feat(base-cluster): ensure compatibility with k8s v1.27.x (#212)

* feat(base-cluster): ensure compatibility with k8s v1.25.x * feat(base-cluster): edit README template * feat(base-cluster): upgrade major chart version * chore: Update 'README.md's * feat(base-cluster): upgrade traefik and stash chart versions * fix(base-cluster): respect traefik upgrade notes * docs: update base-cluster docu * chore: Update 'README.md's * chore(deps): update docker image tags update docker.io/bitnami/kubectl docker tag to v1.29.2 update docker.io/alpine/helm docker tag to v3.14.2 * feat(base-cluster): update oauth2-proxy chart * feat(base-cluster): update docs for oauth2-proxy chart upgrade * chore: Update 'README.md's * docs(base-cluster): edit README template * chore: Update 'README.md's * docs(base-cluster): edit README template * chore: Update 'README.md's * docs(base-cluster): edit README template * chore: Update 'README.md's --------- Co-authored-by: jpkraemer-mg <jpkraemer-mg@users.noreply.github.com>
4ALLPORTAL · Mar 11, 2024 · 9bc1d0a · 9bc1d0a
1 parent 76870da
commit 9bc1d0a
Show file tree

Hide file tree

Showing 11 changed files with 61 additions and 21 deletions.
diff --git a/charts/base-cluster/Chart.yaml b/charts/base-cluster/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A generic, base cluster setup
 name: base-cluster
-version: 38.0.9
+version: 39.0.0
 home: "https://4allportal.com"
 maintainers:
   - name: jpkraemer-mg

diff --git a/charts/base-cluster/README.md b/charts/base-cluster/README.md
@@ -1,6 +1,6 @@
 # base-cluster
 
-![Version: 38.0.9](https://img.shields.io/badge/Version-38.0.9-informational?style=flat-square)
+![Version: 39.0.0](https://img.shields.io/badge/Version-39.0.0-informational?style=flat-square)
 
 A generic, base cluster setup
 
@@ -78,12 +78,12 @@ This helm chart requires flux v2 to be installed (https://fluxcd.io/docs/install
 | global.clusterName | string | `"eu-west-1"` |  |
 | global.helm.image.registry | string | `"docker.io"` |  |
 | global.helm.image.repository | string | `"alpine/helm"` |  |
-| global.helm.image.tag | string | `"3.12.3"` |  |
+| global.helm.image.tag | string | `"3.14.2"` |  |
 | global.imageCredentials | object | `{}` |  |
 | global.imageRegistry | string | `""` |  |
 | global.kubectl.image.registry | string | `"docker.io"` |  |
 | global.kubectl.image.repository | string | `"bitnami/kubectl"` |  |
-| global.kubectl.image.tag | string | `"1.27.3"` |  |
+| global.kubectl.image.tag | string | `"1.29.2"` |  |
 | global.networkPolicy.dnsLabels."io.kubernetes.pod.namespace" | string | `"kube-system"` |  |
 | global.networkPolicy.dnsLabels.k8s-app | string | `"kube-dns"` |  |
 | global.networkPolicy.metricsLabels."app.kubernetes.io/name" | string | `"prometheus"` |  |
@@ -325,9 +325,27 @@ This update removes the old security scanner estafette and installs aquasecuriti
 
 ### To 37.1.6
 
-You can now add an email configuration for the alertmanager. If your email server uses port 456 SMARTTLS will be disabled automaticaly. It is also possible to add custome routes for the alertmanager. For the syntax please refer to the alertmanager [documentation](https://prometheus.io/docs/alerting/latest/configuration/) or our values.schema.json.
+You can now add an email configuration for the alertmanager. If your email server uses port 456 SMARTTLS will be disabled automatically. It is also possible to add custom routes for the alertmanager. For the syntax please refer to the alertmanager [documentation](https://prometheus.io/docs/alerting/latest/configuration/) or our values.schema.json.
 
 ### To 38.0.0
 
-Before executing the upgrade you have to modify the traefik helmrelease and disable the podsecuritypolicy yourself. After that proceed with the following instruction.
-This  update upgrades the ingress controller traefik with its helm chart to 23.x.x. There are a some that you need to be aware of. The clusterrole will be renamed and the PodPolicy will be delete because it is deprecated since k8s version 1.25. In order to perform this update you have to delete the traefik deployment manualy.
+Before executing the upgrade you have to modify the traefik helmrelease and disable the PodSecurityPolicy yourself. After that proceed with the following instruction.
+This  update upgrades the ingress controller traefik with its helm chart to 23.x.x. There are some required changes that you need to be aware of. The clusterrole will be renamed and the PodPolicy will be delete because it is deprecated since k8s version 1.25. In order to perform this update you have to delete the traefik deployment manually.
+
+### To 39.0.0
+
+This update ensures compatibility with k8s v1.27.x, which no longer supports several api versions. It also upgrades the traefik chart to 25.x.x, as well as the oauth2-proxy chart to v3.x.x.
+The upgrade to k8s v1.27.x also removes the in-tree AWS storage drivers.
+Please check the following (urgent) upgrade notes before upgrading:
+
+[traefik release notes](https://github.com/traefik/traefik-helm-chart/releases/tag/v25.0.0)
+
+[k8s upgrade notes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes)
+
+[redis 7.0 release notes](https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES) before upgrading.
diff --git a/charts/base-cluster/README.md.gotmpl b/charts/base-cluster/README.md.gotmpl
@@ -125,9 +125,27 @@ This update removes the old security scanner estafette and installs aquasecuriti
 
