Merge branch 'main' into chartbump/thanos-15.9.2

.bloodhound.yml

@@ -28,6 +28,11 @@ additional_crds:
   - https://raw.githubusercontent.com/cert-manager/cert-manager/master/deploy/crds/crd-certificates.yaml
   - https://raw.githubusercontent.com/cert-manager/cert-manager/master/deploy/crds/crd-issuers.yaml
   - https://raw.githubusercontent.com/rook/rook/master/deploy/olm/assemble/objectbucket.io_objectbucketclaims.yaml
+  - https://raw.githubusercontent.com/mesosphere/charts/refs/heads/master/stable/cosi/crds/apiextensions.k8s.io_v1_customresourcedefinition_bucketaccessclasses.objectstorage.k8s.io.yaml
+  - https://raw.githubusercontent.com/mesosphere/charts/refs/heads/master/stable/cosi/crds/apiextensions.k8s.io_v1_customresourcedefinition_bucketaccesses.objectstorage.k8s.io.yaml
+  - https://raw.githubusercontent.com/mesosphere/charts/refs/heads/master/stable/cosi/crds/apiextensions.k8s.io_v1_customresourcedefinition_bucketclaims.objectstorage.k8s.io.yaml
+  - https://raw.githubusercontent.com/mesosphere/charts/refs/heads/master/stable/cosi/crds/apiextensions.k8s.io_v1_customresourcedefinition_bucketclasses.objectstorage.k8s.io.yaml
+  - https://raw.githubusercontent.com/mesosphere/charts/refs/heads/master/stable/cosi/crds/apiextensions.k8s.io_v1_customresourcedefinition_buckets.objectstorage.k8s.io.yaml
 
 # set values for substitution variables (e.g. ${releaseNamespace}) in the resources
 substitution_vars:

apptests/appscenarios/contants.go

@@ -21,5 +21,5 @@ const (
 
 	// Velero constants
 	kubetoolsImageRepository = "bitnami/kubectl"
-	kubetoolsImageTag        = "1.30.5"
+	kubetoolsImageTag        = "1.31.4"
 )

apptests/appscenarios/traefik_test.go

@@ -1,6 +1,7 @@
 package appscenarios
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"time"
@@ -10,7 +11,10 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/net"
 	ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	fluxhelmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2"
@@ -19,9 +23,7 @@ import (
 )
 
 var _ = Describe("Traefik Tests", Label("traefik"), func() {
-	var (
-		t *traefik
-	)
+	var t *traefik
 
 	BeforeEach(OncePerOrdered, func() {
 		err := SetupKindCluster()
@@ -105,15 +107,14 @@ var _ = Describe("Traefik Tests", Label("traefik"), func() {
 				Namespace: kommanderNamespace,
 			})
 			Expect(err).To(BeNil())
-			Expect(middlewareList.Items).To(HaveLen(5))
+			Expect(middlewareList.Items).To(HaveLen(4))
 			Expect(middlewareList.Items).To(WithTransform(func(mwList []traefikv1a1.Middleware) []string {
 				var names []string
 				for _, mw := range mwList {
 					names = append(names, mw.Name)
 				}
 				return names
-			}, ContainElements("stripprefixes", "stripprefixes-kubetunnel", "forwardauth", "forwardauth-full", "rewrite-api")))
-
+			}, ContainElements("stripprefixes", "stripprefixes-kubetunnel", "forwardauth", "forwardauth-full")))
 		})
 
 		It("should create dashboard ingress route", func() {
@@ -131,7 +132,6 @@ var _ = Describe("Traefik Tests", Label("traefik"), func() {
 			podList = &corev1.PodList{}
 			assertTraefikEndpoints(t, podList)
 		})
-
 	})
 
 	Describe("Traefik Upgrade Test", Ordered, Label("upgrade"), func() {
@@ -172,15 +172,7 @@ var _ = Describe("Traefik Tests", Label("traefik"), func() {
 			}).WithPolling(pollInterval).WithTimeout(5 * time.Minute).Should(Succeed())
 		})
 
-		It("should have access to multiple traefik endpoints", func() {
-			podList = &corev1.PodList{}
-			assertTraefikEndpoints(t, podList)
-		})
-
 		It("should upgrade traefik successfully", func() {
-			err := t.Install(ctx, env)
-			Expect(err).To(BeNil())
-
 			hr = &fluxhelmv2beta2.HelmRelease{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       fluxhelmv2beta2.HelmReleaseKind,
@@ -191,31 +183,48 @@ var _ = Describe("Traefik Tests", Label("traefik"), func() {
 					Namespace: kommanderNamespace,
 				},
 			}
+			Expect(k8sClient.Get(ctx, ctrlClient.ObjectKeyFromObject(hr), hr)).To(Succeed())
+			existingGeneration := hr.Status.ObservedGeneration
 
