Merge branch 'prerelease/lagoon_v218' into lagoon-remote-insights-rem…

…ote-bug-fix

.github/workflows/lint-test-matrix.yaml

@@ -11,11 +11,12 @@ jobs:
       fail-fast: false
       matrix:
         kindest_node_version:
-        - v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb
-        - v1.24.15@sha256:7db4f8bea3e14b82d12e044e25e34bd53754b7f2b0e9d56df21774e6f66a70ab
-        - v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8
-        - v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb
-        - v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
+        - v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3
+        - v1.24.17@sha256:bad10f9b98d54586cba05a7eaa1b61c6b90bfc4ee174fdc43a7b75ca75c95e51
+        - v1.25.16@sha256:e8b50f8e06b44bb65a93678a65a26248fae585b3d3c2a669e5ca6c90c69dc519
+        - v1.26.14@sha256:5d548739ddef37b9318c70cb977f57bf3e5015e4552be4e27e57280a8cbb8e4f
+        - v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843
+        - v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -26,7 +27,7 @@ jobs:
       run: sudo apt-get -y install python3-wheel
 
     - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.0
+      uses: helm/chart-testing-action@v2.6.1
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -41,9 +42,9 @@ jobs:
       run: ct lint --config ./default.ct.yaml
 
     - name: Create kind cluster
-      uses: helm/kind-action@v1.8.0
+      uses: helm/kind-action@v1.9.0
       with:
-        version: v0.20.0
+        version: v0.22.0
         node_image: kindest/node:${{ matrix.kindest_node_version }}
       if: |
         (steps.list-changed.outputs.changed == 'true') ||

.github/workflows/lint-test.yaml

@@ -69,7 +69,7 @@ jobs:
       run: sudo apt-get -y install python3-wheel
 
     - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.0
+      uses: helm/chart-testing-action@v2.6.1
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -84,18 +84,23 @@ jobs:
       run: ct lint --config ./default.ct.yaml
 
     - name: Create kind cluster
-      uses: helm/kind-action@v1.8.0
+      uses: helm/kind-action@v1.9.0
       with:
-        version: v0.20.0
-        node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
-        kubectl_version: v1.27.3
+        version: v0.22.0
+        node_image: kindest/node:v1.28.7@sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58
+        kubectl_version: v1.28.7
       if: |
         (steps.list-changed.outputs.changed == 'true') ||
         (contains(github.event.pull_request.labels.*.name, 'needs-testing'))
 
     - name: Run chart-testing (install)
       run: ct install --config ./default.ct.yaml --helm-extra-args "--timeout 30m"
 
+    - name: Run chart-testing (needs-testing)
+      run: ct install --config ./default.ct.yaml  --helm-extra-args "--timeout 30m" --all
+      if: |
+        (contains(github.event.pull_request.labels.*.name, 'needs-testing'))
+
   artifacthub-changelog:
     runs-on: ubuntu-latest
     steps:

.github/workflows/release.yaml

@@ -19,13 +19,6 @@ jobs:
         git config user.name "$GITHUB_ACTOR"
         git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-    # See https://github.com/helm/chart-releaser-action/issues/6
-    - name: Install Helm
-      run: |
-        curl -fsSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
-        chmod 700 get_helm.sh
-        ./get_helm.sh
-
     - name: Add dependency chart repos
       run: |
         helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
@@ -35,6 +28,6 @@ jobs:
         helm repo add kube-logging https://kube-logging.github.io/helm-charts
 
     - name: Run chart-releaser
-      uses: helm/chart-releaser-action@v1.5.0
+      uses: helm/chart-releaser-action@v1.6.0
       env:
         CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/test-suite.yaml

@@ -5,7 +5,7 @@ on: pull_request
 jobs:
   # runs for lagoon-core, lagoon-remote, lagoon-test
   test-suite:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
@@ -48,7 +48,7 @@ jobs:
       run: sudo apt-get -y install python3-wheel
 
     - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.0
+      uses: helm/chart-testing-action@v2.6.1
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -69,14 +69,14 @@ jobs:
         envsubst < test-suite.kind-config.yaml.tpl > test-suite.kind-config.yaml
 
     - name: Create kind cluster
-      uses: helm/kind-action@v1.8.0
+      uses: helm/kind-action@v1.9.0
       if: |
         (steps.list-changed.outputs.changed == 'true') ||
         (contains(github.event.pull_request.labels.*.name, 'needs-testing'))
       with:
-        version: v0.20.0
-        node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
-        kubectl_version: v1.27.3
+        version: v0.22.0
+        node_image: kindest/node:v1.28.7@sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58
+        kubectl_version: v1.28.7
         config: test-suite.kind-config.yaml
 
