zalando-incubator · linki · Jul 29, 2024 · Jun 20, 2024 · Jun 24, 2024 · Jun 24, 2024
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -510,7 +510,7 @@ Resources:
           FromPort: 9998
           IpProtocol: tcp
           ToPort: 9999
-{{- if ne .Cluster.ConfigItems.skipper_redis_replicas "0"}}
+{{- if eq .Cluster.ConfigItems.skipper_ingress_redis_swim_enabled "true" }}
         - CidrIp: "{{.Values.vpc_ipv4_cidr}}"
           FromPort: 9990
           IpProtocol: tcp

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -112,6 +112,8 @@ skipper_validate_query: "true"
 skipper_validate_query_log: "false"
 
 skipper_default_filters: 'disableAccessLog(2,3,404,429) -> fifo(2000,20,"1s")'
+# skipper_default_filters_authentication defines filters that implement default request authentication
+skipper_default_filters_authentication: ''
 skipper_default_filters_append: 'stateBagToTag("auth-user", "client.uid")'
 skipper_disabled_filters: "static,bearerinjector"
 skipper_lua_sources: "file"
@@ -122,7 +124,8 @@ skipper_endpointslices_enabled: "true"
 
 skipper_compress_encodings: "gzip,deflate,br"
 
-skipper_prometheus_start_label_enabled: "false"
+# Adds "start" label to each prometheus counter with the value of counter creation timestamp as unix nanoseconds
+skipper_prometheus_start_label_enabled: "true"
 
 # skipper profiling settings, 0 keeps default, <0 disable, >0 enable with value
 # https://pkg.go.dev/runtime@master#SetBlockProfileRate
@@ -163,8 +166,6 @@ skipper_termination_grace_period: "392"
 
 # skipper redis settings
 enable_dedicate_nodepool_skipper_redis: "false"
-# TODO: skipper_redis_replicas cleanup after merge
-skipper_redis_replicas: 1
 skipper_redis_cpu: "100m"
 skipper_redis_memory: "512Mi"
 skipper_redis_dial_timeout: "25ms"
@@ -173,6 +174,7 @@ skipper_redis_read_timeout: "25ms"
 skipper_redis_write_timeout: "25ms"
 
 skipper_ingress_redis_swarm_enabled: "true"
+skipper_ingress_redis_swim_enabled: "false"
 skipper_ingress_redis_target_average_utilization_cpu: "30"
 skipper_ingress_redis_target_average_utilization_memory: "60"
 skipper_ingress_redis_min_replicas: "1"
@@ -228,15 +230,6 @@ zmon_kairosdb_url: "https://data-service.zmon.zalan.do/kairosdb-proxy"
 ## Nakadi URL (for the stats API)
 nakadi_url: ""
 
-# skipper east-west feature - deprecated configuration
-# enable_skipper_eastwest is the legacy feature gate for the automatic
-# ingress.cluster.local addresses created by skipper.
-# enable_skipper_eastwest_dns only enables DNS and assumes users define the
-# ingress.cluster.local names explicitly on ingress/routegroup/stacksets
-enable_skipper_eastwest_dns: "true"
-enable_skipper_eastwest: "false"
-
-
 # enable temporary logging of ingress.cluster.local names
 # used to find services for which it's being used.
 skipper_eastwest_dns_log_enabled: "false"
@@ -336,14 +329,13 @@ skipper_open_policy_agent_styra_token: ""
 #
 # FabricGateway controller config
 #
-# fabric_gateway_controller_mode:
-#   - disabled: scales controller to zero replicas
-#   - production: runs the controller
+# fabric_gateway_controller_enabled:
+#   - false: scales controller to zero replicas
+#   - true: runs the controller
 #
-fabric_gateway_controller_mode: "disabled"
+fabric_gateway_controller_enabled: "true"
 fabric_gateway_controller_cpu: "50m"
 fabric_gateway_controller_memory: "150Mi"
-fabric_gateway_crd_v1_enabled: "false"
 fabric_gateway_controller_allow_all_filters: "false"
 fabric_gateway_controller_ssl_policy: ""
 fabric_gateway_controller_log_level: "INFO"
@@ -360,7 +352,7 @@ event_rate_limit_config_burst: "1000"
 cadvisor_cpu: "150m"
 cadvisor_memory: "150Mi"
 cadvisor_profiling_enabled: "false"
-cadvisor_enabled: "true"
+cadvisor_enabled: "false"
 
