Merge pull request #327 from openinfradev/develop

20241002 release from develop

lma/base/resources.yaml

@@ -748,7 +748,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: lma-addons
-    version: 1.8.7
+    version: 1.9.0
     origin: https://openinfradev.github.io/helm-repo
   releaseName: addons
   targetNamespace: lma
@@ -762,6 +762,9 @@ spec:
       loki:
         enabled: true
         url: "loki-loki-distributed-gateway.lma"
+      lokiuser:
+        enabled: true
+        url: "loki-user-loki-distributed-gateway.lma"
     grafanaDashboard:
       include:
       - kubernetes
@@ -1225,6 +1228,85 @@ spec:
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
+metadata:
+  labels:
+    name: loki-user
+  name: loki-user
+spec:
+  helmVersion: v3
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: loki-distributed
+    version: 0.58.0
+    origin: https://grafana.github.io/helm-charts
+  releaseName: loki-user
+  targetNamespace: lma
+  values:
+    global:
+      clusterDomain: cluster.local # TO_BE_FIXED
+      dnsService: coredns
+    loki:
+      image:
+        registry: harbor.taco-cat.xyz
+        repository: tks/loki
+        tag: null
+      schemaConfig:
+        configs:
+        - from: "2020-09-07"
+          store: boltdb-shipper
+          object_store: s3
+          schema: v11
+          index:
+            prefix: loki_index_
+            period: 24h
+      storageConfig:
+        boltdb_shipper:
+          active_index_directory: /var/loki/index
+          cache_location: /var/loki/cache
+          cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+          shared_store: s3
+        aws:
+          s3: TO_BE_FIXED
+          bucketnames: tks-loki-user
+          s3forcepathstyle: true
+      structuredConfig:
+        limits_config:
+          ingestion_rate_mb: 25
+          ingestion_burst_size_mb: 50
+          max_streams_per_user: 0
+          max_global_streams_per_user: 0
+        table_manager:
+          retention_deletes_enabled: true
+          retention_period: TO_BE_FIXED
+    serviceMonitor.enabled: true
+    prometheusRule.enabled: true
+    ingester:
+      resources:
+        limits:
+          cpu: '4'
+          memory: 4Gi
+        requests:
+          cpu: 100m
+          memory: 250Mi
+      persistence:
+        enabled: true
+        inMemory: false
+        size: 100Gi
+    memcachedExporter.enabled: true
+    gateway:
+      image:
+        registry: harbor.taco-cat.xyz
+        repository: tks/nginx-unprivileged
+
+      nginxConfig:
+        httpSnippet: |-
+          client_max_body_size 50M;
+        serverSnippet: |-
+          client_max_body_size 50M;
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
 metadata:
   labels:
     name: lma-bucket

lma/base/site-values.yaml

@@ -22,6 +22,8 @@ global:
 
   lokiHost: loki-loki-distributed-gateway
   lokiPort: 80
+  lokiuserHost: loki-user-loki-distributed-gateway
+  lokiuserPort: 80
   grafanaDatasourceMetric: lma-prometheus.lma:9090
 
 charts:
@@ -147,6 +149,7 @@ charts:
     grafanaDatasource.prometheus.url: $(grafanaDatasourceMetric)
     # grafanaDatasource.prometheus.url: "thanos-query.lma:9090"
     grafanaDatasource.loki.url: $(lokiHost):$(lokiPort)
+    grafanaDatasource.lokiuser.url: $(lokiuserHost):$(lokiuserPort)
 
 - name: prometheus-adapter
   override:
@@ -173,11 +176,18 @@ charts:
       purge: false
       versioning: true
       objectlocking: false
+    - name: loki-user
+      policy: public
+      purge: false
+      versioning: true
+      objectlocking: false
     customCommands:
     - command: ilm rule add --expire-days 90 myminio/tks-thanos
     - command: ilm rule add --expire-days 15 myminio/tks-loki
+    - command: ilm rule add --expire-days 15 myminio/tks-loki-user
     - command: ilm ls myminio/tks-thanos
     - command: ilm ls myminio/tks-loki
+    - command: ilm ls myminio/tks-loki-user
     persistence.storageClass: $(storageClassName)
     persistence.accessMode: ReadWriteOnce
     persistence.size: 20Gi
@@ -260,10 +270,16 @@ charts:
     loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
     loki.structuredConfig.table_manager.retention_period: 672h    # delete logs after 672h = 28 days
 
+- name: loki-user
+  override:
+    loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
+    loki.structuredConfig.table_manager.retention_period: 72h    # delete logs after 72h = 3 days
+
 - name: lma-bucket
   override:
     s3.enabled: true
     s3.buckets:
     - name: $(clusterName)-tks-thanos
     - name: $(clusterName)-tks-loki
+    - name: $(clusterName)-tks-loki-user
     # tks.iamRoles: arn:aws:iam::12345678:role/control-plane.cluster-api-provider-aws.sigs.k8s.io

policy/base/resources.yaml

@@ -35,4 +35,32 @@ spec:
   helmVersion: v3
   releaseName: policy-resources
   targetNamespace: gatekeeper-system
-  values: {}
+  values: {}
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: ratify
+  name: ratify
+spec:
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: ratify
+    version: 1.13.0
+    origin: https://github.com/ratify-project/ratify/tree/v1.2.0/charts/ratify
+  helmVersion: v3
+  releaseName: ratify
+  targetNamespace: gatekeeper-system
+  values: 
+    oras:
+      useHttp: true
+    provider:
+      tls:
+        skipVerify: true
+    featureFlags:
+      RATIFY_CERT_ROTATION: true
+    sbom:
+      enabled: true
+---

policy/base/site-values.yaml

@@ -25,3 +25,36 @@ charts:
     enableDeleteOperations: true
 
 - name: policy-resources
+
+- name: ratify
+  override:
+    sbom:
+      disallowedLicenses:
+      - "GPL-2.0-only"
+      - "MPL"
+      disallowedPackages:
+      - name: "busybox"
+        version: "1.36.1-r28"
+    notationCerts:
+    # https://github.com/ratify-project/ratify/blob/dev/test/testdata/notation.crt
+    - |-
+      -----BEGIN CERTIFICATE-----
+      MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL
+      BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X
+      DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5
+      MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+      MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8
+      3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4
+      FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo
+      ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa
+      gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo
+      3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci
+      EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE
+      ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL
+      BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt
+      BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ
+      hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF
+      90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync
+      cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp
+      Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg=
+      -----END CERTIFICATE-----

tks-cluster/infra/aws/resources.yaml

@@ -11,15 +11,15 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: cluster-api-aws
-    version: 0.11.1
+    version: 0.11.2
   releaseName: cluster-api-aws
   targetNamespace: argo
   values:
     sshKeyName: TO_BE_FIXED
     cluster:
       name: TO_BE_FIXED
       region: TO_BE_FIXED
-      kubernetesVersion: v1.25.9
+      kubernetesVersion: v1.28.3
       podCidrBlocks:
         - 192.168.0.0/16
       bastion: