Merge branch 'main' into release

particuleio · Feb 7, 2025 · 3e54c54 · 3e54c54
2 parents 381eb68 + 7f9debf
commit 3e54c54
Show file tree

Hide file tree

Showing 16 changed files with 68 additions and 56 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/[email protected].1
+        uses: clowdhaus/[email protected].2
         with:
           directory: ${{ matrix.directory }}
 
@@ -70,7 +70,7 @@ jobs:
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/[email protected].1
+        uses: clowdhaus/[email protected].2
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
         uses: clowdhaus/terraform-composite-actions/[email protected]

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.96.3
+  rev: v1.97.3
   hooks:
     - id: terraform_fmt
     - id: terraform_validate
@@ -14,6 +14,6 @@ repos:
     - id: check-merge-conflict
     - id: end-of-file-fixer
 - repo: https://github.com/renovatebot/pre-commit-hooks
-  rev: 39.91.2
+  rev: 39.164.0
   hooks:
     - id: renovate-config-validator
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
@@ -6,10 +6,10 @@ dependencies:
     version: 0.13.2
     repository: https://charts.admiralty.io
   - name: secrets-store-csi-driver
-    version: 1.4.7
+    version: 1.4.8
     repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
   - name: aws-ebs-csi-driver
-    version: 2.38.1
+    version: 2.39.3
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver
     version: 3.1.5
@@ -24,16 +24,16 @@ dependencies:
     version: 0.21.0
     repository: https://aws.github.io/eks-charts
   - name: cert-manager
-    version: v1.16.2
+    version: v1.17.0
     repository: https://charts.jetstack.io
   - name: cert-manager-csi-driver
-    version: v0.10.1
+    version: v0.10.2
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.45.0
+    version: 9.46.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
-    version: 1.15.0
+    version: 1.15.1
     repository: https://kubernetes-sigs.github.io/external-dns/
   - name: flux
     version: 1.13.3
@@ -48,16 +48,16 @@ dependencies:
     version: 1.7.2
     repository: https://charts.helm.sh/stable
   - name: karpenter
-    version: 1.1.1
+    version: 1.2.1
     repository: oci://public.ecr.aws/karpenter
   - name: keda
     version: 2.16.1
     repository: https://kedacore.github.io/charts
   - name: kong
-    version: 2.46.0
+    version: 2.47.0
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 67.11.0
+    version: 69.2.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: linkerd2-cni
     version: 30.12.2
@@ -72,7 +72,7 @@ dependencies:
     version: 30.12.11
     repository: https://helm.linkerd.io/stable
   - name: loki
-    version: 6.24.0
+    version: 6.25.1
     repository: https://grafana.github.io/helm-charts
   - name: promtail
     version: 6.16.6
@@ -90,31 +90,31 @@ dependencies:
     version: 0.26.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-blackbox-exporter
-    version: 9.1.0
+    version: 9.2.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: scaleway-webhook
     version: v0.0.1
     repository: https://particuleio.github.io/charts
   - name: sealed-secrets
-    version: 2.17.0
+    version: 2.17.1
     repository: https://bitnami-labs.github.io/sealed-secrets
   - name: oci://registry-1.docker.io/bitnamicharts/thanos
     version: 15.9.2
     repository: ""
   - name: tigera-operator
-    version: v3.29.1
+    version: v3.29.2
     repository: https://docs.projectcalico.org/charts
   - name: traefik
-    version: 33.2.1
+    version: 34.3.0
     repository: https://helm.traefik.io/traefik
   - name: oci://registry-1.docker.io/bitnamicharts/memcached
     version: 7.5.3
     repository: ""
   - name: velero
-    version: 8.2.0
+    version: 8.3.0
     repository: https://vmware-tanzu.github.io/helm-charts
   - name: victoria-metrics-k8s-stack
-    version: 0.33.4
+    version: 0.36.0
     repository: https://victoriametrics.github.io/helm-charts/
   - name: yet-another-cloudwatch-exporter
     version: 0.14.0

diff --git a/modules/aws/kube-prometheus.tf b/modules/aws/kube-prometheus.tf
@@ -18,6 +18,7 @@ locals {
       thanos_create_bucket              = true
       thanos_bucket                     = "thanos-store-${var.cluster-name}"
       thanos_bucket_force_destroy       = false
+      thanos_bucket_enforce_tls         = false
       thanos_store_config               = null
       thanos_version                    = "v0.37.2"
       enabled                           = false
@@ -418,6 +419,8 @@ module "kube-prometheus-stack_thanos_bucket" {
     target_prefix = "${var.cluster-name}/${local.kube-prometheus-stack.name}/"
   } : {}
 