-			// Check the status of the HelmReleases
-			Eventually(func() error {
-				err = k8sClient.Get(ctx, ctrlClient.ObjectKeyFromObject(hr), hr)
-				if err != nil {
-					return err
-				}
+			err := t.Install(ctx, env)
+			Expect(err).To(BeNil())
 
-				for _, cond := range hr.Status.Conditions {
-					if cond.Status == metav1.ConditionTrue &&
-						cond.Type == apimeta.ReadyCondition {
-						return nil
-					}
-				}
-				return fmt.Errorf("helm release not ready yet")
-			}).WithPolling(pollInterval).WithTimeout(5 * time.Minute).Should(Succeed())
+			By("removing outdated ingress config", func() {
+				cl, err := ctrlClient.New(env.K8sClient.Config(), ctrlClient.Options{})
+				Expect(err).NotTo(HaveOccurred())
+
+				dashboardIngress := &networkingv1.Ingress{}
+				cl.Get(ctx, types.NamespacedName{
+					Name:      "traefik-dashboard",
+					Namespace: kommanderNamespace,
+				}, dashboardIngress)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(cl.Delete(ctx, dashboardIngress)).To(Succeed())
+			})
+
+			// Check the status of the HelmReleases
+			By("waiting for HR to get upgraded")
+			Eventually(func() (*fluxhelmv2beta2.HelmRelease, error) {
+				err := k8sClient.Get(ctx, ctrlClient.ObjectKeyFromObject(hr), hr)
+				return hr, err
+			}, "30s", pollInterval).Should(And(
+				HaveField("Status.ObservedGeneration", BeNumerically(">", existingGeneration)),
+				HaveField("Status.Conditions", ContainElement(And(
+					HaveField("Type", Equal(apimeta.ReadyCondition)),
+					HaveField("Status", Equal(metav1.ConditionTrue)))),
+				),
+			))
 		})
 
 		It("should have access to multiple traefik endpoints after upgrade", func() {
+			podList = &corev1.PodList{}
 			assertTraefikEndpoints(t, podList)
 		})
 	})
 })
 
 func assertTraefikEndpoints(t *traefik, podList *corev1.PodList) {
+	GinkgoHelper()
 	selector, err := metav1.LabelSelectorAsSelector(&metav1.LabelSelector{
 		MatchLabels: map[string]string{
 			"app.kubernetes.io/name": t.Name(),
@@ -250,14 +259,28 @@ func assertTraefikEndpoints(t *traefik, podList *corev1.PodList) {
 	Expect(err).To(BeNil())
 	Expect(string(body)).To(ContainSubstring("traefik_entrypoint_requests_total"))
 
-	By("checking traefik dashboard endpoint")
-	res = restClientV1Pods.Get().Resource("pods").Namespace(podList.Items[0].Namespace).Name(podList.Items[0].Name + ":9000").SubResource("proxy").Suffix("/dashboard/").Do(ctx)
-	Expect(res.Error()).To(BeNil())
+	By("checking traefik api endpoint")
+	ref := net.JoinSchemeNamePort("https", podList.Items[0].Name, "8443")
+	Eventually(func() error {
+		res = restClientV1Pods.Get().
+			Resource("pods").
+			Namespace(podList.Items[0].Namespace).
+			Name(ref).
+			SubResource("proxy").
+			Suffix("/dkp/traefik/api/overview").Do(ctx)
+		return res.Error()
+	}, "5s", "500ms").Should(Succeed())
 
 	res.StatusCode(&statusCode)
 	Expect(statusCode).To(Equal(200))
 
 	body, err = res.Raw()
 	Expect(err).To(BeNil())
-	Expect(string(body)).To(ContainSubstring("Traefik UI"))
+	apiResponse := struct {
+		Features  map[string]any `json:"features"`
+		Providers []string       `json:"providers"`
+	}{}
+	Expect(json.Unmarshal(body, &apiResponse)).To(Succeed())
+	Expect(apiResponse.Features).To(HaveKeyWithValue("accessLog", Equal(true)))
+	Expect(apiResponse.Providers).To(ConsistOf("KubernetesIngress", "KubernetesCRD", "KubernetesGateway"))
 }

apptests/testdata/traefik/override-cm.yaml

@@ -8,3 +8,6 @@ data:
     ---
     deployment:
       replicas: 1
+    ingressRoute:
+      dashboard:
+        middlewares: []

common/build/list-images-values.yaml

@@ -1,3 +1,3 @@
 secretName: unused
 commonName: unused
-kubectlImage: bitnami/kubectl:1.30.5
+kubectlImage: bitnami/kubectl:1.31.4

hack/list-images.sh

@@ -130,13 +130,21 @@ done
 
 # These services use raw manifests rather than Helm charts so list the images directly from the manifests.
 # If more raw manifest services are added, then they should be added to the list of paths below.
-gojq --yaml-input --raw-output 'select(.kind | test("^(?:Deployment|Job|CronJob|StatefulSet|DaemonSet)$")) |
-                                (.spec.template.spec // .spec.jobTemplate.spec.template.spec) |
-                                (select(.containers != null) | .containers[].image), (select(.initContainers != null) | .initContainers[].image)' \
-				./services/git-operator/*/git-operator-manifests/* \
-                                ./services/kommander-flux/*/templates/* \
-                                ./services/kube-prometheus-stack/*/etcd-metrics-proxy/* \
-                                >>"${IMAGES_FILE}"
+{
+  gojq --yaml-input --raw-output 'select(.kind | test("^(?:Deployment|Job|CronJob|StatefulSet|DaemonSet)$")) |
+                                  (.spec.template.spec // .spec.jobTemplate.spec.template.spec) |
+                                  (select(.containers != null) | .containers[].image), (select(.initContainers != null) | .initContainers[].image)' \
+                                  ./services/kommander-flux/*/templates/* \
+                                  ./services/kube-prometheus-stack/*/etcd-metrics-proxy/* \
+  # process git operator separately
+  gojq --yaml-input --raw-output 'select(.kind | test("^(?:Deployment|Job|StatefulSet|DaemonSet)$")) |
+                                  .spec.template.spec |
+                                  (select(.containers != null) | .containers[].image), (select(.initContainers != null) | .initContainers[].image)' \
+  				./services/git-operator/*/git-operator-manifests/* \
+  # we patch the cronjob image in this kustomization
+  gojq --yaml-input --raw-output 'select(.kind | test("^(?:Kustomization)$")) | .images | map("\(.name):\(.newTag)") | .[]' \
+          ./services/git-operator/*/kustomization.yaml
+} >>"${IMAGES_FILE}"
 
 # Ensure that all images are fully qualified to ensure uniqueness of images in the image bundle.
 sed --expression='s|^docker.io/||' \

licenses.d2iq.yaml

@@ -97,7 +97,7 @@ resources:
       - license_path: LICENSE
         ref: 3.8.0
         url: https://github.com/Kong/kong
-  - container_image: docker.io/library/traefik:v3.2.1
+  - container_image: docker.io/library/traefik:v3.3.2
     sources:
       - license_path: LICENSE.md
         ref: ${image_tag}
@@ -123,7 +123,7 @@ resources:
     sources:
       - ref: ${image_tag}
         url: https://github.com/mesosphere/dex-controller
-  - container_image: docker.io/mesosphere/dex-k8s-authenticator:v1.4.4-d2iq
+  - container_image: docker.io/mesosphere/dex-k8s-authenticator:v1.4.5-d2iq
     sources:
       - license_path: LICENSE
         ref: ${image_tag}
@@ -244,13 +244,13 @@ resources:
       - license_path: LICENSE.thomseddon.md
         ref: ${image_tag}
         url: https://github.com/mesosphere/traefik-forward-auth
-  - container_image: docker.io/openpolicyagent/gatekeeper-crds:v3.17.0
+  - container_image: docker.io/openpolicyagent/gatekeeper-crds:v3.18.2
     sources:
       - license_path: LICENSE
         notice_path: NOTICE
         ref: ${image_tag}
         url: https://github.com/open-policy-agent/gatekeeper
-  - container_image: docker.io/openpolicyagent/gatekeeper:v3.17.0
+  - container_image: docker.io/openpolicyagent/gatekeeper:v3.18.2
     sources:
       - license_path: LICENSE
         notice_path: NOTICE
@@ -536,12 +536,7 @@ resources:
       - url: https://github.com/NVIDIA/cuda-samples
         ref: v12.5
         license_path: LICENSE
-  - container_image: docker.io/bitnami/kubectl:1.29.6
-    sources:
-      - url: https://github.com/kubernetes/kubectl
-        ref: v0${image_tag#1}
-        license_path: LICENSE
-  - container_image: docker.io/bitnami/kubectl:1.30.5
+  - container_image: docker.io/bitnami/kubectl:1.31.4
     sources:
       - url: https://github.com/kubernetes/kubectl
         ref: v0${image_tag#1}
@@ -597,11 +592,6 @@ resources:
       - url: https://github.com/kubernetes/kubernetes
         ref: master
         license_path: LICENSE
-  - container_image: gcr.io/k8s-staging-sig-storage/objectstorage-controller:v20221027-v0.1.1-8-g300019f # TODO(takirala): drop this entry after merging https://github.com/mesosphere/konvoy2/pull/3474
-    sources:
-      - url: https://github.com/kubernetes-sigs/container-object-storage-interface
-        ref: main
-        license_path: LICENSE
   - container_image: quay.io/ceph/cosi:v0.1.2
     sources:
       - url: https://github.com/ceph/ceph-cosi

