From c6934283e80a3838913691aac273fe5b7ec6ee19 Mon Sep 17 00:00:00 2001 From: Brandon Williams Date: Tue, 30 Jul 2024 17:14:23 -0500 Subject: [PATCH 01/26] fix: lagoon-remote-ssh-core scale permissions --- charts/lagoon-remote/Chart.yaml | 13 +++---------- .../templates/ssh-core.clusterrole.yaml | 1 + 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index da82fc0af..39bcda00e 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -19,7 +19,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.92.0 +version: 0.93.0 dependencies: - name: lagoon-build-deploy @@ -40,12 +40,5 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | - - kind: changed - description: update values for local development - - kind: changed - description: bump minimum Kubernetes version to 1.25 - - kind: changed - description: update ssh-portal components to v0.37.0 - links: - - name: ssh-portal release - url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.0 + - kind: fixed + description: lagoon-remote-ssh-core scale permissions diff --git a/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml index 972503944..495d0a6ca 100644 --- a/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml +++ b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml @@ -13,6 +13,7 @@ rules: verbs: - get - update + - patch - apiGroups: - apps resources: From dec692df9cbb114736a405691bdfc09abe3c6292 Mon Sep 17 00:00:00 2001 
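Review bot: The added `patch` verb in ssh-core.clusterrole.yaml joins a rule whose `resources:` list sits above the hunk, so what it widens cannot be checked from here. Confirm that the rule covers only the scale subresource the commit title refers to and not the parent workload objects, since a ClusterRole grant applies in every namespace. A comment above the verbs, such as `# update/patch: required to scale workloads through the scale subresource`, would record why the grant exists and make later least-privilege reviews easier.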
From: shreddedbacon Date: Wed, 7 Aug 2024 12:43:26 +1000 Subject: [PATCH 02/26] feat: support for static hostkeys in ssh core --- charts/lagoon-core/Chart.yaml | 18 +----- charts/lagoon-core/ci/linter-values.yaml | 58 +++++++++++++++++++ .../lagoon-core/templates/ssh.deployment.yaml | 36 ++++++++++++ charts/lagoon-core/templates/ssh.secret.yaml | 22 +++++++ charts/lagoon-core/values.yaml | 6 ++ 5 files changed, 124 insertions(+), 16 deletions(-) create mode 100644 charts/lagoon-core/templates/ssh.secret.yaml diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 9c2c75185..71a1cddcc 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.46.0 +version: 1.46.1 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. @@ -41,18 +41,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: update values for local development - - kind: changed - description: bump minimum Kubernetes version to 1.25 - - kind: changed - description: added api-sidecar-handler container to api and webhooks2tasks - - kind: changed - description: update ssh-portal components to v0.37.0 - links: - - name: ssh-portal release - url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.0 - - kind: changed - description: update Lagoon appVersion to v2.20.0 - links: - - name: lagoon v2.20.0 release notes - url: https://docs.lagoon.sh/releases/2.20.0/ + description: add support for injecting hostkeys in core ssh service diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index c8916ba45..312824923 100644 --- a/charts/lagoon-core/ci/linter-values.yaml 
+++ b/charts/lagoon-core/ci/linter-values.yaml 
@@ -163,6 +163,64 @@ ssh: resources: requests: cpu: "10m" + hostKeys: + rsa: |- + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn + NhAAAAAwEAAQAAAYEA01PSVwpU00EAdkL7DXoMFjsMXWTcrMIw61jveHOxno/lpHhQuomI + CJAC0xVz/v7koDHXMSEpwKmhYmpe49qMJpximx/TE05kkuvCPBWUTfygLA01aszkfG3MKN + +rkunI3L0CXrxaSiZP0lgzKM6kYFitiN0H5JArxskQPcf5KvQShTkYzM3G0Z0k791T7FyY + CUiEBmKfu+k0zSE9vIflnsxlcdWH/rCpoSY4FZzHL4puuilvu9H4HmknH+bILFgV/t9U+U + ZFamq4VvhQXB7hZOTd25rBu5PvPeJ7LKg71T1xCpct/OquGfTspGmL/qv6PdcAAPlMFIOz + 2/ug+1/NHI8SwRDaB9h0q2ik4/mdHuou7rArtmXf8VBlIkpi7X0NYT/Nx3ngRFlHlYo7O9 + P4LVfV4/Bl53GiqCslf1rOsNpwiuG9VIH1dGzCw3YI3gNPihQPEUnJKFVmLRYd81MRv7xn + gFWZIJ3CkoRCTIHkGSfQ87raDtmWbGE7YdQvK2m9AAAFiDDW52Mw1udjAAAAB3NzaC1yc2 + EAAAGBANNT0lcKVNNBAHZC+w16DBY7DF1k3KzCMOtY73hzsZ6P5aR4ULqJiAiQAtMVc/7+ + 5KAx1zEhKcCpoWJqXuPajCacYpsf0xNOZJLrwjwVlE38oCwNNWrM5HxtzCjfq5LpyNy9Al + 68WkomT9JYMyjOpGBYrYjdB+SQK8bJED3H+Sr0EoU5GMzNxtGdJO/dU+xcmAlIhAZin7vp + NM0hPbyH5Z7MZXHVh/6wqaEmOBWcxy+Kbropb7vR+B5pJx/myCxYFf7fVPlGRWpquFb4UF + we4WTk3duawbuT7z3ieyyoO9U9cQqXLfzqrhn07KRpi/6r+j3XAAD5TBSDs9v7oPtfzRyP + EsEQ2gfYdKtopOP5nR7qLu6wK7Zl3/FQZSJKYu19DWE/zcd54ERZR5WKOzvT+C1X1ePwZe + dxoqgrJX9azrDacIrhvVSB9XRswsN2CN4DT4oUDxFJyShVZi0WHfNTEb+8Z4BVmSCdwpKE + QkyB5Bkn0PO62g7ZlmxhO2HULytpvQAAAAMBAAEAAAGANb5cgOxMtEkUr/7K0BuY1VKBC4 + NqJ7lfLYs5o51wr42S7mf2x+nQIbVWMo6DKHd0d1UVkBYKA0hglaHNrg7Xk74zyZWnXYKT + S1YP2K34QHkd1vYo/pdLCGX4BPEVNlCkV5bt8l/eansh07HAmQEshqAmyebEahlMOMrLiZ + rAwG7AAweJShSPGqHnUeUswbCurbW2ddVBIE3nsr9gbwD0oZUDu5Z9doVBLo2Et+JeObXw + AQImu1Jj0oAVhiRwBe8EekcISIOORJH5sXOQSUT1U1c8SEi2hexeBykOfBiWeWAKXl+IHy + fDGDx+7UNc+lxX/Y/VD22AUtVGvT8VgpfRrQEQ+1VzH8vinA8lk70nGaZ88efVQBOjwLSf + OpQTKXEIOz6kGEUSZa6+ifasW2bVm+Y4QBBuKaSgNo5Q6ajC8lHCtsQiBqZxKZqR2FxIz5 + J2slA7V1UEqa6G4XbgmMDuRd/35EGfIFr+XSyVuIz1+Qf5Pp0F+lHUHCbQMudIOBcVAAAA + wEZj+u+dfCZJEyDUrYVGpqbeOs8sevJg+DQ4GTtt6IkyXDwWUjhnvoRABhwQbcMEcj639y + 
8CjBIC+D10Zz5IOJhOiedio7IDl4og1o0SmwGRddsRIGYwCKTKrR/+H9IHPp7EcfElnZfE + 3kenOld0feseYQG94SnJFLY638mD/zqpFiWan2VypMmJtvNV5eWI4VrLdKzVtuVdF61xvd + mlrsEoQ1H98W7E9/zffCZJKTgYrt51tE0rV8u0HrBFbE8d1QAAAMEA/VyoWuGFIiIaHA32 + WTJ5+uOcp+CVLZzCCDlCKhrjnRBM0qlO7a7pyQ9j74LQ1+tw7QGvu9f5O9x3Ndaphr3DQG + Ner84JVBls6JMRURPiTHs+Tv5VfiPAXnsOmioIDe3X5oW5ikexkA2rVYR9RET0qW/txqJm + Xuve9AUfyC6GmsHpt2P7R6JF0jocYdVaSmzFrmx3F1d7j/vQkNklE9rGt4nB0dyY4ZnBi0 + Ffo8sEiku1TfbKzCILxHZnGhc6nl0DAAAAwQDVhx63rZcSA55I9zJDWoYZIKPtGnt2f2MZ + QnjH9CtDHrEjJigxGnaUo5+BDtDvh3Bjb8LVgK4vbSNESl8H7WeGsq9A8jsz1J6rwJ22hU + nqekQovL1icA0q16x3VWVfEpXbcuWjnKVE/zFGOXf01khUrW4Xu+idkYws9bGLdtvkMliG + IHdnz7MSzcqR4sWmI2naEt79rGLH3rK/blJpBfCU71wmtz93jYYOW7VQrW8zt1kXtx4fn3 + 9CZBLAoHn9gj8AAAARYmVuQHNocmVkZGVkYmFjb24BAg== + -----END OPENSSH PRIVATE KEY----- + ecdsa: |- + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS + 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ3ODLabuuNJtOWW+DCHMFB+ZuF6Fj9 + tUl/AkKo7tKXCsF39MWXs15+e+7zPw6SfRjOSe+DWoKNmInezvpO2kJMAAAAsNTQX8rU0F + /KAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb + 4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQk + wAAAAhAM1shfG9ZAFn1XxrmsGuqhXTuI+8W8VZJRIF+ucX6J+vAAAAEWJlbkBzaHJlZGRl + ZGJhY29uAQIDBAUG + -----END OPENSSH PRIVATE KEY----- + ed25519: |- + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcAAAAJhzIoyXcyKM + lwAAAAtzc2gtZWQyNTUxOQAAACC1kg8IaExTQNv4rZmkcIwfHc9P053fFQyeiZIZ4sftcA + AAAEAWTgia6XF7lvU5UrUbTq4GDvWVpa54m5OwAUqMLF5xXLWSDwhoTFNA2/itmaRwjB8d + z0/Tnd8VDJ6Jkhnix+1wAAAAEWJlbkBzaHJlZGRlZGJhY29uAQIDBA== + -----END OPENSSH PRIVATE KEY----- sshPortalAPI: enabled: true diff --git a/charts/lagoon-core/templates/ssh.deployment.yaml b/charts/lagoon-core/templates/ssh.deployment.yaml index 94c5e8141..63f9a3b2f 100644 
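Review bot: The three `hostKeys` values added to ci/linter-values.yaml are complete, unencrypted OpenSSH private keys committed to the repository, with nothing marking them as throwaway fixtures. Any deployment that copies this file as a starting point would present a host identity whose private half is public, so clients could no longer trust that endpoint. Add a comment directly above `hostKeys:` such as `# TEST-ONLY host keys for chart linting; never use outside CI`. Where the CI setup allows, generating the keys in the workflow and passing them in at install time would keep private key blocks out of the tree and out of secret-scanner findings.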
--- a/charts/lagoon-core/templates/ssh.deployment.yaml +++ b/charts/lagoon-core/templates/ssh.deployment.yaml @@ -68,6 +68,42 @@ spec: port: ssh resources: {{- toYaml .Values.ssh.resources | nindent 10 }} + volumeMounts: + {{- with .Values.ssh.hostKeys.ecdsa }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_ecdsa_key" + subPath: ssh_host_ecdsa_key + {{- end }} + {{- with .Values.ssh.hostKeys.ed25519 }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_ed25519_key" + subPath: ssh_host_ed25519_key + {{- end }} + {{- with .Values.ssh.hostKeys.rsa }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_rsa_key" + subPath: ssh_host_rsa_key + {{- end }} + volumes: + {{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ed25519 }} + - secret: + defaultMode: 432 + items: + {{- with .Values.ssh.hostKeys.rsa }} + - key: HOST_KEY_RSA + path: ssh_host_rsa_key + {{- end }} + {{- with .Values.ssh.hostKeys.ecdsa }} + - key: HOST_KEY_ECDSA + path: ssh_host_ecdsa_key + {{- end }} + {{- with .Values.ssh.hostKeys.ed25519 }} + - key: HOST_KEY_ED25519 + path: ssh_host_ed25519_key + {{- end }} + secretName: {{ include "lagoon-core.ssh.fullname" . }} + name: {{ include "lagoon-core.ssh.fullname" . }} + {{- end }} {{- with .Values.ssh.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/lagoon-core/templates/ssh.secret.yaml b/charts/lagoon-core/templates/ssh.secret.yaml new file mode 100644 index 000000000..d4e48f83e --- /dev/null +++ b/charts/lagoon-core/templates/ssh.secret.yaml 
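Review bot: `defaultMode: 432` on the new secret volume is decimal for octal 0660, which leaves the mounted host private keys group-readable and group-writable. Host private keys are conventionally 0600, and OpenSSH's sshd rejects private key files that carry group or other permission bits when it owns them, so this is worth checking against the sshd in the image (not visible here). Suggest `defaultMode: 384  # 0600`, or 256 for 0400 if nothing needs to rewrite the files. Separately, `volumeMounts:` and `volumes:` are emitted even when no key is configured and then render as empty keys; moving each inside the guard would keep the rendered manifest clean.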
@@ -0,0 +1,22 @@ +{{- if .Values.ssh.enabled -}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "lagoon-core.ssh.fullname" . }} + labels: + {{- include "lagoon-core.ssh.labels" . | nindent 4 }} +stringData: + {{- with .Values.ssh.hostKeys.ecdsa }} + HOST_KEY_ECDSA: | + {{- . | nindent 4 }} + {{- end }} + {{- with .Values.ssh.hostKeys.ed25519 }} + HOST_KEY_ED25519: | + {{- . | nindent 4 }} + {{- end }} + {{- with .Values.ssh.hostKeys.rsa }} + HOST_KEY_RSA: | + {{- . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index bab048c94..8902dbec8 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -778,6 +778,12 @@ ssh: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 + # host keys, PEM encoded + hostKeys: + ecdsa: "" + ed25519: "" + rsa: "" + workflows: enabled: true replicaCount: 2 From 69b6110fae14e4d605b0c449b983afa3c56eca90 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Thu, 8 Aug 2024 17:59:39 +1000 Subject: [PATCH 03/26] force action run From 2bc5153d91fa4d6dfcc0821dedb1e465a00c7bf9 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Fri, 9 Aug 2024 08:51:15 +1000 Subject: [PATCH 04/26] chore: add pubkey support too --- charts/lagoon-core/ci/linter-values.yaml | 3 +++ .../lagoon-core/templates/ssh.deployment.yaml | 27 +++++++++++++++++++ charts/lagoon-core/templates/ssh.secret.yaml | 12 +++++++++ charts/lagoon-core/values.yaml | 3 +++ 4 files changed, 45 insertions(+) diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index 312824923..9beab339b 100644 --- a/charts/lagoon-core/ci/linter-values.yaml +++ b/charts/lagoon-core/ci/linter-values.yaml 
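Review bot: ssh.secret.yaml takes the host private keys directly from `.Values.ssh.hostKeys.*`, so the key material also lives in whatever values file or command line supplies it and in the Helm release record stored in the cluster. An option to reference a pre-created Secret instead would let operators keep private keys out of values altogether; that needs a new value, so it is a design suggestion rather than a line fix. Until then, the `hostKeys` entry in values.yaml should state that the unsuffixed fields are private keys and must come from a protected values source rather than a committed file.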
@@ -164,6 +164,7 @@ ssh: requests: cpu: "10m" hostKeys: + rsaPub: "ssh-rsa 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" rsa: |- -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn @@ -203,6 +204,7 @@ ssh: IHdnz7MSzcqR4sWmI2naEt79rGLH3rK/blJpBfCU71wmtz93jYYOW7VQrW8zt1kXtx4fn3 9CZBLAoHn9gj8AAAARYmVuQHNocmVkZGVkYmFjb24BAg== -----END OPENSSH PRIVATE KEY----- + ecdsaPub: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDc4Mtpu640m05Zb4MIcwUH5m4XoWP21SX8CQqju0pcKwXf0xZezXn577vM/DpJ9GM5J74Nago2Yid7O+k7aQkw=" ecdsa: |- -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS @@ -213,6 +215,7 @@ ssh: wAAAAhAM1shfG9ZAFn1XxrmsGuqhXTuI+8W8VZJRIF+ucX6J+vAAAAEWJlbkBzaHJlZGRl ZGJhY29uAQIDBAUG -----END OPENSSH PRIVATE KEY----- + ed25519Pub: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWSDwhoTFNA2/itmaRwjB8dz0/Tnd8VDJ6Jkhnix+1w" ed25519: |- -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW diff --git a/charts/lagoon-core/templates/ssh.deployment.yaml b/charts/lagoon-core/templates/ssh.deployment.yaml index 63f9a3b2f..1b4852317 100644 --- a/charts/lagoon-core/templates/ssh.deployment.yaml +++ b/charts/lagoon-core/templates/ssh.deployment.yaml 
@@ -74,16 +74,31 @@ spec: mountPath: "/etc/ssh/ssh_host_ecdsa_key" subPath: ssh_host_ecdsa_key {{- end }} + {{- with .Values.ssh.hostKeys.ecdsaPub }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_ecdsa_key.pub" + subPath: ssh_host_ecdsa_pubkey + {{- end }} {{- with .Values.ssh.hostKeys.ed25519 }} - name: {{ include "lagoon-core.ssh.fullname" $ }} mountPath: "/etc/ssh/ssh_host_ed25519_key" subPath: ssh_host_ed25519_key {{- end }} + {{- with .Values.ssh.hostKeys.ed25519Pub }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_ed25519_key.pub" + subPath: ssh_host_ed25519_pubkey + {{- end }} {{- with .Values.ssh.hostKeys.rsa }} - name: {{ include "lagoon-core.ssh.fullname" $ }} mountPath: "/etc/ssh/ssh_host_rsa_key" subPath: ssh_host_rsa_key {{- end }} + {{- with .Values.ssh.hostKeys.rsaPub }} + - name: {{ include "lagoon-core.ssh.fullname" $ }} + mountPath: "/etc/ssh/ssh_host_rsa_key.pub" + subPath: ssh_host_rsa_pubkey + {{- end }} volumes: {{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ed25519 }} - secret: @@ -93,14 +108,26 @@ spec: - key: HOST_KEY_RSA path: ssh_host_rsa_key {{- end }} + {{- with .Values.ssh.hostKeys.rsaPub }} + - key: HOST_PUBKEY_RSA + path: ssh_host_rsa_pubkey + {{- end }} {{- with .Values.ssh.hostKeys.ecdsa }} - key: HOST_KEY_ECDSA path: ssh_host_ecdsa_key {{- end }} + {{- with .Values.ssh.hostKeys.ecdsaPub }} + - key: HOST_PUBKEY_ECDSA + path: ssh_host_ecdsa_pubkey + {{- end }} {{- with .Values.ssh.hostKeys.ed25519 }} - key: HOST_KEY_ED25519 path: ssh_host_ed25519_key {{- end }} + {{- with .Values.ssh.hostKeys.ed25519Pub }} + - key: HOST_PUBKEY_ED25519 + path: ssh_host_ed25519_pubkey + {{- end }} secretName: {{ include "lagoon-core.ssh.fullname" . }} name: {{ include "lagoon-core.ssh.fullname" . }} {{- end }} 
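Review bot: The `volumes:` guard kept as context at the end of the first hunk still tests only the private-key values (`.Values.ssh.hostKeys.rsa`, `.ecdsa`, `.ed25519`), while each new `*Pub` mount is gated on its own value. Setting only a public key therefore renders a `volumeMounts` entry naming a volume that is never defined, and the pod spec will be rejected. Either extend the guard to `{{- if or .Values.ssh.hostKeys.rsa .Values.ssh.hostKeys.rsaPub .Values.ssh.hostKeys.ecdsa .Values.ssh.hostKeys.ecdsaPub .Values.ssh.hostKeys.ed25519 .Values.ssh.hostKeys.ed25519Pub }}`, or nest each `*Pub` block inside the `with` of its private key in both hunks. Nothing here checks that a supplied public key belongs to the private key of the same type, so that requirement is worth stating in values.yaml.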
diff --git a/charts/lagoon-core/templates/ssh.secret.yaml b/charts/lagoon-core/templates/ssh.secret.yaml index d4e48f83e..00857fd96 100644 --- a/charts/lagoon-core/templates/ssh.secret.yaml +++ b/charts/lagoon-core/templates/ssh.secret.yaml @@ -11,12 +11,24 @@ stringData: HOST_KEY_ECDSA: | {{- . | nindent 4 }} {{- end }} + {{- with .Values.ssh.hostKeys.ecdsaPub }} + HOST_PUBKEY_ECDSA: | + {{- . | nindent 4 }} + {{- end }} {{- with .Values.ssh.hostKeys.ed25519 }} HOST_KEY_ED25519: | {{- . | nindent 4 }} {{- end }} + {{- with .Values.ssh.hostKeys.ed25519Pub }} + HOST_PUBKEY_ED25519: | + {{- . | nindent 4 }} + {{- end }} {{- with .Values.ssh.hostKeys.rsa }} HOST_KEY_RSA: | {{- . | nindent 4 }} {{- end }} + {{- with .Values.ssh.hostKeys.rsaPub }} + HOST_PUBKEY_RSA: | + {{- . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 8902dbec8..4b4a38eac 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -780,8 +780,11 @@ ssh: # host keys, PEM encoded hostKeys: + ecdsaPub: "" ecdsa: "" + ed25519Pub: "" ed25519: "" + rsaPub: "" rsa: "" workflows: From c29980a9467cbf4ab5de30fd1719763e87aaf356 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Fri, 9 Aug 2024 11:03:36 +1000 Subject: [PATCH 05/26] build: update Lagoon appVersion to v2.20.1 --- charts/lagoon-core/Chart.yaml | 6 ++++-- charts/lagoon-test/Chart.yaml | 10 +++------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 71a1cddcc..83d88a6ba 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml 
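Review bot: The comment `# host keys, PEM encoded` above `hostKeys:` in values.yaml no longer describes all six entries. Going by ci/linter-values.yaml, the `*Pub` values added in this hunk are single-line OpenSSH public keys rather than PEM blocks. The comment also does not say that the unsuffixed entries are private keys. Suggest replacing it with `# SSH host keys. ecdsa/ed25519/rsa are private keys (OpenSSH private key block); the *Pub entries are the matching single-line public keys. Empty values are not mounted.` and adding a line that private keys should be supplied from a protected values source, not committed.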
@@ -21,13 +21,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.46.1 +version: 1.47.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.20.0 +appVersion: v2.20.1 dependencies: - name: nats @@ -42,3 +42,5 @@ annotations: artifacthub.io/changes: | - kind: changed description: add support for injecting hostkeys in core ssh service + - kind: changed + description: update Lagoon appVersion to v2.20.1 diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml index 7a976396c..0efdc1e55 100644 --- a/charts/lagoon-test/Chart.yaml +++ b/charts/lagoon-test/Chart.yaml @@ -15,13 +15,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.58.0 +version: 0.59.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.20.0 +appVersion: v2.20.1 # This section is used to collect a changelog for artifacthub.io # It should be started afresh for each release @@ -29,8 +29,4 @@ appVersion: v2.20.0 annotations: artifacthub.io/changes: | - kind: changed - description: update values for local development - - kind: changed - description: bump minimum Kubernetes version to 1.25 - - kind: changed - description: update Lagoon appVersion to v2.20.0 + description: update Lagoon appVersion to v2.20.1 
From 785efe51c66fc4bcf0538b3f1bb31b44a3711832 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Thu, 15 Aug 2024 13:46:02 +1000 Subject: [PATCH 06/26] build: update insights-handler to v0.0.6 --- charts/lagoon-core/Chart.yaml | 9 +++++---- charts/lagoon-core/values.yaml | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 83d88a6ba..d13284fad 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.47.0 +version: 1.47.1 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. @@ -41,6 +41,7 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: add support for injecting hostkeys in core ssh service - - kind: changed - description: update Lagoon appVersion to v2.20.1 + description: update insights-handler to v0.0.6 + links: + - name: insights-remote v0.0.6 release + url: https://github.com/uselagoon/insights-handler/releases/tag/v0.0.6 diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 4b4a38eac..5b7236bec 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -630,7 +630,7 @@ insightsHandler: repository: uselagoon/insights-handler pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "v0.0.5" + tag: "v0.0.6" podAnnotations: {} From 4d374f0bb69866f7a50b8512034ad5f3025862a0 Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Thu, 15 Aug 2024 13:46:18 +1000 Subject: [PATCH 07/26] build: update insights-remote to v0.0.11 --- charts/lagoon-remote/Chart.yaml | 9 ++++++--- charts/lagoon-remote/values.yaml | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index 39bcda00e..2ee10e0a3 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -19,7 +19,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.93.0 +version: 0.93.1 dependencies: - name: lagoon-build-deploy @@ -40,5 +40,8 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | - - kind: fixed - description: lagoon-remote-ssh-core scale permissions + - kind: changed + description: update insights-remote to v0.0.11 + links: + - name: insights-remote v0.0.11 release + url: https://github.com/uselagoon/insights-remote/releases/tag/v0.0.11 diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml index adc2c8a47..b3ff90559 100644 --- a/charts/lagoon-remote/values.yaml +++ b/charts/lagoon-remote/values.yaml @@ -219,7 +219,7 @@ insightsRemote: repository: uselagoon/insights-remote pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "v0.0.10" + tag: "v0.0.11" imagePullSecrets: [] nameOverride: "" From b70e5b6b7859d87147115d4a7c5b47cf2f716821 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Thu, 15 Aug 2024 19:00:42 +1000 Subject: [PATCH 08/26] build: update logging-operator from 4.6.1 to 4.9.0 --- charts/lagoon-logging/Chart.lock | 6 +++--- charts/lagoon-logging/Chart.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/charts/lagoon-logging/Chart.lock b/charts/lagoon-logging/Chart.lock index 5cb42cded..e51d15ff5 100644 --- a/charts/lagoon-logging/Chart.lock +++ b/charts/lagoon-logging/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: logging-operator repository: oci://ghcr.io/kube-logging/helm-charts - version: 4.6.1 -digest: sha256:e746740d59c5de0162b79dbffbe5696f1e5204e122abad3ac76bc6a22bd3fb7b -generated: "2024-05-28T15:19:59.540195358+10:00" + version: 4.9.0 +digest: sha256:6c06a155e62a3716a1d549187a29e4fa8cdf59ddcf3bddec58e2abcb07ffa27d +generated: "2024-08-15T16:08:40.297734358+10:00" diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml index 927957f2c..1b83bb7a2 100644 --- a/charts/lagoon-logging/Chart.yaml +++ b/charts/lagoon-logging/Chart.yaml @@ -19,16 +19,16 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.83.0 +version: 0.84.0 # AppVersion is set here the same as the logging-operator chart version to # autopopulate the post-install CRD message. -appVersion: 4.6.1 +appVersion: 4.9.0 dependencies: - name: logging-operator repository: oci://ghcr.io/kube-logging/helm-charts - version: 4.6.1 + version: 4.9.0 condition: logging-operator.enabled # This section is used to collect a changelog for artifacthub.io @@ -38,4 +38,4 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/changes: | - kind: changed - description: update logging-operator from 4.2.3 to 4.6.1 and use oci registry + description: update logging-operator from 4.6.1 to 4.9.0 From 7ee8e04605ef77401431ea2b5d5c74b617412b94 Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Thu, 15 Aug 2024 19:00:59 +1000 Subject: [PATCH 09/26] build: update uselagoon/logs-concentrator from v3.4.0 to v3.5.0 --- charts/lagoon-logs-concentrator/Chart.yaml | 6 ++---- charts/lagoon-logs-concentrator/values.yaml | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/charts/lagoon-logs-concentrator/Chart.yaml b/charts/lagoon-logs-concentrator/Chart.yaml index 42e57fbe5..696399747 100644 --- a/charts/lagoon-logs-concentrator/Chart.yaml +++ b/charts/lagoon-logs-concentrator/Chart.yaml @@ -19,7 +19,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.49.0 +version: 0.50.0 # This section is used to collect a changelog for artifacthub.io # It should be started afresh for each release @@ -27,6 +27,4 @@ version: 0.49.0 annotations: artifacthub.io/changes: | - kind: changed - description: update uselagoon/logs-concentrator from v3.2.0 to v3.4.0 - - kind: changed - description: increase resource requests for logs-concentrator statefulset + description: update uselagoon/logs-concentrator from v3.4.0 to v3.5.0 diff --git a/charts/lagoon-logs-concentrator/values.yaml b/charts/lagoon-logs-concentrator/values.yaml index df7424bd9..a1e960f2d 100644 --- a/charts/lagoon-logs-concentrator/values.yaml +++ b/charts/lagoon-logs-concentrator/values.yaml @@ -12,7 +12,7 @@ image: repository: uselagoon/logs-concentrator pullPolicy: IfNotPresent # Overrides the image tag whose default is "latest". - tag: "v3.4.0" + tag: "v3.5.0" imagePullSecrets: [] nameOverride: "" From a99feebacdad0a7d8c8874dbd7b5c7ea1745a77a Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Thu, 15 Aug 2024 19:01:17 +1000 Subject: [PATCH 10/26] build: update uselagoon/logs-dispatcher from v3.6.0 to v3.7.0 --- charts/lagoon-logging/Chart.yaml | 2 ++ charts/lagoon-logging/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml index 1b83bb7a2..b6fff45db 100644 --- a/charts/lagoon-logging/Chart.yaml +++ b/charts/lagoon-logging/Chart.yaml @@ -39,3 +39,5 @@ annotations: artifacthub.io/changes: | - kind: changed description: update logging-operator from 4.6.1 to 4.9.0 + - kind: changed + description: update uselagoon/logs-dispatcher from v3.6.0 to v3.7.0 diff --git a/charts/lagoon-logging/values.yaml b/charts/lagoon-logging/values.yaml index 7ea91ae5b..e16c0201f 100644 --- a/charts/lagoon-logging/values.yaml +++ b/charts/lagoon-logging/values.yaml @@ -19,7 +19,7 @@ logsDispatcher: repository: uselagoon/logs-dispatcher pullPolicy: IfNotPresent # Overrides the image tag whose default is "latest". - tag: "v3.6.0" + tag: "v3.7.0" serviceAccount: # Specifies whether a service account should be created @@ -121,7 +121,7 @@ cdnLogsCollector: repository: uselagoon/logs-dispatcher pullPolicy: IfNotPresent # Overrides the image tag whose default is "latest". - tag: "v3.6.0" + tag: "v3.7.0" podAnnotations: {} From 5e5a014e4643e068bb8eb6fa2cefd4587b5482ae Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Thu, 15 Aug 2024 19:01:39 +1000 Subject: [PATCH 11/26] tests: enable insights-handler in ci --- charts/lagoon-core/ci/linter-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index 9beab339b..afd479ce0 100644 --- a/charts/lagoon-core/ci/linter-values.yaml +++ b/charts/lagoon-core/ci/linter-values.yaml 
@@ -142,9 +142,9 @@ backupHandler: cpu: "10m" insightsHandler: + enabled: true image: repository: uselagoon/insights-handler - tag: main logs2notifications: replicaCount: 1 From 7f49dbb1f77e6ce8ff6c87e3e541ea96e4e902bd Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Fri, 16 Aug 2024 14:16:56 +1000 Subject: [PATCH 12/26] build: update ssh-portal and ssh-token to v0.37.2 --- charts/lagoon-core/Chart.yaml | 5 +++++ charts/lagoon-core/values.yaml | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index d13284fad..c775e393a 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -45,3 +45,8 @@ annotations: links: - name: insights-remote v0.0.6 release url: https://github.com/uselagoon/insights-handler/releases/tag/v0.0.6 + - kind: changed + description: update ssh-portal and ssh-token to v0.37.2 + links: + - name: ssh-portal v0.37.2 release + url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.2 diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 5b7236bec..41ae684a2 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -885,7 +885,7 @@ sshPortalAPI: repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-portal-api pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.37.0" + tag: "v0.37.2" podAnnotations: {} @@ -958,7 +958,7 @@ sshToken: repository: ghcr.io/uselagoon/lagoon-ssh-portal/ssh-token pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.37.0" + tag: "v0.37.2" podAnnotations: {} From 6b664067425772cd79fba9d93a3daae213b63352 Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Mon, 2 Sep 2024 10:29:14 +1000 Subject: [PATCH 13/26] chore: add add broker-flag-enable pre-upgrade job --- .github/workflows/lint-test.yaml | 5 ++ charts/lagoon-core/Chart.yaml | 6 +- charts/lagoon-core/templates/_helpers.tpl | 9 +++ .../templates/broker.flag-enable.job.yaml | 63 +++++++++++++++++++ 4 files changed, 79 insertions(+), 4 deletions(-) create mode 100644 charts/lagoon-core/templates/broker.flag-enable.job.yaml diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 6db580e99..9e9e3b076 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -96,6 +96,11 @@ jobs: ct install --config ./default.ct.yaml --helm-extra-args "--timeout 30m" if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') }} + - name: Run chart-testing (upgrade changed next-release only) + run: | + ct install --upgrade --config ./default.ct.yaml --helm-extra-args "--timeout 30m" + if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') }} + - name: Run chart-testing (install all charts when required) run: ct install --config ./default.ct.yaml --helm-extra-args "--timeout 30m" --all if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') || contains(github.event.pull_request.labels.*.name, 'needs-testing') }} diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 83d88a6ba..c599d7350 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.47.0 +version: 1.48.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. 
@@ -41,6 +41,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: add support for injecting hostkeys in core ssh service - - kind: changed - description: update Lagoon appVersion to v2.20.1 + description: add broker-flag-enable pre-upgrade job diff --git a/charts/lagoon-core/templates/_helpers.tpl b/charts/lagoon-core/templates/_helpers.tpl index 5c5b09513..ec90ca698 100644 --- a/charts/lagoon-core/templates/_helpers.tpl +++ b/charts/lagoon-core/templates/_helpers.tpl @@ -240,6 +240,15 @@ app.kubernetes.io/instance: {{ .Release.Name }} +{{/* +Create a default fully qualified app name for broker-flag-enable job. +*/}} +{{- define "lagoon-core.brokerFlagEnable.fullname" -}} +{{- include "lagoon-core.fullname" . }}-broker-flag-enable +{{- end }} + + + {{/* Create a default fully qualified app name for auth-server. */}} diff --git a/charts/lagoon-core/templates/broker.flag-enable.job.yaml b/charts/lagoon-core/templates/broker.flag-enable.job.yaml new file mode 100644 index 000000000..2f0d84c60 --- /dev/null +++ b/charts/lagoon-core/templates/broker.flag-enable.job.yaml 
@@ -0,0 +1,63 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "lagoon-core.brokerFlagEnable.fullname" . }} + labels: + {{- include "lagoon-core.broker.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + backoffLimit: 2 + template: + metadata: + labels: + {{- include "lagoon-core.broker.selectorLabels" . | nindent 8 }} + spec: + restartPolicy: Never + securityContext: + {{- toYaml .Values.broker.securityContext | nindent 8 }} + terminationGracePeriodSeconds: 120 + containers: + - name: broker-flag-enable + args: + - /enable-feature-flags.sh + image: "{{ .Values.broker.image.repository }}:{{ coalesce .Values.broker.image.tag .Values.imageTag .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.broker.image.pullPolicy }} + command: + - /bin/sh + - -c + securityContext: + {{- toYaml .Values.broker.securityContext | nindent 10 }} + env: + - name: RABBITMQ_DEFAULT_PASS + valueFrom: + secretKeyRef: + name: {{ include "lagoon-core.broker.fullname" . }} + key: RABBITMQ_PASSWORD + - name: RABBITMQ_DEFAULT_USER + valueFrom: + secretKeyRef: + name: {{ include "lagoon-core.broker.fullname" . }} + key: RABBITMQ_USERNAME + - name: RABBITMQ_USE_LONGNAME + value: "true" + # these variables are used by the /cluster-rabbit.sh entrypoint + - name: POD_NAMESPACE + value: {{ .Release.Namespace | quote }} + - name: SERVICE_NAME + value: {{ include "lagoon-core.broker.fullname" . }} + {{- range $key, $val := .Values.broker.additionalEnvs }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + resources: + {{- toYaml .Values.broker.resources | nindent 10 }} + {{- with .Values.broker.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.broker.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} From 8bfff3a2198cfdbb37f3468ba34e117f00dae6ac Mon Sep 17 00:00:00 2001 
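Review bot: In charts/lagoon-core/templates/broker.flag-enable.job.yaml the same `.Values.broker.securityContext` map is rendered twice, as the pod-level `securityContext` (`nindent 8`) and again as the container-level `securityContext` (`nindent 10`). The two levels accept different fields (`fsGroup` is pod-only; `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` are container-only), so a key written for one level is rejected or ignored at the other, depending on API field validation. values.yaml is not part of this hunk, so which keys are set cannot be confirmed here; if the value carries container hardening, keep only the container-level block or feed the pod block from a separate pod-scoped value. The hook pod also holds the broker credentials and has no run-time bound, so adding `activeDeadlineSeconds: 600` (constructed value) under `spec:` would stop a hung script from holding the upgrade until Helm's timeout.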
From: Toby Bellwood Date: Mon, 2 Sep 2024 11:32:19 +1000 Subject: [PATCH 14/26] update logging-operator from 4.9.0 to 4.9.1 --- charts/lagoon-logging/Chart.lock | 6 +++--- charts/lagoon-logging/Chart.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/lagoon-logging/Chart.lock b/charts/lagoon-logging/Chart.lock index e51d15ff5..18691940f 100644 --- a/charts/lagoon-logging/Chart.lock +++ b/charts/lagoon-logging/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: logging-operator repository: oci://ghcr.io/kube-logging/helm-charts - version: 4.9.0 -digest: sha256:6c06a155e62a3716a1d549187a29e4fa8cdf59ddcf3bddec58e2abcb07ffa27d -generated: "2024-08-15T16:08:40.297734358+10:00" + version: 4.9.1 +digest: sha256:26b05aafbf9e1d92adfd10664ac225d8f07adc00e497369d563c4b12d445c108 +generated: "2024-09-02T11:31:43.731650736+10:00" diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml index b6fff45db..712da2c9a 100644 --- a/charts/lagoon-logging/Chart.yaml +++ b/charts/lagoon-logging/Chart.yaml @@ -23,12 +23,12 @@ version: 0.84.0 # AppVersion is set here the same as the logging-operator chart version to # autopopulate the post-install CRD message. -appVersion: 4.9.0 +appVersion: 4.9.1 dependencies: - name: logging-operator repository: oci://ghcr.io/kube-logging/helm-charts - version: 4.9.0 + version: 4.9.1 condition: logging-operator.enabled # This section is used to collect a changelog for artifacthub.io @@ -38,6 +38,6 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/changes: | - kind: changed - description: update logging-operator from 4.6.1 to 4.9.0 + description: update logging-operator from 4.6.1 to 4.9.1 - kind: changed description: update uselagoon/logs-dispatcher from v3.6.0 to v3.7.0 From f62e565e3f9eea437179edb20b20a085b4fb87aa Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Mon, 2 Sep 2024 18:47:03 +1000 Subject: [PATCH 15/26] chore: add crd settings for fluentbitNamespaceLabels --- charts/lagoon-logging/templates/logging.yaml | 2 ++ charts/lagoon-logging/values.yaml | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/charts/lagoon-logging/templates/logging.yaml b/charts/lagoon-logging/templates/logging.yaml index b5625d750..a7bbeb8c8 100644 --- a/charts/lagoon-logging/templates/logging.yaml +++ b/charts/lagoon-logging/templates/logging.yaml @@ -30,6 +30,8 @@ spec: # At the time of writing this just hits the metrics endpoint. # https://github.com/banzaicloud/logging-operator/blob/master/pkg/sdk/logging/api/v1beta1/logging_types.go#L452-L467 livenessDefaultCheck: true + filterKubernetes: + namespace_labels: {{ default "Off" .Values.fluentbitNamespaceLabels | quote }} {{- if .Values.fluentbitPrivileged }} security: securityContext: diff --git a/charts/lagoon-logging/values.yaml b/charts/lagoon-logging/values.yaml index e16c0201f..602b2e248 100644 --- a/charts/lagoon-logging/values.yaml +++ b/charts/lagoon-logging/values.yaml @@ -250,6 +250,10 @@ consolidateServiceIndices: false # sent to a third-party service and not to a central elasticsearch. enableDefaultForwarding: true +# Set this to "On" for the default behavior including kubernetes_namespace_name +# labels. In router-logs this could be confusing, but may be useful for debug. +fluentbitNamespaceLabels: "Off" + # Set how many Fluentd log forwarder pods should be running fluentdReplicaCount: 3 From 45c04f8bf6033188bcbcceaf7b0e121a7ff2f2d3 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Fri, 1 Dec 2023 13:13:29 +1100 Subject: [PATCH 16/26] chore: use internal keycloak service for api communications --- charts/lagoon-core/templates/api.deployment.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/charts/lagoon-core/templates/api.deployment.yaml b/charts/lagoon-core/templates/api.deployment.yaml index 4d15bed93..89f0d65c8 100644 
--- a/charts/lagoon-core/templates/api.deployment.yaml +++ b/charts/lagoon-core/templates/api.deployment.yaml @@ -59,13 +59,7 @@ spec: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET - name: KEYCLOAK_URL - {{- if .Values.keycloakFrontEndURL }} - value: {{ .Values.keycloakFrontEndURL }} - {{- else if .Values.keycloak.ingress.enabled }} - value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }} - {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - {{- end }} - name: REDIS_HOST value: {{ include "lagoon-core.apiRedis.fullname" . }} envFrom: @@ -154,13 +148,7 @@ spec: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET - name: KEYCLOAK_URL - {{- if .Values.keycloakFrontEndURL }} - value: {{ .Values.keycloakFrontEndURL }} - {{- else if .Values.keycloak.ingress.enabled }} - value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }} - {{- else }} value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - {{- end }} - name: KIBANA_URL value: {{ required "A valid .Values.kibanaURL required!" .Values.kibanaURL | quote }} - name: LAGOON_VERSION From a8b730fab35d377bc45243f65e1a7322ba674f76 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Thu, 5 Sep 2024 08:37:43 +1000 Subject: [PATCH 17/26] chore: add keycloak frontend url variable to api --- charts/lagoon-core/templates/api.deployment.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/lagoon-core/templates/api.deployment.yaml b/charts/lagoon-core/templates/api.deployment.yaml index 89f0d65c8..63d514b2d 100644 --- a/charts/lagoon-core/templates/api.deployment.yaml +++ b/charts/lagoon-core/templates/api.deployment.yaml 
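Review bot: With the ingress branches removed, `KEYCLOAK_URL` in both hunks of api.deployment.yaml (@@ -59 and @@ -154) always renders as `http://` plus the Keycloak service name and port, so API calls to Keycloak that use `KEYCLOAK_API_CLIENT_SECRET` now always cross the cluster network in cleartext, where an ingress-enabled install previously got `https://`. If that is intended, record the assumption next to the value, e.g. `# in-cluster service URL over plain HTTP; confidentiality relies on NetworkPolicy or mesh mTLS`. Tokens obtained through the public hostname may carry an issuer that differs from this internal URL; whether the API accepts that is not visible in these hunks. Both env lists continue outside the hunks.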
@@ -58,6 +58,14 @@ spec: secretKeyRef: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET + - name: KEYCLOAK_FRONTEND_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth + {{- end }} - name: KEYCLOAK_URL value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - name: REDIS_HOST @@ -147,6 +155,14 @@ spec: secretKeyRef: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET + - name: KEYCLOAK_FRONTEND_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }} + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }} + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} + {{- end }} - name: KEYCLOAK_URL value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - name: KIBANA_URL From 405b68b8ed85839b093344976e358743517708a1 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 10 Sep 2024 07:40:58 +1000 Subject: [PATCH 18/26] chore: add KEYCLOAK_FRONTEND_URL to api deployment --- charts/lagoon-core/Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index b3933b1be..f87a8d4cd 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -52,3 +52,5 @@ annotations: url: https://github.com/uselagoon/lagoon-ssh-portal/releases/tag/v0.37.2 - kind: changed description: add broker-flag-enable pre-upgrade job + - kind: changed + description: add KEYCLOAK_FRONTEND_URL variable to api deployment 
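Review bot: The new `KEYCLOAK_FRONTEND_URL` values in api.deployment.yaml are emitted unquoted and concatenated as-is, e.g. `value: {{ .Values.keycloakFrontEndURL }}/auth`. An operator-supplied URL with a trailing slash renders `//auth`, and a value containing ` #` or `: ` changes how the rendered YAML parses; `value: {{ printf "%s/auth" (trimSuffix "/" .Values.keycloakFrontEndURL) | quote }}` avoids both. The same applies to the `https://{{ index … }}` and `http://` branches, and to the matching lines in patches 19/26 and 20/26. Within this patch the second hunk (@@ -147) leaves off the `/auth` suffix that the first hunk adds; patch 20/26 aligns them.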
From c84b5b3ae84911e48231aa121aac7cc7fdb0e3e5 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Thu, 5 Sep 2024 08:37:43 +1000 Subject: [PATCH 19/26] chore: add keycloak frontend url variable to api --- charts/lagoon-core/templates/api.deployment.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/lagoon-core/templates/api.deployment.yaml b/charts/lagoon-core/templates/api.deployment.yaml index 89f0d65c8..1c96bca7a 100644 --- a/charts/lagoon-core/templates/api.deployment.yaml +++ b/charts/lagoon-core/templates/api.deployment.yaml @@ -58,6 +58,14 @@ spec: secretKeyRef: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET + - name: KEYCLOAK_FRONTEND_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth + {{- end }} - name: KEYCLOAK_URL value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - name: REDIS_HOST @@ -147,6 +155,14 @@ spec: secretKeyRef: name: {{ include "lagoon-core.keycloak.fullname" . }} key: KEYCLOAK_API_CLIENT_SECRET + - name: KEYCLOAK_FRONTEND_URL + {{- if .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth + {{- else if .Values.keycloak.ingress.enabled }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth + {{- else }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth + {{- end }} - name: KEYCLOAK_URL value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} - name: KIBANA_URL From e32c58ac00596fb8003003da8e6426074471f57a Mon Sep 17 00:00:00 2001 
From: shreddedbacon Date: Thu, 5 Sep 2024 08:37:43 +1000 Subject: [PATCH 20/26] chore: add keycloak frontend url variable to api --- charts/lagoon-core/templates/api.deployment.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/lagoon-core/templates/api.deployment.yaml b/charts/lagoon-core/templates/api.deployment.yaml index 63d514b2d..1c96bca7a 100644 --- a/charts/lagoon-core/templates/api.deployment.yaml +++ b/charts/lagoon-core/templates/api.deployment.yaml @@ -157,11 +157,11 @@ spec: key: KEYCLOAK_API_CLIENT_SECRET - name: KEYCLOAK_FRONTEND_URL {{- if .Values.keycloakFrontEndURL }} - value: {{ .Values.keycloakFrontEndURL }} + value: {{ .Values.keycloakFrontEndURL }}/auth {{- else if .Values.keycloak.ingress.enabled }} - value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }} + value: https://{{ index .Values.keycloak.ingress.hosts 0 "host" }}/auth {{- else }} - value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} + value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }}/auth {{- end }} - name: KEYCLOAK_URL value: http://{{ include "lagoon-core.keycloak.fullname" . }}:{{ .Values.keycloak.service.port }} From a765818ad4ac5317c0d159ebaa12069e7aa7cbed Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 10 Sep 2024 16:02:17 +1000 Subject: [PATCH 21/26] ci: update kind and kubernetes in CI --- .github/workflows/lint-test-matrix.yaml | 13 +++++++------ .github/workflows/lint-test.yaml | 6 +++--- .github/workflows/test-suite.yaml | 6 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/lint-test-matrix.yaml b/.github/workflows/lint-test-matrix.yaml index abb0a1ed0..8860c70b1 100644 --- a/.github/workflows/lint-test-matrix.yaml +++ b/.github/workflows/lint-test-matrix.yaml 
@@ -11,11 +11,12 @@ jobs: fail-fast: false matrix: kindest_node_version: - - v1.25.16@sha256:5da57dfc290ac3599e775e63b8b6c49c0c85d3fec771cd7d55b45fae14b38d3b - - v1.26.15@sha256:84333e26cae1d70361bb7339efb568df1871419f2019c80f9a12b7e2d485fe19 - - v1.27.13@sha256:17439fa5b32290e3ead39ead1250dca1d822d94a10d26f1981756cd51b24b9d8 - - v1.28.9@sha256:dca54bc6a6079dd34699d53d7d4ffa2e853e46a20cd12d619a09207e35300bd0 - - v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 + - v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025 + - v1.26.15@sha256:1cc15d7b1edd2126ef051e359bf864f37bbcf1568e61be4d2ed1df7a3e87b354 + - v1.27.17@sha256:3fd82731af34efe19cd54ea5c25e882985bafa2c9baefe14f8deab1737d9fabe + - v1.28.13@sha256:45d319897776e11167e4698f6b14938eb4d52eb381d9e3d7a9086c16c69a8110 + - v1.29.8@sha256:d46b7aa29567e93b27f7531d258c372e829d7224b25e3fc6ffdefed12476d3aa + - v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865 steps: - name: Checkout uses: actions/checkout@v4 @@ -43,7 +44,7 @@ jobs: - name: Create kind cluster uses: helm/kind-action@v1.10.0 with: - version: v0.23.0 + version: v0.24.0 node_image: kindest/node:${{ matrix.kindest_node_version }} if: | (steps.list-changed.outputs.changed == 'true') || diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 6db580e99..8bbcff891 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml 
@@ -78,9 +78,9 @@ jobs: - name: Create kind cluster uses: helm/kind-action@v1.10.0 with: - version: v0.23.0 - node_image: kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e - kubectl_version: v1.30.0 + version: v0.24.0 + node_image: kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114 + kubectl_version: v1.30.4 if: | (steps.list-changed.outputs.changed == 'true') || (contains(github.event.pull_request.labels.*.name, 'needs-testing')) diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index a57c4980d..88f13ea5b 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -77,9 +77,9 @@ jobs: (contains(github.event.pull_request.labels.*.name, 'needs-testing')) || (contains(github.event.pull_request.labels.*.name, 'next-release')) with: - version: v0.23.0 - node_image: kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e - kubectl_version: v1.30.0 + version: v0.24.0 + node_image: kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114 + kubectl_version: v1.30.4 config: test-suite.kind-config.yaml - name: Check node IP matches kind configuration From b73a87434d0d1c8632e0144506d77ac717716d80 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Tue, 10 Sep 2024 16:02:38 +1000 Subject: [PATCH 22/26] ci: configure network policies in CI --- charts/lagoon-docker-host/Chart.yaml | 4 ++-- .../lagoon-docker-host/ci/linter-values.yaml | 20 +++++++++++++++++++ charts/lagoon-remote/Chart.yaml | 6 +++--- .../templates/tests/test-connection.yaml | 18 ----------------- 4 files changed, 25 insertions(+), 23 deletions(-) delete mode 100644 charts/lagoon-remote/templates/tests/test-connection.yaml diff --git a/charts/lagoon-docker-host/Chart.yaml b/charts/lagoon-docker-host/Chart.yaml index 6803cf32d..7a1ca4cca 100644 --- a/charts/lagoon-docker-host/Chart.yaml 
+++ b/charts/lagoon-docker-host/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.3.0 +version: 0.3.1 appVersion: v3.5.0 @@ -26,4 +26,4 @@ appVersion: v3.5.0 annotations: artifacthub.io/changes: | - kind: changed - description: update docker-host from v3.3.0 to v3.5.0 + description: configure network policy for CI diff --git a/charts/lagoon-docker-host/ci/linter-values.yaml b/charts/lagoon-docker-host/ci/linter-values.yaml index 579baa2b4..ff1c0f09c 100644 --- a/charts/lagoon-docker-host/ci/linter-values.yaml +++ b/charts/lagoon-docker-host/ci/linter-values.yaml @@ -1,2 +1,22 @@ storage: size: 50Gi +networkPolicy: + # Specifies whether the docker-host network policy should be enabled + enabled: true + # Specify the policy to apply, useful to change who can access the docker-host + # This default policy just replicates the existing docker-host + policy: + - namespaceSelector: + matchExpressions: + - key: lagoon.sh/environment + operator: Exists + podSelector: + matchExpressions: + - key: lagoon.sh/buildName + operator: Exists + - podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - lagoon-docker-host diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index 39bcda00e..2699ebe47 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -19,7 +19,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.93.0 +version: 0.93.1 dependencies: - name: lagoon-build-deploy 
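Review bot: The comment added in charts/lagoon-docker-host/ci/linter-values.yaml, `# This default policy just replicates the existing docker-host`, stops mid-sentence and does not say what the selectors admit, although this list decides who can reach docker-host. A comment such as `# allow build pods (lagoon.sh/buildName) in environment namespaces (lagoon.sh/environment), plus lagoon-docker-host pods` above `policy:` would make the intent reviewable. How the chart template consumes `policy` (presumably as NetworkPolicy ingress peers) is not visible in this hunk. With the lagoon-remote connection test deleted in the same patch, nothing shown here checks that a pod without these labels is refused.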
@@ -40,5 +40,5 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | - - kind: fixed - description: lagoon-remote-ssh-core scale permissions + - kind: changed + description: remove docker-host connection test in CI diff --git a/charts/lagoon-remote/templates/tests/test-connection.yaml b/charts/lagoon-remote/templates/tests/test-connection.yaml deleted file mode 100644 index e0e7087da..000000000 --- a/charts/lagoon-remote/templates/tests/test-connection.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "lagoon-remote.dockerHost.fullname" . }}-test-connection" - labels: - {{- include "lagoon-remote.dockerHost.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: nc - image: busybox - command: ['nc'] - args: - - "-zvw5" - - "docker-host" - - "{{ .Values.dockerHost.service.port }}" - restartPolicy: Never From 446eced2f08584658349e32c698020e971d634b6 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Wed, 11 Sep 2024 07:47:28 +1000 Subject: [PATCH 23/26] chore: fixup chart.yaml --- charts/lagoon-remote/Chart.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index acce0b2c6..8b3719559 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -42,7 +42,6 @@ annotations: artifacthub.io/changes: | - kind: changed description: remove docker-host connection test in CI - artifacthub.io/changes: | - kind: changed description: update insights-remote to v0.0.11 links: From 30c5869b69e5c37ed2ceeeb2febd9d4bf1f3d025 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Mon, 16 Sep 2024 10:14:03 +1000 Subject: [PATCH 24/26] force action run From 3afddb40038c9921539f4d3e34bb77d9f043f33e Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Tue, 17 Sep 2024 11:00:32 +1000 Subject: [PATCH 25/26] build: update Lagoon appVersion to v2.21.0 --- charts/lagoon-core/Chart.yaml | 7 ++++++- charts/lagoon-test/Chart.yaml | 6 +++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index f87a8d4cd..7de6f1a51 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -27,7 +27,7 @@ version: 1.48.0 # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.20.1 +appVersion: v2.21.0 dependencies: - name: nats @@ -40,6 +40,11 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | + - kind: changed + description: update Lagoon appVersion to v2.21.0 + links: + - name: lagoon-core v2.21.0 release + url: https://github.com/uselagoon/lagoon/releases/tag/v2.21.0 - kind: changed description: update insights-handler to v0.0.6 links: diff --git a/charts/lagoon-test/Chart.yaml b/charts/lagoon-test/Chart.yaml index 0efdc1e55..fdd1d157f 100644 --- a/charts/lagoon-test/Chart.yaml +++ b/charts/lagoon-test/Chart.yaml @@ -15,13 +15,13 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.59.0 +version: 0.60.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. # Versions are not expected to follow Semantic Versioning. They should reflect # the version the application is using. -appVersion: v2.20.1 +appVersion: v2.21.0 # This section is used to collect a changelog for artifacthub.io # It should be started afresh for each release 
@@ -29,4 +29,4 @@ appVersion: v2.20.1 annotations: artifacthub.io/changes: | - kind: changed - description: update Lagoon appVersion to v2.20.1 + description: update Lagoon appVersion to v2.21.0 From d1d260d421e4de4fbc6084a8a36c80033b4ae177 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Thu, 3 Oct 2024 12:49:21 +1000 Subject: [PATCH 26/26] chore: remove unused banzaicloud-stable repo --- .github/workflows/lint-test.yaml | 1 - .github/workflows/release.yaml | 1 - default.ct.yaml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 88661cd0d..c0b645870 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -10,7 +10,6 @@ jobs: uses: actions/checkout@v4 - name: Add dependency chart repos run: | - helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com helm repo add lagoon https://uselagoon.github.io/lagoon-charts/ helm repo add amazeeio https://amazeeio.github.io/charts/ helm repo add nats https://nats-io.github.io/k8s/helm/charts/ diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b03949dcb..428d9a9cd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,7 +21,6 @@ jobs: - name: Add dependency chart repos run: | - helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com helm repo add lagoon https://uselagoon.github.io/lagoon-charts/ helm repo add amazeeio https://amazeeio.github.io/charts/ helm repo add nats https://nats-io.github.io/k8s/helm/charts/ diff --git a/default.ct.yaml b/default.ct.yaml index 9341d51a2..87005ddbb 100644 --- a/default.ct.yaml +++ b/default.ct.yaml @@ -5,7 +5,6 @@ target-branch: main chart-dirs: - charts chart-repos: -- banzaicloud-stable=https://kubernetes-charts.banzaicloud.com - lagoon=https://uselagoon.github.io/lagoon-charts/ - amazeeio=https://amazeeio.github.io/charts/ - nats=https://nats-io.github.io/k8s/helm/charts/