero.extraVolumeMounts | list | `[]` | | | velero.extraVolumes | list | `[]` | | | velero.fullnameOverride | string | `""` | | +| velero.hostAliases | list | `[]` | | | velero.image.imagePullSecrets | list | `[]` | | | velero.image.pullPolicy | string | `"IfNotPresent"` | | | velero.image.repository | string | `"velero/velero"` | | -| velero.image.tag | string | `"v1.16.0"` | | +| velero.image.tag | string | `"v1.16.2"` | | | velero.initContainers | string | `nil` | | | velero.kubectl.annotations | object | `{}` | | | velero.kubectl.containerSecurityContext | object | `{}` | | @@ -153,7 +158,13 @@ A Helm chart for velero | velero.metrics.scrapeInterval | string | `"30s"` | | | velero.metrics.scrapeTimeout | string | `"10s"` | | | velero.metrics.service.annotations | object | `{}` | | +| velero.metrics.service.externalTrafficPolicy | string | `""` | | +| velero.metrics.service.internalTrafficPolicy | string | `""` | | +| velero.metrics.service.ipFamilies | list | `[]` | | +| velero.metrics.service.ipFamilyPolicy | string | `""` | | | velero.metrics.service.labels | object | `{}` | | +| velero.metrics.service.nodePort | string | `nil` | | +| velero.metrics.service.type | string | `"ClusterIP"` | | | velero.metrics.serviceMonitor.additionalLabels | object | `{}` | | | velero.metrics.serviceMonitor.annotations | object | `{}` | | | velero.metrics.serviceMonitor.autodetect | bool | `true` | | 
@@ -166,9 +177,10 @@ A Helm chart for velero | velero.nodeAgent.dnsConfig | object | `{}` | | | velero.nodeAgent.dnsPolicy | string | `"ClusterFirst"` | | | velero.nodeAgent.extraArgs | list | `[]` | | -| velero.nodeAgent.extraEnvVars | object | `{}` | | +| velero.nodeAgent.extraEnvVars | list | `[]` | | | velero.nodeAgent.extraVolumeMounts | list | `[]` | | | velero.nodeAgent.extraVolumes | list | `[]` | | +| velero.nodeAgent.hostAliases | list | `[]` | | | velero.nodeAgent.labels | object | `{}` | | | velero.nodeAgent.lifecycle | object | `{}` | | | velero.nodeAgent.nodeSelector | object | `{}` | | @@ -213,7 +225,7 @@ A Helm chart for velero | velero.tolerations | list | `[]` | | | velero.upgradeCRDs | bool | `true` | | | velero.upgradeCRDsJob.automountServiceAccountToken | bool | `true` | | -| velero.upgradeCRDsJob.extraEnvVars | object | `{}` | | +| velero.upgradeCRDsJob.extraEnvVars | list | `[]` | | | velero.upgradeCRDsJob.extraVolumeMounts | list | `[]` | | | velero.upgradeCRDsJob.extraVolumes | list | `[]` | | | velero.upgradeJobResources | object | `{}` | | @@ -244,7 +256,7 @@ spec: source: repoURL: "https://edixos.github.io/ekp-helm" - targetRevision: "0.1.4" + targetRevision: "0.1.5" chart: velero path: '' helm: diff --git a/charts/velero/charts/velero-10.1.0.tgz b/charts/velero/charts/velero-10.1.0.tgz new file mode 100644 index 00000000..e3011ee1 Binary files /dev/null and b/charts/velero/charts/velero-10.1.0.tgz differ diff --git a/charts/velero/charts/velero-9.1.2.tgz b/charts/velero/charts/velero-9.1.2.tgz deleted file mode 100644 index 14de8687..00000000 Binary files a/charts/velero/charts/velero-9.1.2.tgz and /dev/null differ diff --git a/charts/velero/values.yaml b/charts/velero/values.yaml index 33574af6..d93cf62f 100644 --- a/charts/velero/values.yaml +++ b/charts/velero/values.yaml 
@@ -17,18 +17,12 @@ velero: labels: {} # Enforce Pod Security Standards with Namespace Labels # https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/ - # - key: pod-security.kubernetes.io/enforce - # value: privileged - # - key: pod-security.kubernetes.io/enforce-version - # value: latest - # - key: pod-security.kubernetes.io/audit - # value: privileged - # - key: pod-security.kubernetes.io/audit-version - # value: latest - # - key: pod-security.kubernetes.io/warn - # value: privileged - # - key: pod-security.kubernetes.io/warn-version - # value: latest + # pod-security.kubernetes.io/enforce: privileged + # pod-security.kubernetes.io/enforce-version: latest + # pod-security.kubernetes.io/audit: privileged + # pod-security.kubernetes.io/audit-version: latest + # pod-security.kubernetes.io/warn: privileged + # pod-security.kubernetes.io/warn-version: latest ## ## End of namespace-related settings. @@ -43,7 +37,7 @@ velero: # enabling node-agent). Required. image: repository: velero/velero - tag: v1.16.0 + tag: v1.16.2 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -91,6 +85,14 @@ velero: # cpu: 1000m # memory: 512Mi + # Configure hostAliases for Velero deployment. Optional + # For more information, check: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # Resource requests/limits to specify for the upgradeCRDs job pod. Need to be adjusted by user accordingly. upgradeJobResources: {} # requests: 
@@ -104,8 +106,18 @@ velero: extraVolumes: [] # Extra volumeMounts for the Upgrade CRDs Job. Optional. extraVolumeMounts: [] - # Extra key/value pairs to be used as environment variables. Optional. - extraEnvVars: {} + # Additional values to be used as environment variables. Optional. + extraEnvVars: [] + # Simple value + # - name: SIMPLE_VAR + # value: "simple-value" + + # FieldRef example + # - name: MY_POD_LABEL + # valueFrom: + # fieldRef: + # fieldPath: metadata.labels['my_label'] + # Configure if API credential for Service Account is automounted. automountServiceAccountToken: true # Configure the shell cmd in case you are using custom image @@ -120,7 +132,7 @@ velero: # If the value is a string then it is evaluated as a template. initContainers: # - name: velero-plugin-for-aws - # image: velero/velero-plugin-for-aws:v1.10.0 + # image: velero/velero-plugin-for-aws:v1.12.2 # imagePullPolicy: IfNotPresent # volumeMounts: # - mountPath: /target @@ -230,7 +242,19 @@ velero: # service metdata if metrics are enabled service: annotations: {} + type: ClusterIP labels: {} + nodePort: null + + # External/Internal traffic policy setting (Cluster, Local) + # https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies + externalTrafficPolicy: "" + internalTrafficPolicy: "" + + # the IP family policy for the metrics Service to be able to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). + ipFamilyPolicy: "" + # a list of IP families for the metrics Service that should be supported, in the order in which they should be applied to ClusterIP. Can be "IPv4" and/or "IPv6". + ipFamilies: [] # Pod annotations for Prometheus podAnnotations: 
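Review bot: `extraEnvVars` changes type from a mapping (`{}`) to a list (`[]`) in the hunk at -104 for the Upgrade CRDs Job, and again at -474 (`configuration.extraEnvVars`) and -600 (`nodeAgent.extraEnvVars`), so existing overrides written as `KEY: value` pairs will presumably stop rendering as intended. The wrapper chart only moves from 0.1.4 to 0.1.5 in this commit, which gives consumers no signal that values need migrating. A comment next to each key would help, e.g. `# NOTE: now a list of env entries (name + value or valueFrom); migrate overrides written as a map`. The list form also allows `valueFrom.secretKeyRef`, which is preferable to an inline `value:` for anything sensitive, and an example of it beside the `fieldRef` one would steer users that way. The README in this commit still lists `velero.credentials.extraEnvVars` as an object, so the sibling keys now differ in shape.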
@@ -276,19 +300,40 @@ velero: # namespace: "" # Rules to be deployed spec: [] - # - alert: VeleroBackupPartialFailures + # - alert: VeleroBackupFailed # annotations: - # message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partialy failed backups. + # message: Velero backup {{ $labels.schedule }} has failed # expr: |- - # velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 + # velero_backup_last_status{schedule!=""} != 1 # for: 15m # labels: # severity: warning - # - alert: VeleroBackupFailures + # - alert: VeleroBackupFailing + # annotations: + # message: Velero backup {{ $labels.schedule }} has been failing for the last 12h + # expr: |- + # velero_backup_last_status{schedule!=""} != 1 + # for: 12h + # labels: + # severity: critical + # - alert: VeleroNoNewBackup # annotations: - # message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} failed backups. + # message: Velero backup {{ $labels.schedule }} has not run successfuly in the last 30h # expr: |- - # velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 + # ( + # rate(velero_backup_last_successful_timestamp{schedule!=""}[15m]) <=bool 0 + # or + # absent(velero_backup_last_successful_timestamp{schedule!=""}) + # ) == 1 + # for: 30h + # labels: + # severity: critical + # - alert: VeleroBackupPartialFailures + # annotations: + # message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partialy failed backups + # expr: |- + # rate(velero_backup_partial_failure_total{schedule!=""}[25m]) + # / rate(velero_backup_attempt_total{schedule!=""}[25m]) > 0.5 # for: 15m # labels: # severity: warning 
@@ -339,15 +384,15 @@ velero: # a backup storage location will be created with the name "default". Optional. - name: # provider is the name for the backup storage location provider. - provider: + provider: "" # bucket is the name of the bucket to store backups in. Required. - bucket: + bucket: "" # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. Optional. caCert: # prefix is the directory under which all Velero data should be stored within the bucket. Optional. prefix: # default indicates this location is the default backup storage location. Optional. - default: + default: false # validationFrequency defines how frequently Velero should validate the object storage. Optional. validationFrequency: # accessMode determines if velero can write to this backup storage location. Optional. @@ -383,10 +428,11 @@ velero: # Parameters for the VolumeSnapshotLocation(s). Configure multiple by adding other element(s) to the volumeSnapshotLocation slice. # See https://velero.io/docs/v1.6/api-types/volumesnapshotlocation/ volumeSnapshotLocation: - # name is the name of the volume snapshot location where snapshots are being taken. Required. + # name is the name of the volume snapshot location where snapshots are being taken. If a name is not provided, + # a volume snapshot location will be created with the name "default". Optional. - name: # provider is the name for the volume snapshot provider. - provider: + provider: "" credential: # name of the secret used by this volumeSnapshotLocation. name: @@ -463,6 +509,8 @@ velero: # Comma separated list of velero feature flags. default: empty # features: EnableCSI features: + # Configures the timeout for provisioning the volume created from the CSI snapshot. Default: 30m + dataMoverPrepareTimeout: # Resource requests/limits to specify for the repository-maintenance job. Optional. # https://velero.io/docs/v1.14/repository-maintenance/#resource-limitation repositoryMaintenanceJob: 
@@ -474,14 +522,64 @@ velero: # memory: 1024Mi # Number of latest maintenance jobs to keep for each repository latestJobsCount: 3 + # Per-repository resource settings ConfigMap + # This ConfigMap allows specifying different settings for different repositories + # See: https://velero.io/docs/main/repository-maintenance/ + repositoryConfigData: + # Name of the ConfigMap to create. If not provided, will use "velero-repo-maintenance" + name: "velero-repo-maintenance" + # Global configuration applied to all repositories + # This configuration is used when no specific repository configuration is found + # global: + # podResources: + # cpuRequest: "100m" + # cpuLimit: "200m" + # memoryRequest: "100Mi" + # memoryLimit: "200Mi" + # keepLatestMaintenanceJobs: 1 + # loadAffinity: + # - nodeSelector: + # matchExpressions: + # - key: "cloud.google.com/machine-family" + # operator: "In" + # values: ["e2"] + # - nodeSelector: + # matchExpressions: + # - key: "topology.kubernetes.io/zone" + # operator: "In" + # values: ["us-central1-a", "us-central1-b", "us-central1-c"] + # priorityClassName: "low-priority" # Note: priorityClassName is only supported in global configuration + global: {} + # Repository-specific configurations + # Repository keys are formed as: "{namespace}-{storageLocation}-{repositoryType}" + # For example: "default-default-kopia" or "prod-s3-backup-kopia" + # Note: priorityClassName is NOT supported in repository-specific configurations + # repositories: + # "kibishii-default-kopia": + # podResources: + # cpuRequest: "200m" + # cpuLimit: "400m" + # memoryRequest: "200Mi" + # memoryLimit: "400Mi" + # keepLatestMaintenanceJobs: 2 + repositories: {} # `velero server` default: velero namespace: # additional command-line arguments that will be passed to the `velero server` # e.g.: extraArgs: ["--foo=bar"] extraArgs: [] - # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'" - extraEnvVars: {} + # 
Additional values to be used as environment variables. Optional. + extraEnvVars: [] + # Simple value + # - name: SIMPLE_VAR + # value: "simple-value" + + # FieldRef example + # - name: MY_POD_LABEL + # valueFrom: + # fieldRef: + # fieldPath: metadata.labels['my_label'] # Set true for backup all pod volumes without having to apply annotation on the pod when used file system backup Default: false. defaultVolumesToFsBackup: @@ -600,8 +698,17 @@ velero: # Extra volumeMounts for the node-agent daemonset. Optional. extraVolumeMounts: [] - # Key/value pairs to be used as environment variables for the node-agent daemonset. Optional. - extraEnvVars: {} + # Additional values to be used as environment variables for node-agent daemonset. Optional. + extraEnvVars: [] + # Simple key/value + # - name: SIMPLE_VAR + # value: "simple-value" + + # FieldRef example + # - name: MY_POD_LABEL + # valueFrom: + # fieldRef: + # fieldPath: metadata.labels['my_label'] # Additional command-line arguments that will be passed to the node-agent. Optional. # e.g.: extraArgs: ["--foo=bar"] @@ -611,6 +718,14 @@ velero: # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: ClusterFirst + # Configure hostAliases for node-agent daemonset. Optional + # For more information, check: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # SecurityContext to use for the Velero deployment. Optional. # Set fsGroup for `AWS IAM Roles for Service Accounts` # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html