 ### To 37.1.6
 
-You can now add an email configuration for the alertmanager. If your email server uses port 456 SMARTTLS will be disabled automaticaly. It is also possible to add custome routes for the alertmanager. For the syntax please refer to the alertmanager [documentation](https://prometheus.io/docs/alerting/latest/configuration/) or our values.schema.json. 
+You can now add an email configuration for the alertmanager. If your email server uses port 456 SMARTTLS will be disabled automatically. It is also possible to add custom routes for the alertmanager. For the syntax please refer to the alertmanager [documentation](https://prometheus.io/docs/alerting/latest/configuration/) or our values.schema.json.
 
 ### To 38.0.0
 
-Before executing the upgrade you have to modify the traefik helmrelease and disable the podsecuritypolicy yourself. After that proceed with the following instruction.
-This  update upgrades the ingress controller traefik with its helm chart to 23.x.x. There are a some that you need to be aware of. The clusterrole will be renamed and the PodPolicy will be delete because it is deprecated since k8s version 1.25. In order to perform this update you have to delete the traefik deployment manualy. 
+Before executing the upgrade you have to modify the traefik helmrelease and disable the PodSecurityPolicy yourself. After that proceed with the following instruction.
+This  update upgrades the ingress controller traefik with its helm chart to 23.x.x. There are some required changes that you need to be aware of. The clusterrole will be renamed and the PodPolicy will be delete because it is deprecated since k8s version 1.25. In order to perform this update you have to delete the traefik deployment manually.
+
+### To 39.0.0
+
+This update ensures compatibility with k8s v1.27.x, which no longer supports several api versions. It also upgrades the traefik chart to 25.x.x, as well as the oauth2-proxy chart to v3.x.x.
+The upgrade to k8s v1.27.x also removes the in-tree AWS storage drivers.
+Please check the following (urgent) upgrade notes before upgrading:
+
+[traefik release notes](https://github.com/traefik/traefik-helm-chart/releases/tag/v25.0.0)
+
+[k8s upgrade notes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes)
+
+[k8s upgrade notes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes)
+
+[redis 7.0 release notes](https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES) before upgrading.
diff --git a/charts/base-cluster/templates/backup/retry-backup-cronjob.yaml b/charts/base-cluster/templates/backup/retry-backup-cronjob.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.backup.enabled -}}
 {{- if false }}
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 {{- else }}
 apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }}
 {{- end }}

diff --git a/charts/base-cluster/templates/backup/stash.yaml b/charts/base-cluster/templates/backup/stash.yaml
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: appscode
         namespace: {{ .Release.Namespace }}
-      version: v2023.05.31
+      version: v2024.02.13
   interval: 1m
   install:
     remediation:
@@ -35,6 +35,10 @@ spec:
     {{ required "You need to provide a license for stash 😡" .Values.backup.license | nindent 8 }}
     features:
       community: true
+    security:
+      createPSPs:
+        privileged: false
+        baseline: false
     stash-community:
       criticalAddon: true
       enableAnalytics: false

diff --git a/charts/base-cluster/templates/global/secret-sync-cronjob.yaml b/charts/base-cluster/templates/global/secret-sync-cronjob.yaml
@@ -1,5 +1,5 @@
 {{- if false }}
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 {{- else }}
 apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }}
 {{- end }}

diff --git a/charts/base-cluster/templates/ingress/traefik.yaml b/charts/base-cluster/templates/ingress/traefik.yaml
@@ -25,7 +25,7 @@ spec:
         kind: HelmRepository
         name: traefik
         namespace: {{ .Release.Namespace }}
-      version: 23.x.x
+      version: 25.x.x
   interval: 1m
   install:
     crds: CreateReplace
@@ -92,7 +92,8 @@ spec:
 
     ports:
       web:
-        redirectTo: websecure
+        redirectTo:
+          port: websecure
       websecure:
         tls:
           enabled: true

diff --git a/charts/base-cluster/templates/monitoring/deadMansSwitch/cronjob.yaml b/charts/base-cluster/templates/monitoring/deadMansSwitch/cronjob.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.monitoring.deadMansSwitch.enabled }}
 {{- if false }}
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 {{- else }}
 apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }}
 {{- end }}

diff --git a/charts/base-cluster/templates/monitoring/metrics/prometheus-operator.yaml b/charts/base-cluster/templates/monitoring/metrics/prometheus-operator.yaml
@@ -53,7 +53,7 @@ spec:
         kind: HelmRepository
         name: bitnami
         namespace: {{ $.Release.Namespace }}
-      version: 2.x.x
+      version: 3.x.x
   interval: 1m
   install:
     crds: CreateReplace

diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
@@ -428,8 +428,7 @@
             "enabled",
             "servingCerts",
             "license"
-          ],
-          "additionalProperties": false
+          ]
         },
         {
           "properties": {

diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
@@ -50,12 +50,12 @@ global:
     image:
       registry: docker.io
       repository: bitnami/kubectl
-      tag: 1.27.3
+      tag: "1.29.2"
   helm:
     image:
       registry: docker.io
       repository: alpine/helm
-      tag: 3.12.3
+      tag: "3.14.2"
   imageRegistry: ""
 
 flux: