Merge branch 'main' into ci-update-harbor-to-1.16.2

.github/workflows/integration.yml

@@ -32,10 +32,10 @@ on:
         description: 'Kubernetes version'
         type: choice
         options:
-          - "['1.29']"
           - "['1.30']"
           - "['1.31']"
-        default: "['1.31']"
+          - "['1.32']"
+        default: "['1.32']"
       install_profile:
         description: APL installation profile
         default: minimal-with-team
@@ -223,24 +223,15 @@ jobs:
             
             sleep 30
           done
-      - name: Save kubectl config with auth token and Get kubectl environment and create docker secret
+      - name: Save kubectl config with auth token
         if: ${{ inputs.install_profile != 'no-apl' }}
         run: |
-          # Get the kubeconfig from linode-cli
-          kubeconfig=$(linode-cli lke kubeconfig-view ${{ env.LINODE_CLUSTER_ID }} --text | sed 1d | base64 --decode)
-
-          # Save the kubeconfig to a file
-          kubeconfigDir="$HOME/.kube"
-          kubeconfigPath="$HOME/.kube/config"
-          mkdir -p "$kubeconfigDir"  # Create the directory if it doesn't exist
-          echo "$kubeconfig" > "$kubeconfigPath"
-          echo "Kubeconfig saved to $kubeconfigPath"
-              
-          # Set the kubectl context to use the new kubeconfig
-          export KUBECONFIG="$kubeconfigPath"
-          contextName=$(kubectl config get-contexts -o name | head -n 1)
-          kubectl config use-context "$contextName"
-          echo "Kubectl context set to linode"
+          echo "Waiting for kubeconfig..."
+          while :; do
+            linode-cli get-kubeconfig --label "${{ env.LINODE_CLUSTER_NAME }}" 2> /dev/null && break
+            echo "still waiting..."
+            sleep 10
+          done
           echo LINODE_CLUSTER_CONTEXT=`kubectl config current-context` >> $GITHUB_ENV
       - name: Create image pull secret on test cluster
         if: ${{ inputs.install_profile != 'no-apl' }}

.github/workflows/main.yml

@@ -105,7 +105,7 @@ jobs:
           #Cut the CHANGELOG.md file up to the first occurence of the "### \[[0-9]*" (meaning three #, a space,a square bracket and any number after it)
           sed -n '/### \[[0-9]*/q;p' CHANGELOG.md > NEW_CHANGELOG.md
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1.14.0
+        uses: ncipollo/release-action@v1.15.0
         env:
           token: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -177,7 +177,7 @@ jobs:
         run: git config --global --add safe.directory /__w/apl-core/apl-core
       - name: Create and publish otomi chart release
         id: chart_release
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         with:
           charts_dir: chart
           skip_existing: true

.values/env/settings.yaml

@@ -1 +1 @@
-version: 28
+version: 33

.values/env/teams.yaml

@@ -1,13 +1,3 @@
 teamConfig:
     admin:
         id: admin
-        managedMonitoring:
-            alertmanager: true
-            grafana: true
-            prometheus: true
-        selfService:
-            access:
-                - shell
-                - downloadCertificateAuthority
-            policies:
-                - edit policies

