Add changelog for release v0.40.0

REQUIREMENTS

@@ -1,6 +1,6 @@
 pkg:deb/ubuntu/[email protected]*?arch=amd64&distro=jammy
-pkg:deb/ubuntu/[email protected].16?arch=amd64&distro=jammy
-pkg:deb/ubuntu/dnsutils@1:9.18.24-0ubuntu0.22.04.1?arch=amd64&distro=jammy
+pkg:deb/ubuntu/[email protected].17?arch=amd64&distro=jammy
+pkg:deb/ubuntu/dnsutils@1:9.18*-0ubuntu0.22.04.1?arch=amd64&distro=jammy
 pkg:deb/ubuntu/[email protected]?arch=amd64&distro=jammy
 pkg:deb/ubuntu/[email protected]?arch=amd64&distro=jammy
 pkg:generic/[email protected]

changelog/0.40.md

@@ -0,0 +1,82 @@
+# v0.40.0
+
+Released 2024-08-05
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+>
+> - New environment variable `CK8S_K8S_INSTALLER` is required for running `ck8s init`. There is a new command for listing supported installers with `ck8s k8s-installers`. It is assumed that nftables are used instead of iptables (Ubuntu 22.04 or newer) when `CK8S_K8S_INSTALLER` is set to `capi` (cluster-api).
+> - New generic openstack `CK8S_PROVIDER` for situations when apps is deployed on a openstack cloud but not safespring, elastx or citycloud.
+> - This update to the autoscaling monitoring breaks support for the autoscaler deployment that was part of the openstack cluster chart. But it instead works with the independent upstream autoscaler chart.
+<!-- -->
+> [!NOTE]
+> **Application Developer Notice(s)**
+>
+> - The alert for kured in wc will be removed since this didn't work as expected.
+
+## Changes by kind
+
+### Feature(s)
+
+- [#1980](https://github.com/elastisys/compliantkubernetes-apps/pull/1980) - Add conditional set-me in config [@Ajarmar](https://github.com/Ajarmar)
+
+### Improvement(s)
+
+- [#2153](https://github.com/elastisys/compliantkubernetes-apps/pull/2153) - Improve diagnostics script [@vomba](https://github.com/vomba)
+- [#2155](https://github.com/elastisys/compliantkubernetes-apps/pull/2155) - Migrate Fluentd networkpolices to generator [@robinAwallace](https://github.com/robinAwallace)
+- [#2160](https://github.com/elastisys/compliantkubernetes-apps/pull/2160) - Upgrade Kured to v1.15.1 [@lunkan93](https://github.com/lunkan93)
+- [#2174](https://github.com/elastisys/compliantkubernetes-apps/pull/2174) - psps: allow matchexpressions in gatekeeper mutation for runasuser [@Pavan-Gunda](https://github.com/Pavan-Gunda)
+- [#2178](https://github.com/elastisys/compliantkubernetes-apps/pull/2178) - Enable OAuth PKCE in Grafana [@Zash](https://github.com/Zash)
+- [#2185](https://github.com/elastisys/compliantkubernetes-apps/pull/2185) - Bump dnsutils 1:9.18.24-0ubuntu0.22.04.1 [@simonklb](https://github.com/simonklb)
+- [#2188](https://github.com/elastisys/compliantkubernetes-apps/pull/2188) - increase rclone default job deadline and make it configurable [@Eliastisys](https://github.com/Eliastisys)
+- [#2190](https://github.com/elastisys/compliantkubernetes-apps/pull/2190) - Add new K8s installer variable and config [@anders-elastisys](https://github.com/anders-elastisys) [@robinAwallace](https://github.com/robinAwallace)
+- [#2194](https://github.com/elastisys/compliantkubernetes-apps/pull/2194) - apps sc: increase default grafana timeout [@davidumea](https://github.com/davidumea)
+- [#2195](https://github.com/elastisys/compliantkubernetes-apps/pull/2195) - bin: allow password-less sudo for install-requirements script [@AlbinB97](https://github.com/AlbinB97)
+- [#2201](https://github.com/elastisys/compliantkubernetes-apps/pull/2201) - apps sc: Added node filter to more graphs in kubernetes status dashboard [@Xartos](https://github.com/Xartos)
+- [#2205](https://github.com/elastisys/compliantkubernetes-apps/pull/2205) - tests: Improved tests [@Xartos](https://github.com/Xartos)