     - name: Check node IP matches kind configuration
@@ -123,8 +123,8 @@ jobs:
       if: |
         (steps.list-changed.outputs.changed == 'true') ||
         (contains(github.event.pull_request.labels.*.name, 'needs-testing'))
-      # run: make -j8 -O fill-test-ci-values TESTS=[${{ matrix.test }}] IMAGE_REGISTRY=testlagoon IMAGE_TAG=main
-      run: make -j8 -O fill-test-ci-values TESTS=[${{ matrix.test }}]
+      run: make -j8 -O fill-test-ci-values TESTS=[${{ matrix.test }}] IMAGE_REGISTRY=testlagoon IMAGE_TAG=main OVERRIDE_BUILD_DEPLOY_DIND_IMAGE=uselagoon/build-deploy-image:main OVERRIDE_ACTIVE_STANDBY_TASK_IMAGE=testlagoon/task-activestandby:main
+      # run: make -j8 -O fill-test-ci-values TESTS=[${{ matrix.test }}]
 
     - name: Free up some disk space
       if: |

Makefile

@@ -41,6 +41,9 @@ SKIP_ALL_DEPS =
 DISABLE_CORE_HARBOR =
 # Set to `true` to enable the elements of lagoon-core that talk to OpenSearch installs
 OPENSEARCH_INTEGRATION_ENABLED = false
+# Ordinarily we shouldn't need to clear the API data as it's usually a first run. Set this
+# variable on a test run to clear (what's clearable) first
+CLEAR_API_DATA = false
 
 TIMEOUT = 30m
 HELM = helm
@@ -56,7 +59,7 @@ fill-test-ci-values:
 		&& export token="$$($(KUBECTL) -n lagoon create token lagoon-build-deploy --duration 3h)" \
 		&& export $$([ $(IMAGE_TAG) ] && echo imageTag='$(IMAGE_TAG)' || echo imageTag='latest') \
 		&& export webhookHandler="lagoon-core-webhook-handler" \
-		&& export tests='$(TESTS)' imageRegistry='$(IMAGE_REGISTRY)' \
+		&& export tests='$(TESTS)' imageRegistry='$(IMAGE_REGISTRY)' clearApiData='$(CLEAR_API_DATA)' \
 		&& valueTemplate=charts/lagoon-test/ci/linter-values.yaml \
 		&& envsubst < $$valueTemplate.tpl > $$valueTemplate \
 		&& cat $$valueTemplate
@@ -70,6 +73,7 @@ endif
 
 .PHONY: install-ingress
 install-ingress:
+	# Using 4.7.x because server snippets https://github.com/kubernetes/ingress-nginx/issues/10543
 	$(HELM) upgrade \
 		--install \
 		--create-namespace \
@@ -83,7 +87,7 @@ install-ingress:
 		--set controller.config.hsts="false" \
 		--set controller.watchIngressWithoutClass=true \
 		--set controller.ingressClassResource.default=true \
-		--version=4.7.2 \
+		--version=4.7.5 \
 		ingress-nginx \
 		ingress-nginx/ingress-nginx
 
@@ -103,7 +107,7 @@ install-registry: install-ingress
 		--set clair.enabled=false \
 		--set notary.enabled=false \
 		--set trivy.enabled=false \
-		--version=1.13.0 \
+		--version=1.14.0 \
 		registry \
 		harbor/harbor
 
@@ -158,8 +162,8 @@ install-minio: install-ingress
 		--wait \
 		--timeout $(TIMEOUT) \
 		--set auth.rootUser=lagoonFilesAccessKey,auth.rootPassword=lagoonFilesSecretKey \
-		--set defaultBuckets=lagoon-files \
-		--version=12.8.7 \
+		--set defaultBuckets='lagoon-files\,restores' \
+		--version=13.6.2 \
 		minio \
 		bitnami/minio
 
@@ -258,7 +262,7 @@ install-lagoon-remote: install-lagoon-build-deploy install-lagoon-core install-m
 # Do not install without lagoon-core
 #
 .PHONY: install-lagoon-build-deploy
-install-lagoon-build-deploy: install-lagoon-core install-registry
+install-lagoon-build-deploy: install-lagoon-core
 	$(HELM) dependency build ./charts/lagoon-build-deploy/
 	$(HELM) upgrade \
 		--install \
@@ -285,6 +289,11 @@ install-lagoon-build-deploy: install-lagoon-core install-registry
 		lagoon-build-deploy \
 		./charts/lagoon-build-deploy
 
+# allow skipping registry install for install-lagoon-remote target
+ifneq ($(SKIP_INSTALL_REGISTRY),true)
+install-lagoon-build-deploy: install-registry
+endif
+
 #
 # The following targets facilitate local development only and aren't used in CI.
 #

README.md

@@ -42,7 +42,18 @@ Documentation on probes for pod startup is [here](https://kubernetes.io/docs/con
 