CHANGELOG.md

@@ -2,6 +2,51 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.3.0](https://github.com/linode/apl-core/compare/v4.2.0...v4.3.0) (2025-02-10)
+
+
+### Features
+
+* add coverage to github ci ([#1920](https://github.com/linode/apl-core/issues/1920)) ([232bb48](https://github.com/linode/apl-core/commit/232bb48e367647d893cf861108dee70f9850bdce))
+* add support for Kubernetes 1.32 ([#1894](https://github.com/linode/apl-core/issues/1894)) ([9b1e19c](https://github.com/linode/apl-core/commit/9b1e19c90c6bac3c10e017fd960ecaf5571839a7))
+* added more charts to the chart-index ([#1900](https://github.com/linode/apl-core/issues/1900)) ([061d372](https://github.com/linode/apl-core/commit/061d37232fec7959e192e5a6f595ee964b6781f5))
+* updating teams defaults ([#1909](https://github.com/linode/apl-core/issues/1909)) ([6dc29db](https://github.com/linode/apl-core/commit/6dc29db37c00543db56fe74ea89cbc1606f28d71))
+* fix decrypt ([#1922](https://github.com/linode/apl-core/issues/1922)) ([ea3badf](https://github.com/linode/apl-core/commit/ea3badf4ac3f007047aee43ebcb706a125dd1300))
+* fix open redirect vulnerability ([#1899](https://github.com/linode/apl-core/issues/1899)) ([f180cc9](https://github.com/linode/apl-core/commit/f180cc9b3f772bf49e2c3e862f6b6c7cf2796a14))
+* increase Gitea timeout ([#1921](https://github.com/linode/apl-core/issues/1921)) ([21a0691](https://github.com/linode/apl-core/commit/21a06911c6a0e43105e956260c6799e8ae780c21))
+* lowering DBs cpu resources ([#1891](https://github.com/linode/apl-core/issues/1891)) ([07ba2b9](https://github.com/linode/apl-core/commit/07ba2b9671bf6f9afc40be701a5dd65a5b3567e3))
+
+
+### Bug Fixes
+
+* added team networkpolicies to the team-ns values gotemplate ([#1902](https://github.com/linode/apl-core/issues/1902)) ([51300a5](https://github.com/linode/apl-core/commit/51300a559e3dc77bb287b32d1ef48849c5b9cb55))
+* bootstrap team password ([#1917](https://github.com/linode/apl-core/issues/1917)) ([b5ac229](https://github.com/linode/apl-core/commit/b5ac229b61d0083f0038f6410bc180f0d9f8c939))
+* encryption ([#1919](https://github.com/linode/apl-core/issues/1919)) ([3773a29](https://github.com/linode/apl-core/commit/3773a292c9c32c23f71f1b6ff55cb5ed405a1124))
+* package-lock ([#1923](https://github.com/linode/apl-core/issues/1923)) ([4d488b7](https://github.com/linode/apl-core/commit/4d488b7c36122fc0bb4bfa67d950778ab4a94a2e))
+* team network policies ([#1904](https://github.com/linode/apl-core/issues/1904)) ([9b5ee85](https://github.com/linode/apl-core/commit/9b5ee85154eaaa98ceb363fbf0f14842cb667994))
+* update message ([#1889](https://github.com/linode/apl-core/issues/1889)) ([152dcd2](https://github.com/linode/apl-core/commit/152dcd22eb46bdc83092192c5c6681bb8305771d))
+* update session settings for Gitea ([#1908](https://github.com/linode/apl-core/issues/1908)) ([0b639bb](https://github.com/linode/apl-core/commit/0b639bbdcaa217f1e1dcdc32c7bae6613b13d9dc))
+* use emptydir for Gitea backup volume on custom provider ([#1898](https://github.com/linode/apl-core/issues/1898)) ([80ebd93](https://github.com/linode/apl-core/commit/80ebd93ed5578de5b4f7164b8718ab1367b720bf))
+
+
+### Others
+
+* **chart-deps:** update cert-manager to version v1.16.2 ([#1874](https://github.com/linode/apl-core/issues/1874)) ([bfeb0a0](https://github.com/linode/apl-core/commit/bfeb0a00276180697a2165204c1e608290f8bc9f))
+* **chart-deps:** update cert-manager to version v1.16.3 ([#1896](https://github.com/linode/apl-core/issues/1896)) ([7d78be9](https://github.com/linode/apl-core/commit/7d78be97681792f7a7a5f4d49636483d06bb79b4))
+* **chart-deps:** update cloudnative-pg to version 0.23.0 ([#1880](https://github.com/linode/apl-core/issues/1880)) ([84748ed](https://github.com/linode/apl-core/commit/84748ed3de2493decd86f612269a182b94800c6b))
+* **chart-deps:** update harbor to version 1.16.1 ([#1892](https://github.com/linode/apl-core/issues/1892)) ([75fc895](https://github.com/linode/apl-core/commit/75fc8957f45b68028373043c57377c31b440bbfa))
+* **chart-deps:** update promtail to version 6.16.6 ([#1877](https://github.com/linode/apl-core/issues/1877)) ([bada051](https://github.com/linode/apl-core/commit/bada051021b4ec6f31a2c9947049c7fc9c1f7de5))
+* **chart-deps:** update sealed-secrets to version 2.17.1 ([#1897](https://github.com/linode/apl-core/issues/1897)) ([e3f074a](https://github.com/linode/apl-core/commit/e3f074a5898680ddb9b38f5afd3734bb3ae76b7c))
+* **deps:** bump actions/checkout from 3 to 4 ([#1869](https://github.com/linode/apl-core/issues/1869)) ([ea9e397](https://github.com/linode/apl-core/commit/ea9e397083c398561c45e2291591e7c9fe04bd27))
+* **deps:** bump actions/setup-node from 3 to 4 ([#1868](https://github.com/linode/apl-core/issues/1868)) ([d13e48c](https://github.com/linode/apl-core/commit/d13e48c1f88275964630f419078a3f47fc35992d))
+* **deps:** bump linode/apl-tools from v2.8.6 to v2.8.7 ([#1870](https://github.com/linode/apl-core/issues/1870)) ([21dcaf9](https://github.com/linode/apl-core/commit/21dcaf9493f0a5ae36fe326b7b49cf05fee69035))
+* update changelog ([#1890](https://github.com/linode/apl-core/issues/1890)) ([2c0e39f](https://github.com/linode/apl-core/commit/2c0e39fe7e78b719ef40b5dde8620d87e1285a23))
+* update console and api to latest release ([#1932](https://github.com/linode/apl-core/issues/1932)) ([0fab990](https://github.com/linode/apl-core/commit/0fab9907989348d5bd8c27c88b405e28cd6bf3e7))
+* update task version to 3.6.0 ([#1895](https://github.com/linode/apl-core/issues/1895)) ([5e07fd0](https://github.com/linode/apl-core/commit/5e07fd0f44f389c9e612222a95ce7a5ca8769277))
+* update task version to 3.6.1 ([#1916](https://github.com/linode/apl-core/issues/1916)) ([9e1b61f](https://github.com/linode/apl-core/commit/9e1b61f9e2864db9ca490efd2f0549b6ccab2b35))
+* updated trivy-operator helm chart registry ([#1905](https://github.com/linode/apl-core/issues/1905)) ([6cb6017](https://github.com/linode/apl-core/commit/6cb60177ec545844c72dd83a7464d86344842bf3))
+
+
 ### [4.2.2](https://github.com/linode/apl-core/compare/v4.2.1...v4.2.2) (2025-01-09)
 