+  attach_deny_insecure_transport_policy = local.kube-prometheus-stack["thanos_bucket_enforce_tls"]
+
   tags = local.tags
 }
 

diff --git a/modules/aws/loki-stack.tf b/modules/aws/loki-stack.tf
@@ -16,6 +16,7 @@ locals {
       bucket                    = "loki-store-${var.cluster-name}"
       bucket_lifecycle_rule     = []
       bucket_force_destroy      = false
+      bucket_enforce_tls        = false
       generate_ca               = true
       trusted_ca_content        = null
       create_promtail_cert      = true
@@ -206,6 +207,8 @@ module "loki_bucket" {
     target_prefix = "${var.cluster-name}/${local.loki-stack.name}/"
   } : {}
 
+  attach_deny_insecure_transport_policy = local.loki-stack["bucket_enforce_tls"]
+
   tags = local.tags
 
   lifecycle_rule = local.loki-stack["bucket_lifecycle_rule"]

diff --git a/modules/aws/thanos.tf b/modules/aws/thanos.tf
@@ -18,6 +18,7 @@ locals {
       create_bucket             = false
       bucket                    = "thanos-store-${var.cluster-name}"
       bucket_force_destroy      = false
+      bucket_enforce_tls        = false
       generate_ca               = false
       trusted_ca_content        = null
       name_prefix               = "${var.cluster-name}-thanos"
@@ -294,6 +295,8 @@ module "thanos_bucket" {
     target_prefix = "${var.cluster-name}/${local.thanos.name}/"
   } : {}
 
+  attach_deny_insecure_transport_policy = local.thanos["bucket_enforce_tls"]
+
   tags = local.tags
 }
 

diff --git a/modules/aws/velero.tf b/modules/aws/velero.tf
@@ -14,6 +14,7 @@ locals {
       create_bucket             = true
       bucket                    = "${var.cluster-name}-velero"
       bucket_force_destroy      = false
+      bucket_enforce_tls        = false
       allowed_cidrs             = ["0.0.0.0/0"]
       default_network_policy    = true
       kms_key_arn_access_list   = []
@@ -186,6 +187,8 @@ module "velero_thanos_bucket" {
     target_prefix = "${var.cluster-name}/${local.velero.name}/"
   } : {}
 
+  attach_deny_insecure_transport_policy = local.velero.bucket_enforce_tls
+
   tags = local.tags
 }
 

diff --git a/modules/google/README.md b/modules/google/README.md
@@ -48,30 +48,30 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cert_manager_workload_identity"></a> [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0.0 |
-| <a name="module_external_dns_workload_identity"></a> [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0.0 |
-| <a name="module_iam_assumable_sa_kube-prometheus-stack_grafana"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_kube-prometheus-stack_thanos"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_loki-stack"></a> [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-compactor"></a> [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-receive"></a> [iam\_assumable\_sa\_thanos-receive](#module\_iam\_assumable\_sa\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-receive-compactor"></a> [iam\_assumable\_sa\_thanos-receive-compactor](#module\_iam\_assumable\_sa\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-receive-receive"></a> [iam\_assumable\_sa\_thanos-receive-receive](#module\_iam\_assumable\_sa\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-receive-sg"></a> [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-sg"></a> [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_thanos-storegateway"></a> [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
-| <a name="module_iam_assumable_sa_velero"></a> [iam\_assumable\_sa\_velero](#module\_iam\_assumable\_sa\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 35.0 |
+| <a name="module_cert_manager_workload_identity"></a> [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0.0 |
+| <a name="module_external_dns_workload_identity"></a> [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0.0 |
+| <a name="module_iam_assumable_sa_kube-prometheus-stack_grafana"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_kube-prometheus-stack_thanos"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_loki-stack"></a> [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-compactor"></a> [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-receive"></a> [iam\_assumable\_sa\_thanos-receive](#module\_iam\_assumable\_sa\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-receive-compactor"></a> [iam\_assumable\_sa\_thanos-receive-compactor](#module\_iam\_assumable\_sa\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-receive-receive"></a> [iam\_assumable\_sa\_thanos-receive-receive](#module\_iam\_assumable\_sa\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-receive-sg"></a> [iam\_assumable\_sa\_thanos-receive-sg](#module\_iam\_assumable\_sa\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-sg"></a> [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_thanos-storegateway"></a> [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
+| <a name="module_iam_assumable_sa_velero"></a> [iam\_assumable\_sa\_velero](#module\_iam\_assumable\_sa\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 36.0 |
 | <a name="module_kube-prometheus-stack_grafana-iam-member"></a> [kube-prometheus-stack\_grafana-iam-member](#module\_kube-prometheus-stack\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 8.0 |
 | <a name="module_kube-prometheus-stack_kube-prometheus-stack_bucket"></a> [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
-| <a name="module_kube-prometheus-stack_thanos_kms_bucket"></a> [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
+| <a name="module_kube-prometheus-stack_thanos_kms_bucket"></a> [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
 | <a name="module_loki-stack_bucket"></a> [loki-stack\_bucket](#module\_loki-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
-| <a name="module_loki-stack_kms_bucket"></a> [loki-stack\_kms\_bucket](#module\_loki-stack\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
+| <a name="module_loki-stack_kms_bucket"></a> [loki-stack\_kms\_bucket](#module\_loki-stack\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
 | <a name="module_thanos-receive_bucket"></a> [thanos-receive\_bucket](#module\_thanos-receive\_bucket) | terraform-google-modules/cloud-storage/google | ~> 9.0 |
-| <a name="module_thanos-receive_kms_bucket"></a> [thanos-receive\_kms\_bucket](#module\_thanos-receive\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
+| <a name="module_thanos-receive_kms_bucket"></a> [thanos-receive\_kms\_bucket](#module\_thanos-receive\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
 | <a name="module_thanos-storegateway_bucket_iam"></a> [thanos-storegateway\_bucket\_iam](#module\_thanos-storegateway\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |
 | <a name="module_thanos_bucket"></a> [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 9.0 |
-| <a name="module_thanos_kms_bucket"></a> [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
-| <a name="module_velero_bucket"></a> [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v9.0.0 |
+| <a name="module_thanos_kms_bucket"></a> [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |
+| <a name="module_velero_bucket"></a> [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v9.0.2 |
 