+- [#2212](https://github.com/elastisys/compliantkubernetes-apps/pull/2212) - config: change rclone activedeadlineseconds to 14400 [@Pavan-Gunda](https://github.com/Pavan-Gunda)
+- [#2216](https://github.com/elastisys/compliantkubernetes-apps/pull/2216) - Upgrade opensearch and opensearch dashboards to app version v2.15.0 [@viktor-f](https://github.com/viktor-f)
+- [#2220](https://github.com/elastisys/compliantkubernetes-apps/pull/2220) - apps sc: dex upgraded to app version 2.40.0 and chart version 0.18.0 [@viktor-f](https://github.com/viktor-f)
+- [#2221](https://github.com/elastisys/compliantkubernetes-apps/pull/2221) - apps: upgrade metrics server to app v0.7.1 and chart v3.12.1 [@viktor-f](https://github.com/viktor-f)
+- [#2224](https://github.com/elastisys/compliantkubernetes-apps/pull/2224) - Upgrade prometheus-elasticsearch-exporter [@lunkan93](https://github.com/lunkan93)
+- [#2225](https://github.com/elastisys/compliantkubernetes-apps/pull/2225) - apps sc: change autoscaling monitoring to work with new autoscaler chart [@viktor-f](https://github.com/viktor-f)
+- [#2228](https://github.com/elastisys/compliantkubernetes-apps/pull/2228) - apps sc: Added back the skip of the consent screen for dex [@Xartos](https://github.com/Xartos)
+- [#2229](https://github.com/elastisys/compliantkubernetes-apps/pull/2229) - apps-sc: upgraded harbor to v2.11.0 [@Pavan-Gunda](https://github.com/Pavan-Gunda)
+
+### Other(s)
+
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - bin: bugfix for curl installation in requirements [@AlbinB97](https://github.com/AlbinB97)
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - bin: fix for dnsutils requirements script [@AlbinB97](https://github.com/AlbinB97)
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - apps sc: fixed a bug with harbor failing backups [@AlbinB97](https://github.com/AlbinB97)
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - apps sc: fix for harbor-backup job to correctly error when job is not completing [@AlbinB97](https://github.com/AlbinB97)
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - config: increased memory limit of sync resources [@AlbinB97](https://github.com/AlbinB97)
+- [#2231](https://github.com/elastisys/compliantkubernetes-apps/pull/2231) - config: Add tolerations for trivy node-collector [@lucianvlad](https://github.com/lucianvlad)
+- [#2150](https://github.com/elastisys/compliantkubernetes-apps/pull/2150) - bug: Allow changes to pods that are missing network policies when the pods are about to be deleted [@Zash](https://github.com/Zash)
+- [#2158](https://github.com/elastisys/compliantkubernetes-apps/pull/2158) - documentation: docs: Add QA checks for Rclone [@aarnq](https://github.com/aarnq)
+- [#2162](https://github.com/elastisys/compliantkubernetes-apps/pull/2162) - clean-up: Rework provider config templates [@davidumea](https://github.com/davidumea)
+- [#2179](https://github.com/elastisys/compliantkubernetes-apps/pull/2179) - other: Add changelog for release v0.38.1 [@Ajarmar](https://github.com/Ajarmar)
+- [#2180](https://github.com/elastisys/compliantkubernetes-apps/pull/2180) - documentation: Update process for adding release notes for patches [@Ajarmar](https://github.com/Ajarmar)
+- [#2181](https://github.com/elastisys/compliantkubernetes-apps/pull/2181) - bug: Fixed issue with rclone networkpolicies [@Xartos](https://github.com/Xartos)
+- [#2182](https://github.com/elastisys/compliantkubernetes-apps/pull/2182) - bug: Fixed bug in Harbor alert as warned by Thanos [@Xartos](https://github.com/Xartos)
+- [#2183](https://github.com/elastisys/compliantkubernetes-apps/pull/2183) - other: Add migration script for setting ingress-nginx annotations if they are unset [@Ajarmar](https://github.com/Ajarmar)