 

bin/install-deps.sh

@@ -4,8 +4,26 @@ go install github.com/noqcks/gucci@latest
 go install github.com/plexsystems/konstraint@latest
 npm install -g json-dereference-cli
 
+# Desired version
+helm_secrets_target_version="4.6.2"
+
+# Get the installed version of helm-secrets
+helm_secrets_installed_version=$(helm plugin list | awk '/secrets/ {print $2}')
+
+# Compare versions and update if necessary
+if [ -z "$helm_secrets_installed_version" ]; then
+  echo "helm-secrets is not installed. Installing version $helm_secrets_target_version..."
+  helm plugin install https://github.com/jkroepke/helm-secrets --version "$helm_secrets_target_version"
+elif [ "$(printf '%s\n' "$helm_secrets_installed_version" "$helm_secrets_target_version" | sort -V | head -n1)" != "$helm_secrets_target_version" ]; then
+  echo "Updating helm-secrets from version $helm_secrets_installed_version to $helm_secrets_target_version..."
+  helm plugin uninstall secrets
+  helm plugin install https://github.com/jkroepke/helm-secrets --version "$helm_secrets_target_version"
+else
+  echo "helm-secrets is up-to-date (version $helm_secrets_installed_version)."
+fi
+
 helm plugin install https://github.com/databus23/helm-diff.git || echo "Skipping helm-diff"
-helm plugin install https://github.com/jkroepke/helm-secrets.git --version v3.15.0 || echo "Skipping helm-secret"
+
 