 # settings for enabling the kubelet-summary-metrics proxy and prometheus metric
 # collection.
@@ -389,6 +381,9 @@ kube_proxy_verbose_level: "2"
 flannel_cpu: "25m"
 flannel_memory: "100Mi"
 
+flannel_awaiter_cpu: "25m"
+flannel_awaiter_memory: "50Mi"
+
 # nvidia device plugin
 nvidia_device_plugin_cpu: "10m"
 nvidia_device_plugin_memory: "50Mi"
@@ -707,10 +702,8 @@ tracing_coredns_local_zone_traces_endpoint: ""
 # AMI id given the image name and the Image AWS account owner.
 #
 # [0]: https://github.com/zalando-incubator/cluster-lifecycle-manager/blob/8a9bd1cb2d094038a9e23e646421f8146b48886a/provisioner/template.go#L116
-kuberuntu_image_v1_29_jammy_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.29.4-amd64-master-328" "861068367966" }}
-kuberuntu_image_v1_29_jammy_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.29.4-arm64-master-328" "861068367966" }}
-kuberuntu_image_v1_30_jammy_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.30.2-amd64-master-337" "861068367966" }}
-kuberuntu_image_v1_30_jammy_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.30.2-arm64-master-337" "861068367966" }}
+kuberuntu_image_v1_30_jammy_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.30.2-amd64-master-341" "861068367966" }}
+kuberuntu_image_v1_30_jammy_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.30.2-arm64-master-341" "861068367966" }}
 
 # Which distro from the previous config items should be used. Valid options are only `jammy` for now. Can be set for each node pool.
 kuberuntu_distro_master: "jammy"
@@ -814,7 +807,7 @@ auditlog_metric_dimensions: "authorization_decision"
 auditlog_read_access: "false"
 
 # allow ssh access for internal VPC IPs only
-ssh_vpc_only: "false"
+ssh_vpc_only: "true"
 
 # configure custom dns zone
 custom_dns_zone: "" # zone name e.g. example.org
@@ -968,7 +961,7 @@ deployment_service_ml_experiments_enabled: "true"
 deployment_service_cf_auto_expand_enabled: "false"
 deployment_service_cf_update_source_branch_changes: "true"
 deployment_service_executor_cdp_permissions: "false"
-deployment_service_skip_mustache_rendering: "false"
+deployment_service_skip_mustache_rendering: "true"
 {{- if eq .Cluster.Environment "test" }}
 # disable CF update of source branch changes in test to avoid updating CF stacks
 # on any PR.

diff --git a/cluster/etcd/stack.yaml b/cluster/etcd/stack.yaml
@@ -43,7 +43,7 @@ Resources:
           - Key: component
             Value: etcd-cluster
           - Key: Name
-            Value: 'etcd-cluster ({{.Cluster.ID}})'
+            Value: 'etcd-cluster'
         NetworkInterfaces:
           - DeviceIndex: 0
             AssociatePublicIpAddress: true

diff --git a/cluster/manifests/01-coredns-local/configmap-local.yaml b/cluster/manifests/01-coredns-local/configmap-local.yaml
@@ -65,7 +65,6 @@ data:
     }
 {{ end }}
 
-{{ if eq .Cluster.ConfigItems.enable_skipper_eastwest_dns "true"}}
     ingress.cluster.local:9254 {
 {{ if eq .Cluster.ConfigItems.skipper_eastwest_dns_log_enabled "true"}}
         log
@@ -81,7 +80,6 @@ data:
         prometheus :9153
         ready :9155
     }
-{{ end }}
 