+- [#2184](https://github.com/elastisys/compliantkubernetes-apps/pull/2184) - bug: bin: bugfix for install-requirements to allow downgrades [@AlbinB97](https://github.com/AlbinB97)
+- [#2186](https://github.com/elastisys/compliantkubernetes-apps/pull/2186) - bug: Preserve empty objects on init [@Zash](https://github.com/Zash)
+- [#2187](https://github.com/elastisys/compliantkubernetes-apps/pull/2187) - bug: Fix bug preventing configuration of PSA level [@simonklb](https://github.com/simonklb)
+- [#2191](https://github.com/elastisys/compliantkubernetes-apps/pull/2191) - bug: apps-wc: Disabled kured alert in WC [@Xartos](https://github.com/Xartos)
+- [#2192](https://github.com/elastisys/compliantkubernetes-apps/pull/2192) - other: Port 0.39.0 [@Ajarmar](https://github.com/Ajarmar) [@anders-elastisys](https://github.com/anders-elastisys) [@robinAwallace](https://github.com/robinAwallace) [@simonklb](https://github.com/simonklb) [@vomba](https://github.com/vomba)
+- [#2196](https://github.com/elastisys/compliantkubernetes-apps/pull/2196) - clean-up: Replace deprecated Angular panels in Daily and Backup Dashboards [@Zash](https://github.com/Zash)
+- [#2198](https://github.com/elastisys/compliantkubernetes-apps/pull/2198) - bug: Fix velero psp [@lunkan93](https://github.com/lunkan93)
+- [#2199](https://github.com/elastisys/compliantkubernetes-apps/pull/2199) - bug: Fix Opensearch test for empty snapshots [@anders-elastisys](https://github.com/anders-elastisys)
+- [#2200](https://github.com/elastisys/compliantkubernetes-apps/pull/2200) - clean-up: Remove some Infra Providers from release template issue [@lucianvlad](https://github.com/lucianvlad)
+- [#2202](https://github.com/elastisys/compliantkubernetes-apps/pull/2202) - bug: Update outdated apache-utils version [@viktor-f](https://github.com/viktor-f)
+- [#2208](https://github.com/elastisys/compliantkubernetes-apps/pull/2208) - bug: config: use wildcard apache2-utils version [@davidumea](https://github.com/davidumea)
+- [#2210](https://github.com/elastisys/compliantkubernetes-apps/pull/2210) - bug: apps sc: Fixed kured alert to not alert for removed nodes [@Xartos](https://github.com/Xartos)
+- [#2213](https://github.com/elastisys/compliantkubernetes-apps/pull/2213) - bug: apps sc: Fixed alert for capi if machinedeployment is 0 replicas [@Xartos](https://github.com/Xartos)
+- [#2214](https://github.com/elastisys/compliantkubernetes-apps/pull/2214) - bug: Fixed bug with fix for capi alert [@Xartos](https://github.com/Xartos)
+- [#2215](https://github.com/elastisys/compliantkubernetes-apps/pull/2215) - bug: Fixed netpol for fluentd-aggregator [@viktor-f](https://github.com/viktor-f)
+- [#2217](https://github.com/elastisys/compliantkubernetes-apps/pull/2217) - bug: apps sc: Fixed some panels in the kubernetes cluster status dashboard [@Xartos](https://github.com/Xartos)
+- [#2218](https://github.com/elastisys/compliantkubernetes-apps/pull/2218) - bug: bin: fix redirecting usage to stderr [@Zash](https://github.com/Zash)
+- [#2219](https://github.com/elastisys/compliantkubernetes-apps/pull/2219) - bug: Rclone sync fixes [@Zash](https://github.com/Zash)
+- [#2222](https://github.com/elastisys/compliantkubernetes-apps/pull/2222) - documentation: docs: remove oidc-users if restoring harbor to new domain [@viktor-f](https://github.com/viktor-f)
+- [#2223](https://github.com/elastisys/compliantkubernetes-apps/pull/2223) - other: bin: Updated kubectl requirement to match kubespray [@Xartos](https://github.com/Xartos)
+- [#2227](https://github.com/elastisys/compliantkubernetes-apps/pull/2227) - documentation: docs: add instructions for restoring harbor between swift and s3 [@viktor-f](https://github.com/viktor-f)