 echo "Set shell rc file:"
 echo 'echo  export PATH="$HOME/go/bin:$PATH" >> $HOME/.zshrc'

chart/chart-index/Chart.yaml

@@ -5,6 +5,7 @@ type: library
 version: 0.1.0
 dependencies:
   - name: argo-cd
+    alias: argocd
     version: 6.7.3
     repository: https://argoproj.github.io/argo-helm
   - name: cert-manager
@@ -16,6 +17,12 @@ dependencies:
   - name: external-dns
     version: 6.20.4
     repository: https://charts.bitnami.com/bitnami
+  - name: falco
+    version: 3.8.5
+    repository: https://falcosecurity.github.io/charts
+  - name: falco-exporter
+    version: 0.9.7
+    repository: https://falcosecurity.github.io/charts
   - name: gitea
     version: 5.0.0
     repository: https://dl.gitea.io/charts
@@ -25,45 +32,69 @@ dependencies:
   - name: ingress-nginx
     version: 4.6.1
     repository: https://kubernetes.github.io/ingress-nginx
+  - name: jaeger-operator
+    version: 2.57.0
+    repository: https://jaegertracing.github.io/helm-charts
+  - name: kiali-operator
+    version: 1.86.1
+    repository: https://kiali.org/helm-charts
+  - name: knative-operator
+    version: 0.1.0
+    repository: https://knative.github.io/operator
   - name: kube-prometheus-stack
     version: 46.4.1
     repository: https://prometheus-community.github.io/helm-charts
+  - name: kured
+    version: 4.6.0
+    repository: https://kubereboot.github.io/charts
+  - name: kyverno
+    version: 3.1.4
+    repository: https://kyverno.github.io/kyverno/
+  - name: loki-distributed
+    alias: loki
+    version: 0.79.4
+    repository: https://grafana.github.io/helm-charts
   - name: metrics-server
     version: 6.8.0
     repository: https://charts.bitnami.com/bitnami
+  - name: minio
+    version: 11.10.13
+    repository: https://charts.bitnami.com/bitnami
   - name: oauth2-proxy
     version: 3.7.4
     repository: https://charts.bitnami.com/bitnami
+  - name: opentelemetry-operator
+    alias: otel-operator
+    version: 0.33.0
+    repository: https://open-telemetry.github.io/opentelemetry-helm-charts
   - name: prometheus-blackbox-exporter
     version: 7.10.0
     repository: https://prometheus-community.github.io/helm-charts
+  - name: prometheus-msteams
+    version: 0.4.4
+    repository: https://prometheus-msteams.github.io/prometheus-msteams/
   - name: promtail
     version: 6.16.6
     repository: https://grafana.github.io/helm-charts
+  - name: rabbitmq
+    version: 3.10.10
+    repository: https://charts.bitnami.com/bitnami
   - name: sealed-secrets
     version: 2.17.1
     repository: https://bitnami-labs.github.io/sealed-secrets/
   - name: tekton-pipeline
     version: 1.0.2
     repository: https://cdfoundation.github.io/tekton-helm-chart/
-  - name: velero
-    version: 5.4.1
-    repository: https://vmware-tanzu.github.io/helm-charts/
-  - name: trivy-operator
-    version: 0.25.0
-    repository: https://aquasecurity.github.io/helm-charts/
-  - name: falco
-    version: 3.8.5
-    repository: https://falcosecurity.github.io/charts
-  - name: falco-exporter
-    version: 0.9.7
-    repository: https://falcosecurity.github.io/charts
-  - name: jaeger-operator
-    version: 2.46.0
-    repository: https://jaegertracing.github.io/helm-charts
-  - name: kiali-operator
-    version: 1.86.1
-    repository: https://kiali.org/helm-charts
   - name: tempo-distributed
+    alias: tempo
     version: 1.18.5
     repository: https://grafana.github.io/helm-charts
+  - name: thanos
+    version: 15.7.25
+    repository: https://charts.bitnami.com/bitnami
+  - name: trivy-operator
+    version: 0.25.0
+    repository: https://aquasecurity.github.io/helm-charts/
+  - name: velero
+    version: 5.4.1
+    repository: https://vmware-tanzu.github.io/helm-charts/