     # Defines that this server is authority for reverse
     # lookups for these ranges.

diff --git a/cluster/manifests/02-admission-control/config.yaml b/cluster/manifests/02-admission-control/config.yaml
@@ -27,7 +27,7 @@ data:
   pod.service-account-iam.enable: "true"
   pod.service-account-iam.base-aws-account-id: "{{ accountID .Cluster.InfrastructureAccount }}"
 {{- if eq .Cluster.ConfigItems.teapot_admission_controller_inject_aws_waiter "true" }}
-  pod.aws-waiter.image: "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/automata/aws-credentials-waiter:master-173"
+  pod.aws-waiter.image: "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/automata/aws-credentials-waiter:master-226"
 {{- end }}
   pod.env-inject.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_inject_environment_variables }}"
   pod.env-inject.variable._PLATFORM_ACCOUNT: "{{ .Cluster.Alias }}"

diff --git a/cluster/manifests/02-vertical-pod-autoscaler/admission-controller-deployment.yaml b/cluster/manifests/02-vertical-pod-autoscaler/admission-controller-deployment.yaml
@@ -26,9 +26,9 @@ spec:
       containers:
       - name: admission-controller
         {{if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "current"}}
-        image: container-registry.zalando.net/teapot/vpa-admission-controller:v1.1.2-main-2-custom
+        image: container-registry.zalando.net/teapot/vpa-admission-controller:v1.1.2-main-5-custom
         {{else if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "legacy"}}
-        image: container-registry.zalando.net/teapot/vpa-admission-controller:v1.1.1-main-1-custom
+        image: container-registry.zalando.net/teapot/vpa-admission-controller:v1.1.2-main-2-custom
         {{end}}
         command:
           - /admission-controller

diff --git a/cluster/manifests/02-vertical-pod-autoscaler/recommender-deployment.yaml b/cluster/manifests/02-vertical-pod-autoscaler/recommender-deployment.yaml
@@ -24,9 +24,9 @@ spec:
       containers:
       - name: recommender
         {{if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "current"}}
-        image: container-registry.zalando.net/teapot/vpa-recommender:v1.1.2-main-2-custom
+        image: container-registry.zalando.net/teapot/vpa-recommender:v1.1.2-main-5-custom
         {{else if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "legacy"}}
-        image: container-registry.zalando.net/teapot/vpa-recommender:v1.1.1-main-1-custom
+        image: container-registry.zalando.net/teapot/vpa-recommender:v1.1.2-main-2-custom
         {{end}}
         args:
         - --logtostderr

diff --git a/cluster/manifests/02-vertical-pod-autoscaler/updater-deployment.yaml b/cluster/manifests/02-vertical-pod-autoscaler/updater-deployment.yaml
@@ -24,9 +24,9 @@ spec:
       containers:
       - name: updater
         {{if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "current"}}
-        image: container-registry.zalando.net/teapot/vpa-updater:v1.1.2-main-2-custom
+        image: container-registry.zalando.net/teapot/vpa-updater:v1.1.2-main-5-custom
         {{else if eq .Cluster.ConfigItems.vertical_pod_autoscaler_version "legacy"}}
-        image: container-registry.zalando.net/teapot/vpa-updater:v1.1.1-main-1-custom
+        image: container-registry.zalando.net/teapot/vpa-updater:v1.1.2-main-2-custom
         {{end}}
         command:
           - ./updater

diff --git a/cluster/manifests/03-kube-aws-iam-controller/deployment.yaml b/cluster/manifests/03-kube-aws-iam-controller/deployment.yaml
@@ -27,7 +27,7 @@ spec:
       hostNetwork: true
       containers:
       - name: kube-aws-iam-controller
-        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-12-g1eb9449
+        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-23-g4f4bbaf
         env:
         - name: AWS_DEFAULT_REGION
           value: "{{.Cluster.Region}}"