 ## Resources
 

diff --git a/modules/google/cert-manager.tf b/modules/google/cert-manager.tf
@@ -58,7 +58,7 @@ VALUES
 module "cert_manager_workload_identity" {
   count               = local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version             = "~> 35.0.0"
+  version             = "~> 36.0.0"
   name                = local.cert-manager.service_account_name
   namespace           = local.cert-manager.namespace
   project_id          = local.cert-manager.project_id

diff --git a/modules/google/external-dns.tf b/modules/google/external-dns.tf
@@ -55,7 +55,7 @@ locals {
 # to be allowed to use the workload identity on GKE.
 module "external_dns_workload_identity" {
   source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version = "~> 35.0.0"
+  version = "~> 36.0.0"
 
   for_each = { for k, v in local.external-dns : k => v if v.enabled && v.create_iam_resources }
 

diff --git a/modules/google/kube-prometheus.tf b/modules/google/kube-prometheus.tf
@@ -283,7 +283,7 @@ VALUES
 module "iam_assumable_sa_kube-prometheus-stack_grafana" {
   count               = local.kube-prometheus-stack["enabled"] ? 1 : 0
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version             = "~> 35.0"
+  version             = "~> 36.0"
   namespace           = local.kube-prometheus-stack["namespace"]
   project_id          = var.project_id
   name                = local.kube-prometheus-stack["grafana_service_account_name"]
@@ -294,7 +294,7 @@ module "iam_assumable_sa_kube-prometheus-stack_grafana" {
 module "iam_assumable_sa_kube-prometheus-stack_thanos" {
   count               = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_sidecar_enabled"] ? 1 : 0
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version             = "~> 35.0"
+  version             = "~> 36.0"
   namespace           = local.kube-prometheus-stack["namespace"]
   project_id          = var.project_id
   name                = "${local.kube-prometheus-stack["name_prefix"]}-thanos"
@@ -345,7 +345,7 @@ module "kube-prometheus-stack_grafana-iam-member" {
 module "kube-prometheus-stack_thanos_kms_bucket" {
   count   = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_create_bucket"] && local.kube-prometheus-stack["thanos_sidecar_enabled"] ? 1 : 0
   source  = "terraform-google-modules/kms/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id = var.project_id
   location   = data.google_client_config.current.region

diff --git a/modules/google/loki-stack.tf b/modules/google/loki-stack.tf
@@ -77,7 +77,7 @@ locals {
 module "iam_assumable_sa_loki-stack" {
   count               = local.loki-stack["enabled"] ? 1 : 0
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version             = "~> 35.0"
+  version             = "~> 36.0"
   namespace           = local.loki-stack["namespace"]
   project_id          = var.project_id
   name                = local.loki-stack.service_account_name
@@ -159,7 +159,7 @@ resource "helm_release" "loki-stack" {
 module "loki-stack_kms_bucket" {
   count   = local.loki-stack["enabled"] && local.loki-stack["create_bucket"] ? 1 : 0
   source  = "terraform-google-modules/kms/google"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   project_id = var.project_id
   location   = local.loki-stack["kms_bucket_location"]