services/ai-navigator-app/0.2.9/defaults/cm.yaml

@@ -92,4 +92,4 @@ data:
     tolerations: []
 
     affinity: {}
-    kubectlImage: ${kubetoolsImageRepository:=bitnami/kubectl}:${kubetoolsImageTag:=1.30.5}
+    kubectlImage: ${kubetoolsImageRepository:=bitnami/kubectl}:${kubetoolsImageTag:=1.31.4}

services/ai-navigator-app/metadata.yaml

@@ -9,7 +9,7 @@ scope:
 licensing:
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise
 overview: |-
   # Overview

services/ai-navigator-cluster-info-agent/metadata.yaml

@@ -9,7 +9,7 @@ scope:
 licensing:
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise
 overview: |-
   # Overview

services/cert-manager/metadata.yaml

@@ -9,7 +9,7 @@ licensing:
   - Starter
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise
 certifications:
   - qualified

services/chartmuseum/metadata.yaml

@@ -5,5 +5,5 @@ licensing:
   - Starter
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise

services/cloudnative-pg/metadata.yaml

@@ -8,7 +8,7 @@ scope:
 licensing:
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise
 certifications:
   - qualified

services/dex-k8s-authenticator/1.4.4/defaults/cm.yaml → services/dex-k8s-authenticator/1.4.5/defaults/cm.yaml

@@ -1,15 +1,15 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: dex-k8s-authenticator-1.4.4-d2iq-defaults
+  name: dex-k8s-authenticator-1.4.5-d2iq-defaults
   namespace: ${releaseNamespace}
 data:
   values.yaml: |-
     ---
     priorityClassName: "dkp-high-priority"
     image:
       repository: mesosphere/dex-k8s-authenticator
-      tag: v1.4.4-d2iq
+      tag: v1.4.5-d2iq
     env:
       ENABLE_MULTI_TENANCY: "true"
     ingress:

services/dex-k8s-authenticator/1.4.4/dex-k8s-authenticator.yaml → services/dex-k8s-authenticator/1.4.5/dex-k8s-authenticator.yaml

@@ -34,7 +34,7 @@ spec:
   releaseName: dex-k8s-authenticator
   valuesFrom:
     - kind: ConfigMap
-      name: dex-k8s-authenticator-1.4.4-d2iq-defaults
+      name: dex-k8s-authenticator-1.4.5-d2iq-defaults
     - kind: ConfigMap
       name: dex-k8s-authenticator-overrides
       optional: true

services/dex-k8s-authenticator/metadata.yaml

@@ -9,5 +9,5 @@ licensing:
   - Starter
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise

services/dex/2.14.0/defaults/cm.yaml

@@ -7,7 +7,7 @@ data:
   values.yaml: |-
     ---
     priorityClassName: "dkp-critical-priority"
-    kubectlImage: "${kubetoolsImageRepository:=bitnami/kubectl}:${kubetoolsImageTag:=1.30.5}"
+    kubectlImage: "${kubetoolsImageRepository:=bitnami/kubectl}:${kubetoolsImageTag:=1.31.4}"
     image: mesosphere/dex
     imageTag: v2.41.1-d2iq.1
     resources:

services/dex/metadata.yaml

@@ -5,5 +5,5 @@ licensing:
   - Starter
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise

services/external-dns/metadata.yaml

@@ -11,7 +11,7 @@ certifications:
 licensing:
   - Pro
   - Ultimate
-  - Essentials
+  - Essential
   - Enterprise
 overview: |-
   # External DNS