charts/grafana-dashboards/falco-teams/falco-teams.json

@@ -417,7 +417,7 @@
   },
   "timepicker": {},
   "timezone": "",
-  "title": "Detected threads in containers",
+  "title": "Detected threats in containers",
   "uid": "aplteamsfalco",
   "version": 1,
   "weekStart": ""

charts/otomi-pipelines/templates/_helpers.tpl

@@ -60,3 +60,25 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- /*
+  Helper for cloning a repository. It will wait for gitea to come up if not ready yet.
+  Expected parameters:
+    .DestDir    - (Optional) Destination directory (e.g., "$ENV_DIR")
+    .Values     - The current .Values context
+*/ -}}
+{{- define "otomi-pipelines.cloneRepo" -}}
+{{- if .Values.cloneUnsecure }}
+while ! curl -m 3 -k -s -o /dev/null http://$GITEA_USERNAME:$GITEA_PASSWORD@$url; do
+  echo "Waiting for the repository to be available"
+  sleep 5s
+done
+git clone -c http.sslVerify=false --depth 2 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url{{ if .DestDir }} {{ .DestDir }}{{ end }}
+{{- else }}
+while ! curl -m 3 -s -o /dev/null https://$GITEA_USERNAME:$GITEA_PASSWORD@$url; do
+  echo "Waiting for the repository to be available"
+  sleep 5s
+done
+git clone --depth 2 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url{{ if .DestDir }} {{ .DestDir }}{{ end }}
+{{- end }}
+{{- end }}

charts/otomi-pipelines/templates/tekton-otomi-git-clone.yaml

@@ -57,12 +57,8 @@ spec:
         # Removing the proto part ('http://')
         export url=$(echo $fullRepoUrl|sed 's/http\:\/\///')
 
-        # Cloning the values
-        {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 2 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url
-        {{- else }}
-        git clone --depth 2 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url
-        {{- end }}
+        # Cloning the values using the helper
+        {{- include "otomi-pipelines.cloneRepo" (dict "Values" .Values) | nindent 8}}
 
         # Checking if the next steps should run or skipped 
         if [[ ! $COMMIT_MESSAGE == *ci\ skip* ]]; then

charts/otomi-pipelines/templates/tekton-otomi-task-teams.yaml

@@ -55,12 +55,8 @@ spec:
         export fullRepoUrl=$(params["repoUrl"])
         export url=$(echo $fullRepoUrl|sed 's/http\:\/\///')
 
-        # Cloning the values
-        {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
-        {{- else}}
-        git clone --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
-        {{- end }}
+        # Cloning the values using the helper
+        {{- include "otomi-pipelines.cloneRepo" (dict "DestDir" "$ENV_DIR" "Values" .Values) | nindent 8 }}
     - name: test
       computeResources: {}
       command:

charts/otomi-pipelines/templates/tekton-otomi-task.yaml

@@ -55,12 +55,9 @@ spec:
         export fullRepoUrl=$(params["repoUrl"])
         export url=$(echo $fullRepoUrl|sed 's/http\:\/\///')
 
-        # Cloning the values
-        {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
-        {{- else}}
-        git clone --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
-        {{- end }}
+        # Cloning the values using the helper
+        {{- include "otomi-pipelines.cloneRepo" (dict "DestDir" "$ENV_DIR" "Values" .Values) | nindent 8 }}
+        
     - name: bootstrap
       computeResources: {}
       command:

charts/team-ns/templates/argocd/argocd-applicationset.yaml

@@ -62,7 +62,15 @@ spec:
             duration: 10s
             factor: 3
           limit: 3
-        syncOptions: []
+        {{- if eq $v.teamId "admin" }} 
+        syncOptions:
+          - RespectIgnoreDifferences=true
+      ignoreDifferences:
+        - group: admissionregistration.k8s.io
+          kind: ValidatingWebhookConfiguration
+          jqPathExpressions:
+          - '.webhooks[]?.clientConfig.caBundle'
+        {{- end }}
       destination:
         server: 'https://kubernetes.default.svc'
         {{- if and ( eq $v.teamId "admin" ) .namespace }}