Update images to support Kubernetes 1.30 (#3214)

* update DNSNodeCache * update ccm-aws * fix missing md annotation for metrics-server * update csi-external-snapshotter to v8.0.1 * update csi-aws-ebs also removes the copy of external-snapshotter CRDs in the AWS EBS CSI addon * update ccm-azure / cnm-azure * update csi-azurefile * update csi-azuredisk * use non-MCR images for CSI snapshotter to keep them aligned with the ext-snapshotter addon * update ccm-digitalocean With the new version, DO removed some of manifests that we originally deleted in our kustomization. * update csi-digitalocean * fix readme in update ccm-hetzner There was no new chart or new image for ccm * update csi-hetzner * update ccm-openstack * update csi-openstack * fix typos in csi-vmware * update ccm-vsphere * update csi-vsphere * update csi-gcp * update cilium and hubble * update cluster-autoscaler * update restic * remove hcloud storageclass from the CSI addon --------- Co-authored-by: Christoph Mewes <christoph@kubermatic.com>
kubermatic · Jun 14, 2024 · cbaab7a · cbaab7a
1 parent fabed7f
commit cbaab7a
Show file tree

Hide file tree

Showing 35 changed files with 838 additions and 1,729 deletions.
diff --git a/addons/backups-restic/backups-restic.yaml b/addons/backups-restic/backups-restic.yaml
@@ -52,7 +52,7 @@ spec:
               path: /etc/kubernetes/pki
           initContainers:
           - name: snapshotter
-            image: {{ Registry "gcr.io" }}/etcd-development/etcd:v3.5.12
+            image: {{ Registry "gcr.io" }}/etcd-development/etcd:v3.5.14
             imagePullPolicy: IfNotPresent
             command:
               - etcdctl
@@ -83,7 +83,7 @@ spec:
               readOnly: true
           containers:
           - name: uploader
-            image: {{ Registry "docker.io" }}/restic/restic:0.16.3
+            image: {{ Registry "docker.io" }}/restic/restic:0.16.4
             imagePullPolicy: IfNotPresent
             command:
             - /bin/sh

diff --git a/addons/ccm-azure/Kustomization b/addons/ccm-azure/Kustomization
@@ -4,7 +4,7 @@ kind: Kustomization
 helmCharts:
 - name: cloud-provider-azure
   repo: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
-  version: v1.29.0
+  version: v1.30.3
   releaseName: cloud-provider-azure
   namespace: kube-system
   valuesFile: helm-values

diff --git a/addons/ccm-digitalocean/Kustomization b/addons/ccm-digitalocean/Kustomization
@@ -3,37 +3,9 @@ kind: Kustomization
 namespace: kube-system
 
 resources:
-  - https://raw.githubusercontent.com/digitalocean/digitalocean-cloud-controller-manager/master/releases/v0.1.47.yml
+  - https://raw.githubusercontent.com/digitalocean/digitalocean-cloud-controller-manager/master/releases/digitalocean-cloud-controller-manager/v0.1.53.yml
 
 patches:
-  # remove webhook from the upstream manifest
-  - patch: |-
-      apiVersion: cert-manager.io/v1
-      kind: Certificate
-      metadata:
-        name: digitalocean-cloud-controller-manager-serving-certs
-        namespace: kube-system
-      $patch: delete
-  - patch: |-
-      apiVersion: cert-manager.io/v1
-      kind: Issuer
-      metadata:
-        name: digitalocean-cloud-controller-manager-selfsigned-issuer
-        namespace: kube-system
-      $patch: delete
-  - patch: |-
-      apiVersion: admissionregistration.k8s.io/v1
-      kind: ValidatingWebhookConfiguration
-      metadata:
-        name: digitalocean-cloud-controller-manager-admission-webhook
-      $patch: delete
-  - patch: |-
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: digitalocean-cloud-controller-manager
-        namespace: kube-system
-      $patch: delete
   - patch: |-
       apiVersion: apps/v1
       kind: Deployment

diff --git a/addons/ccm-hetzner/README.md b/addons/ccm-hetzner/README.md
@@ -4,7 +4,7 @@ See more: https://github.com/hetznercloud/hcloud-cloud-controller-manager
 
 basic YAML generated by:
 
-```
+```shell
 helm repo add hcloud https://charts.hetzner.cloud
 helm repo update hcloud
 

diff --git a/addons/ccm-openstack/Kustomization b/addons/ccm-openstack/Kustomization
@@ -0,0 +1,14 @@
+namespace: kube-system
+
+resources:
+  - ccm-openstack.yaml
+
+patches:
+  - target:
+      kind: DaemonSet
+      namespace: kube-system
+      name: openstack-cloud-controller-manager
+    patch: |-
+      - op: replace
+        path: "/spec/template/spec/containers/0/env/0/value"
+        value: "/etc/config/cloud-config"
diff --git a/addons/ccm-openstack/README.md b/addons/ccm-openstack/README.md
@@ -4,14 +4,16 @@ See more: https://github.com/kubernetes/cloud-provider-openstack/tree/master/cha
 
 basic YAML generated by:
 
-```
+```shell
 helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack
 helm repo update
 helm template openstack-ccm cpo/openstack-cloud-controller-manager \
     --namespace=kube-system \
     --values=generate-values-ccm \
-    --version=2.28.3 \
+    --version=2.30.1 \
     > ccm-openstack.yaml
+
+kubectl kustomize --output ccm-openstack.yaml .
 ```
 
 **Note:** some manual adjustments are required (e.g. CA certs env/volumes), images...
diff --git a/addons/ccm-openstack/ccm-openstack.yaml b/addons/ccm-openstack/ccm-openstack.yaml
@@ -1,18 +1,25 @@
----
-# Source: openstack-cloud-controller-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: openstack-cloud-controller-manager
+  labels:
+    app.kubernetes.io/instance: openstack-ccm
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: openstack-cloud-controller-manager
+    app.kubernetes.io/version: v1.30.0
+    helm.sh/chart: openstack-cloud-controller-manager-2.30.1
+  name: cloud-controller-manager
   namespace: kube-system
-  annotations:
 ---
-# Source: openstack-cloud-controller-manager/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:openstack-cloud-controller-manager
-  annotations:
+  labels:
+    app.kubernetes.io/instance: openstack-ccm
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: openstack-cloud-controller-manager
+    app.kubernetes.io/version: v1.30.0
+    helm.sh/chart: openstack-cloud-controller-manager-2.30.1
+  name: system:cloud-controller-manager
 rules:
 - apiGroups:
   - coordination.k8s.io
@@ -103,115 +110,113 @@ rules:
   - get
   - watch
 ---
-# Source: openstack-cloud-controller-manager/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:openstack-cloud-controller-manager
-  annotations:
+  labels:
+    app.kubernetes.io/instance: openstack-ccm
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: openstack-cloud-controller-manager
+    app.kubernetes.io/version: v1.30.0
+    helm.sh/chart: openstack-cloud-controller-manager-2.30.1
+  name: system:cloud-controller-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:openstack-cloud-controller-manager
+  name: system:cloud-controller-manager
 subjects:
 - kind: ServiceAccount
-  name: openstack-cloud-controller-manager
-  namespace: "kube-system"
+  name: cloud-controller-manager
+  namespace: kube-system
 ---
-# Source: openstack-cloud-controller-manager/templates/daemonset.yaml
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: openstack-cloud-controller-manager
-  namespace: kube-system
   labels:
-    app.kubernetes.io/name: openstack-cloud-controller-manager
-    helm.sh/chart: openstack-cloud-controller-manager-2.27.1
     app.kubernetes.io/instance: openstack-ccm
-    app.kubernetes.io/version: "v1.27.1"
     app.kubernetes.io/managed-by: Helm
-  annotations:
+    app.kubernetes.io/name: openstack-cloud-controller-manager
+    app.kubernetes.io/version: v1.30.0
+    helm.sh/chart: openstack-cloud-controller-manager-2.30.1
+  name: openstack-cloud-controller-manager
+  namespace: kube-system
 spec:
   selector:
     matchLabels:
-      component: controllermanager
       app: openstack-cloud-controller-manager
+      component: controllermanager
       release: openstack-ccm
-  updateStrategy:
-    type: RollingUpdate
   template:
     metadata:
       annotations:
         "kubeone.k8c.io/cabundle-hash": "{{ .Config.CABundle | sha256sum }}"
         "kubeone.k8c.io/cloudconfig-hash": "{{ .Config.CloudProvider.CloudConfig | sha256sum }}"
       labels:
-        component: controllermanager
         app: openstack-cloud-controller-manager
-        k8s-app: openstack-cloud-controller-manager
-        release: openstack-ccm
-        chart: openstack-cloud-controller-manager-2.27.1
+        chart: openstack-cloud-controller-manager-2.30.1
+        component: controllermanager
         heritage: Helm
-      annotations:
+        release: openstack-ccm