config/common-config.yaml

@@ -919,8 +919,10 @@ trivy:
  tolerations: []
  affinity: {}
  nodeCollector:
- tolerations: []
-
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
  # configurations for an offline / air-gapped environment
  # ref: https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm#values
  scanner:

config/sc-config.yaml

@@ -108,7 +108,7 @@ objectStorage:
  memory: 100Mi
  limits:
  cpu: 300m
- memory: 300Mi
+ memory: 500Mi
 
 falco:
  ## Falco alerting configuration.

helmfile.d/charts/grafana-dashboards/files/welcome.md

@@ -4,12 +4,13 @@
 
 Here you can find the most relevant features and changes for the last couple of releases of Compliant Kubernetes
 
+- Disabled kured alerts in WC. **[v0.40]**
+- Opensearch and Opensearch dashboards was upgraded to v2.15.0. **[v0.40]**
+- Harbor was upgraded to v2.11.0. **[v0.40]**
+- Dex was upgraded to v2.40.0. **[v0.40]**
 - Trivy Operator was upgraded to v0.20.1. **[v0.39]**
 - Velero was upgraded to v1.13.0. **[v0.39]**
 - Pods can now be granted access to the API of Prometheus from Application Developer namespaces per request. **[v0.39]**
-- Thanos was upgraded to v0.34.1. **[v0.38]**
-- Gatekeeper was upgraded to v3.15.1. **[v0.38]**
-- A new Gatekeeper constraint was added. It will warn if the user tries to deploy a Deployment or StatefulSet with less than 2 replicas. **[v0.38]**
 
 ## Public docs
 

helmfile.d/charts/harbor/harbor-backup/scripts/harbor-backup.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -e
+set -e -o pipefail
 : "${PG_HOSTNAME:?Missing PG_HOSTNAME}"
 backup_dir="${BACKUP_DIR:-/backup}"
 dump_dir="${backup_dir}/dbdump"

helmfile.d/charts/harbor/harbor-backup/templates/harbor-backup-job.yaml

@@ -20,7 +20,7 @@ spec:
  fsGroup: 1000
  containers:
  - name: run
- image: ghcr.io/elastisys/backup-postgres:1.4.0
+ image: ghcr.io/elastisys/backup-postgres:1.5.0
  command: ['/bin/bash', '/scripts/harbor-backup.sh']
  env:
  {{- if .Values.s3.enabled }}

helmfile.d/charts/opensearch/configurer/files/dashboards-resources/welcome.md

@@ -4,12 +4,13 @@
 
 Here you can find the most relevant features and changes for the last couple of releases of Compliant Kubernetes
 
+- Disabled kured alerts in WC. **[v0.40]**
+- Opensearch and Opensearch dashboards was upgraded to v2.15.0. **[v0.40]**
+- Harbor was upgraded to v2.11.0. **[v0.40]**
+- Dex was upgraded to v2.40.0. **[v0.40]**
 - Trivy Operator was upgraded to v0.20.1. **[v0.39]**
 - Velero was upgraded to v1.13.0. **[v0.39]**
 - Pods can now be granted access to the API of Prometheus from Application Developer namespaces per request. **[v0.39]**
-- Thanos was upgraded to v0.34.1. **[v0.38]**
-- Gatekeeper was upgraded to v3.15.1. **[v0.38]**
-- A new Gatekeeper constraint was added. It will warn if the user tries to deploy a Deployment or StatefulSet with less than 2 replicas. **[v0.38]**
 
 ## Public docs
 

images/backup-postgres/Dockerfile

@@ -22,6 +22,7 @@ RUN apt-get update \
  && apt-get update \
  && curl -sL https://aka.ms/InstallAzureCLIDeb | bash \
  && apt-get install --no-install-recommends -y \
+ postgresql-client-15 \
  postgresql-client-14 \
  postgresql-client-13 \
  postgresql-client-12 \