diff --git a/cluster/manifests/04-ebs-csi/controller.yaml b/cluster/manifests/04-ebs-csi/controller.yaml
@@ -37,7 +37,7 @@ spec:
         runAsUser: 1000
       containers:
         - name: ebs-plugin
-          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.29.1-master-17
+          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.32.0-master-19
           args:
             - controller
             - --endpoint=$(CSI_ENDPOINT)
@@ -84,7 +84,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-provisioner
-          image: container-registry.zalando.net/teapot/external-provisioner:v4.0.1-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/external-provisioner:v5.0.1-eks-1-30-8-master-19
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -109,7 +109,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-attacher
-          image: container-registry.zalando.net/teapot/external-attacher:v4.5.1-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/external-attacher:v4.6.1-eks-1-30-8-master-19
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -131,7 +131,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-resizer
-          image: container-registry.zalando.net/teapot/external-resizer:v1.10.1-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/external-resizer:v1.11.1-eks-1-30-8-master-19
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -153,7 +153,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.12.0-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.13.0-eks-1-30-8-master-19
           args:
             - --csi-address=/csi/csi.sock
           resources:

diff --git a/cluster/manifests/04-ebs-csi/node.yaml b/cluster/manifests/04-ebs-csi/node.yaml
@@ -34,7 +34,7 @@ spec:
         runAsUser: 0
       containers:
         - name: ebs-plugin
-          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.29.1-master-17
+          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.32.0-master-19
           args:
             - node
             - --endpoint=$(CSI_ENDPOINT)
@@ -77,7 +77,7 @@ spec:
             privileged: true
             readOnlyRootFilesystem: true
         - name: node-driver-registrar
-          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.10.1-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.11.0-eks-1-30-8-master-19
           args:
             - --csi-address=$(ADDRESS)
             - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
@@ -114,7 +114,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.12.0-eks-1-29-10-master-17
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.13.0-eks-1-30-8-master-19
           args:
             - --csi-address=/csi/csi.sock
           volumeMounts:

diff --git a/cluster/manifests/audittrail-adapter/daemonset.yaml b/cluster/manifests/audittrail-adapter/daemonset.yaml
@@ -33,7 +33,7 @@ spec:
       hostNetwork: true
       containers:
       - name: audittrail-adapter
-        image: container-registry.zalando.net/teapot/audittrail-adapter:master-64
+        image: container-registry.zalando.net/teapot/audittrail-adapter:master-65
         env:
           - name: AWS_REGION
             value: "{{ .Cluster.Region }}"

diff --git a/cluster/manifests/aws-cloud-controller-manager/daemonset.yaml b/cluster/manifests/aws-cloud-controller-manager/daemonset.yaml
@@ -28,7 +28,7 @@ spec:
         - --cloud-provider=aws
         - --use-service-account-credentials=true
         - --configure-cloud-routes=false
-        image: container-registry.zalando.net/teapot/aws-cloud-controller-manager-internal:v1.30.0-master-120
+        image: container-registry.zalando.net/teapot/aws-cloud-controller-manager-internal:v1.30.2-master-126
         name: aws-cloud-controller-manager
         resources:
           requests:

diff --git a/cluster/manifests/cluster-lifecycle-controller/deployment.yaml b/cluster/manifests/cluster-lifecycle-controller/deployment.yaml
@@ -39,7 +39,7 @@ spec:
 {{- end}}
       containers:
       - name: cluster-lifecycle-controller
-        image: container-registry.zalando.net/teapot/cluster-lifecycle-controller:master-41
+        image: container-registry.zalando.net/teapot/cluster-lifecycle-controller:master-42
         args:
             - --drain-grace-period={{.Cluster.ConfigItems.drain_grace_period}}
             - --drain-min-pod-lifetime={{.Cluster.ConfigItems.drain_min_pod_lifetime}}

diff --git a/cluster/manifests/cronjob-fixer/deployment.yaml b/cluster/manifests/cronjob-fixer/deployment.yaml
@@ -27,7 +27,7 @@ spec:
       serviceAccountName: cronjob-fixer
       containers:
         - name: cronjob-fixer
-          image: "container-registry.zalando.net/teapot/cronjob-fixer:master-15"
+          image: "container-registry.zalando.net/teapot/cronjob-fixer:master-16"
           resources:
             limits:
               cpu: 5m