     spec:
-      securityContext:
-        runAsUser: 1001
-      tolerations:
-        - effect: NoSchedule
-          key: node.cloudprovider.kubernetes.io/uninitialized
-          value: "true"
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/control-plane
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/master
-      serviceAccountName: openstack-cloud-controller-manager
       containers:
-        - name: openstack-cloud-controller-manager
-          image: {{ .InternalImages.Get "OpenstackCCM" }}
-          args:
-            - /bin/openstack-cloud-controller-manager
-            - --v=1
-            - --cloud-config=$(CLOUD_CONFIG)
-            - --cluster-name=$(CLUSTER_NAME)
-            - --cloud-provider=openstack
-            - --controllers=cloud-node,cloud-node-lifecycle,route,service
-            - --bind-address=127.0.0.1
-            {{- with .Params.CCM_CONCURRENT_SERVICE_SYNCS }}
-            - --concurrent-service-syncs={{ . }}
-            {{- end }}
-          volumeMounts:
-            - mountPath: /etc/config
-              name: cloud-config-volume
-              readOnly: true
-            - mountPath: /etc/kubernetes/pki
-              name: k8s-certs
-              readOnly: true
-            - mountPath: /etc/ssl/certs
-              name: ca-certs
-              readOnly: true
-            - mountPath: /etc/pki
-              name: pki-certs
-              readOnly: true
-            - mountPath: /usr/share/ca-certificates
-              name: usr-ca-certs
-              readOnly: true
-{{ if .Config.CABundle }}
-{{ caBundleVolumeMount | indent 12 }}
-{{ end }}
-          env:
-            - name: CLOUD_CONFIG
-              value: /etc/config/cloud-config
-            - name: CLUSTER_NAME
-              value: {{ default "kubernetes" .CCMClusterName }}
+      - args:
+        - /bin/openstack-cloud-controller-manager
+        - --v=1
+        - --cloud-config=$(CLOUD_CONFIG)
+        - --cluster-name=$(CLUSTER_NAME)
+        - --cloud-provider=openstack
+        - --use-service-account-credentials=false
+        - --controllers=cloud-node,cloud-node-lifecycle,route,service
+        - --bind-address=127.0.0.1
+        {{- with .Params.CCM_CONCURRENT_SERVICE_SYNCS }}
+        - --concurrent-service-syncs={{ . }}
+        {{- end }}
+        env:
+        - name: CLOUD_CONFIG
+          value: /etc/config/cloud-config
+        - name: CLUSTER_NAME
+          value: {{ default "kubernetes" .CCMClusterName }}
+        image: {{ .InternalImages.Get "OpenstackCCM" }}
+        name: openstack-cloud-controller-manager
+        volumeMounts:
+        - mountPath: /etc/config
+          name: cloud-config-volume
+          readOnly: true
+        - mountPath: /etc/kubernetes/pki
+          name: k8s-certs
+          readOnly: true
+        - mountPath: /etc/ssl/certs
+          name: ca-certs
+          readOnly: true
+        - mountPath: /etc/pki
+          name: pki-certs
+          readOnly: true
+        - mountPath: /usr/share/ca-certificates
+          name: usr-ca-certs
+          readOnly: true
 {{ if .Config.CABundle }}
-{{ caBundleEnvVar | indent 12 }}
+{{ caBundleVolumeMount | indent 8 }}
 {{ end }}
+      dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
-      priorityClassName: "system-cluster-critical"
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      securityContext:
+        runAsUser: 1001
+      serviceAccountName: cloud-controller-manager
+      tolerations:
+      - effect: NoSchedule
+        key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
       volumes:
       - name: cloud-config-volume
         secret:
           secretName: cloud-config
-
       - hostPath:
           path: /etc/kubernetes/pki
           type: DirectoryOrCreate
@@ -231,3 +236,5 @@ spec:
 {{ if .Config.CABundle }}
 {{ caBundleVolume | indent 6 }}
 {{ end }}
+  updateStrategy:
+    type: RollingUpdate
diff --git a/addons/ccm-vsphere/README.md b/addons/ccm-vsphere/README.md
@@ -4,14 +4,18 @@ See more: https://github.com/kubernetes/cloud-provider-vsphere
 
 basic YAML generated by:
 
-```
+```shell
 helm repo add vsphere-cpi https://kubernetes.github.io/cloud-provider-vsphere
 helm repo update
 
 helm template vsphere-cpi vsphere-cpi/vsphere-cpi \
     --namespace=kube-system \
     --values=generate-values-ccm \
+    --version=1.30.1 \
     > ccm-vsphere.yaml
+
+# unwrap List objects into standalone documents
+yq ea --inplace '[[.][] | (.items[] // .)][] | split_doc' ccm-vsphere.yaml
 ```
 
 **Note:** some manual adjustments are required (e.g. CA certs env/volumes), images...