 ### Run chart-testing (lint) locally
 
+```bash
+docker run --rm --interactive --detach --network host --name ct "--volume=$(pwd):/workdir" "--workdir=/workdir" --volume=$(pwd)/default.ct.yaml:/etc/ct/ct.yaml quay.io/helmpack/chart-testing:latest cat
+docker exec ct git config --global --add safe.directory /workdir
+docker exec ct ct lint
 ```
-$ docker run --rm --interactive --detach --network host --name ct "--volume=$(pwd):/workdir" "--workdir=/workdir" --volume=$(pwd)/default.ct.yaml:/etc/ct/ct.yaml quay.io/helmpack/chart-testing:latest cat
-$ docker exec ct ct lint
+
+### Run chart-testing (install) locally
+
+Prerequisite: install [ct](https://github.com/helm/chart-testing).
+
+```bash
+kind create cluster -n chart-testing
+ct install --charts=charts/lagoon-logging
+kind delete cluster -n chart-testing
 ```

charts/lagoon-build-deploy/Chart.yaml

@@ -16,11 +16,11 @@ kubeVersion: ">= 1.23.0-0"
 
 type: application
 
-version: 0.26.2
+version: 0.26.3
 
 appVersion: v0.15.4
 
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update remote-controller to v0.15.4
+      description: added clusterroles for tasks and builds

charts/lagoon-build-deploy/templates/clusterrolebinding.yaml

@@ -12,3 +12,31 @@ roleRef:
   kind: ClusterRole
   name: cluster-admin
   apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "lagoon-build-deploy.fullname" . }}-builds
+  labels:
+    {{- include "lagoon-build-deploy.labels" . | nindent 4 }}
+    # Add these permissions to the "admin" and "edit" default roles.
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.lagoon.sh"]
+  resources: ["lagoonbuilds"]
+  verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "lagoon-build-deploy.fullname" . }}-tasks
+  labels:
+    {{- include "lagoon-build-deploy.labels" . | nindent 4 }}
+    # Add these permissions to the "admin" and "edit" default roles.
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["crd.lagoon.sh"]
+  resources: ["lagoontasks"]
+  verbs: ["*"]

charts/lagoon-core/Chart.yaml

@@ -21,13 +21,13 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.40.0
+version: 1.42.0
 
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
 # Versions are not expected to follow Semantic Versioning. They should reflect
 # the version the application is using.
-appVersion: v2.16.0
+appVersion: v2.17.0
 
 dependencies:
 - name: nats
@@ -41,4 +41,4 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: bump lagoon-opensearch-sync version to v0.7.1
+      description: modify keycloak liveness and readiness endpoint

charts/lagoon-core/templates/keycloak.deployment.yaml

@@ -65,11 +65,11 @@ spec:
           containerPort: 8080
         livenessProbe:
           httpGet:
-            path: /
+            path: /auth
             port: http-8080
         readinessProbe:
           httpGet:
-            path: /
+            path: /auth
             port: http-8080
         startupProbe:
           exec:

charts/lagoon-core/values.yaml

@@ -620,7 +620,7 @@ insightsHandler:
     enabled: false
     image:
       repository: aquasec/trivy
-      tag: latest
+      tag: 0.48.0
     service:
       type: ClusterIP
       port: 4954

charts/lagoon-logging/Chart.yaml

@@ -19,7 +19,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.80.0
+version: 0.81.1
 
 dependencies:
 - name: logging-operator
@@ -31,10 +31,7 @@ dependencies:
 # It should be started afresh for each release
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
+  artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/changes: |
-    - kind: changed
-      description: update uselagoon/logs-dispatcher image to v3.4.0
-    - kind: added
-      description: schedule Logging Pods also on infra nodes
-    - kind: added
-      description: ability to configure toleration/affinity on FluentD deployment
+    - kind: security
+      description: avoid test role and rolebinding being wrongly installed

charts/lagoon-logging/ci/linter-values.yaml

@@ -68,7 +68,10 @@ cdnLogsCollector:
   buffer:
     storageClassName: standard
     size: 1Gi
-  serviceType: ClusterIP
+  service:
+    type: ClusterIP
+    annotations:
+      sh.lagoon.chart.testKey: lagoonTestValue
   tls:
     caCert: |-
       -----BEGIN CERTIFICATE-----

charts/lagoon-logging/templates/cdn-logs-collector.service.yaml

@@ -5,8 +5,12 @@ metadata:
   name: {{ include "lagoon-logging.cdnLogsCollector.fullname" . }}
   labels:
     {{- include "lagoon-logging.cdnLogsCollector.labels" . | nindent 4 }}
+  {{- with .Values.cdnLogsCollector.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: {{ .Values.cdnLogsCollector.serviceType }}
+  type: {{ .Values.cdnLogsCollector.service.type }}
   selector:
     {{- include "lagoon-logging.cdnLogsCollector.selectorLabels" . | nindent 4 }}
   ports: