Merge pull request #289 from openinfradev/release

[WIP] 20231107 release to main
openinfradev · Nov 8, 2023 · 6678ef2 · 6678ef2
2 parents 9efb733 + 2812e55
commit 6678ef2
Show file tree

Hide file tree

Showing 15 changed files with 566 additions and 79 deletions.
diff --git a/lma/base/resources.yaml b/lma/base/resources.yaml
@@ -10,7 +10,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: kube-prometheus-stack
-    version: 44.3.1
+    version: 48.3.1
     origin: https://prometheus-community.github.io/helm-charts
   helmVersion: v3
   releaseName: prometheus-operator-crds
@@ -29,7 +29,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: kube-prometheus-stack
-    version: 44.3.1
+    version: 48.3.1
     origin: https://prometheus-community.github.io/helm-charts
   releaseName: prometheus-operator
   targetNamespace: lma
@@ -71,29 +71,25 @@ spec:
       enabled: true
       image:
         repository: tks/prometheus-operator
-        tag: v0.52.0
+        tag: v0.66.0
       admissionWebhooks:
         patch:
           image:
             repository: tks/kube-webhook-certgen
-            tag: v1.0
+            tag: v20221220-controller-v1.5.1-58-g787ea74b6
       prometheusConfigReloader:
         image:
           repository: tks/prometheus-config-reloader
-          tag: v0.52.0
+          tag: v0.66.0
       thanosImage:
         repository: tks/thanos
-        tag: v0.30.2
+        tag: v0.31.0
       nodeSelector: {}  # TO_BE_FIXED
       createCustomResource: true
       cleanupCustomResource: true
       cleanupCustomResourceBeforeInstall: true
     prometheus:
       enabled: false
-      prometheusSpec:
-        image:
-          repository: tks/prometheus
-          tag: v2.31.1
   wait: true
 ---
 apiVersion: helm.fluxcd.io/v1
@@ -108,7 +104,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: kube-prometheus-stack
-    version: 44.3.1
+    version: 48.3.1
     origin: https://prometheus-community.github.io/helm-charts
   releaseName: prometheus
   targetNamespace: lma
@@ -123,7 +119,7 @@ spec:
       alertmanagerSpec:
         image:
           repository: tks/alertmanager
-          tag: v0.23.0
+          tag: v0.25.0
         nodeSelector: {} # TO_BE_FIXED
         retention: TO_BE_FIXED
 
@@ -238,7 +234,7 @@ spec:
       prometheusSpec:
         image:
           repository: tks/prometheus
-          tag: v2.31.1
+          tag: v2.45.0
         retention: TO_BE_FIXED
         storageSpec:
           volumeClaimTemplate:
@@ -757,7 +753,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: lma-addons
-    version: 1.8.4
+    version: 1.8.6
     origin: https://openinfradev.github.io/helm-repo
   releaseName: addons
   targetNamespace: lma
@@ -923,8 +919,8 @@ spec:
       limits:
         memory: 2Gi # tunable
     mode: standalone
-    DeploymentUpdate.type: Recreate
-    # replicas: 3
+    DeploymentUpdate:
+      type: Recreate
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
@@ -962,9 +958,8 @@ spec:
       nodeSelector: {}
       service:
         type: TO_BE_FIXED
-        http:
-          port: 9090
-          nodePort: TO_BE_FIXED
+        nodePorts:
+          http: TO_BE_FIXED
       config: |-
         type: IN-MEMORY
         config:
@@ -1193,7 +1188,7 @@ spec:
           shared_store: s3
         aws:
           s3: TO_BE_FIXED
-          bucketnames: loki
+          bucketnames: tks-loki
           s3forcepathstyle: true
       structuredConfig:
         limits_config:

diff --git a/lma/base/site-values.yaml b/lma/base/site-values.yaml
@@ -173,10 +173,10 @@ charts:
       versioning: true
       objectlocking: false
     customCommands:
-    - command: ilm rule add --expire-days 90 myminio/thanos
-    - command: ilm rule add --expire-days 15 myminio/loki
-    - command: ilm ls myminio/thanos
-    - command: ilm ls myminio/loki
+    - command: ilm rule add --expire-days 90 myminio/tks-thanos
+    - command: ilm rule add --expire-days 15 myminio/tks-loki
+    - command: ilm ls myminio/tks-thanos
+    - command: ilm ls myminio/tks-loki
     persistence.storageClass: $(storageClassName)
     persistence.accessMode: ReadWriteOnce
     persistence.size: 20Gi
@@ -196,7 +196,8 @@ charts:
     query.dnsDiscovery.sidecarsService: null
     queryFrontend.nodeSelector: $(nodeSelector)
     queryFrontend.service.type: NodePort
-    queryFrontend.service.http.nodePort: 30007
+    queryFrontend.service.nodePorts.http: 30005
+
     bucketweb.nodeSelector: $(nodeSelector)
     compactor.nodeSelector: $(nodeSelector)
     storegateway.nodeSelector: $(nodeSelector)

diff --git a/policy/base/kustomization.yaml b/policy/base/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+  - resources.yaml
+
+transformers:
+  - site-values.yaml
diff --git a/policy/base/resources.yaml b/policy/base/resources.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: opa-gatekeeper
+  name: opa-gatekeeper
+spec:
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: gatekeeper
+    version: 3.13.0
+    origin: https://open-policy-agent.github.io/gatekeeper/charts
+  helmVersion: v3
+  releaseName: opa-gatekeeper
+  targetNamespace: gatekeeper-system
+  values: 
+    enableDeleteOperations: true
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: policy-resources
+  name: policy-resources
+spec:
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: policy-resources
+    version: 1.0.0
+    origin: https://openinfradev.github.io/helm-charts/policy-resources
+  helmVersion: v3
+  releaseName: policy-resources
+  targetNamespace: gatekeeper-system
+  values: {}
diff --git a/policy/base/site-values.yaml b/policy/base/site-values.yaml
@@ -0,0 +1,27 @@
+apiVersion: openinfradev.github.com/v1
+kind: HelmValuesTransformer
+metadata:
+  name: site
+
+global:
+  # Specify nodes to install workload
+  nodeSelector:
+    taco-lma: enabled
+  # Specify cluster name. It is useful in multi-cluster env.
+  clusterName: cluster.local
+  # Storageclass to install persistant
+  storageClassName: taco-storage
+
+charts:
+- name: opa-gatekeeper
+  override:
+    postUpgrade.nodeSelector: $(nodeSelector)
+    postInstall.nodeSelector: $(nodeSelector)
+    preUninstall.nodeSelector: $(nodeSelector)
+    controllerManager.nodeSelector: $(nodeSelector)
+    audit.nodeSelector: $(nodeSelector)
+    crds.nodeSelector: $(nodeSelector)
+
+    enableDeleteOperations: true
+
+- name: policy-resources
diff --git a/service-mesh/base/resources.yaml b/service-mesh/base/resources.yaml
@@ -460,6 +460,7 @@ spec:
           servers: cassandra-dc-service.tks-msa.svc
           keyspace: jaeger_v1_datacenter
         cassandraCreateSchema:
+          image: harbor.taco-cat.xyz/tks/jaeger-cassandra-schema:1.35.0
           datacenter: "dc"
           mode: "prod"
           timeout: "3m"
@@ -717,3 +718,33 @@ spec:
     optimization:
       interval: "5s"
   wait: true
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: gatekeeper
+  name: gatekeeper
+spec:
+  helmVersion: v3
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: gatekeeper
+    version: 0.1.39
+    origin: https://gogatekeeper.github.io/helm-gogatekeeper
+  releaseName: gatekeeper
+  targetNamespace: tks-msa
+  values:
+    image:
+      registry: harbor.taco-cat.xyz
+      repository: tks/gatekeeper
+    service:
+      type: LoadBalancer
+    config:
+      discovery-url: https://tks-console-dev.taco-cat.xyz/auth/realms/organization
+      upstream-url: http://jaeger-operator-jaeger-query.tks-msa.svc:16686
+      client-id: gatekeeper-jaeger
+      client-secret: secret
+  wait: true
+
diff --git a/service-mesh/base/site-values.yaml b/service-mesh/base/site-values.yaml
@@ -15,6 +15,9 @@ global:
     tks-egressgateway: enabled
   ingressGatewayLabel: istio-ingressgateway
   egressGatewayLabel: istio-egressgateway
+  keycloakIssuerUri: https://keycloak.com/auth/realms/oraganization
+  keycloakClientPrefix: client-prefix
+  gatekeeperSecret: gatekeeper-secret
 
 charts:
 - name: cert-manager
@@ -96,7 +99,7 @@ charts:
     global.hub: $(imageRepo)
     global.proxy.clusterDomain: $(clusterName)
     global.tracer.zipkin.address: jaeger-operator-jaeger-collector.$(namespace):9411
-    
+
 - name: istio-ingressgateway
   override:
     revision: ""
@@ -162,6 +165,11 @@ charts:
         options:
           servers: cassandra-dc-service.tks-msa.svc
           keyspace: jaeger_v1_datacenter
+        cassandraCreateSchema:
+          image: harbor.taco-cat.xyz/tks/jaeger-cassandra-schema:1.35.0
+          datacenter: "dc"
+          mode: "prod"
+          timeout: "3m"
         dependencies:
           enabled: true
           image: harbor.taco-cat.xyz/tks/spark-dependencies:1.35.0
@@ -237,3 +245,11 @@ charts:
     namespace: tks-msa
     aggregation.interval: "15s"
     optimization.interval: "15s"
+
+- name: gatekeeper
+  override:
+    config:
+      discovery-url: $(keycloakIssuerUri)
+      client-id: $(keycloakClientPrefix)-gatekeeper-jaeger
+      client-secret: $(gatekeeperSecret)
+
diff --git a/tks-admin-tools/base/kustomization.yaml b/tks-admin-tools/base/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+  - resources.yaml
+
+transformers:
+  - site-values.yaml