Merge branch 'master' into release-0.34

.circleci/config.yml

@@ -110,7 +110,7 @@ jobs:
 
   run_pre_commit:
     docker:
-      - image: quay.io/astronomer/ci-pre-commit:2024-02
+      - image: quay.io/astronomer/ci-pre-commit:2024-03
     steps:
       - checkout
       - run:
@@ -145,7 +145,7 @@ jobs:
 
   unittest-charts:
     docker:
-      - image: quay.io/astronomer/ci-helm-release:2024-02
+      - image: quay.io/astronomer/ci-helm-release:2024-03
     parallelism: 8
     resource_class: xlarge
     steps:
@@ -199,7 +199,7 @@ jobs:
 
   release-to-internal:
     docker:
-      - image: quay.io/astronomer/ci-helm-release:2024-02
+      - image: quay.io/astronomer/ci-helm-release:2024-03
     steps:
       - attach_workspace:
           at: /tmp/workspace
@@ -238,7 +238,7 @@ jobs:
 
   release-to-public:
     docker:
-      - image: quay.io/astronomer/ci-helm-release:2024-02
+      - image: quay.io/astronomer/ci-helm-release:2024-03
     steps:
       - attach_workspace:
           at: /tmp/workspace
@@ -265,68 +265,68 @@ jobs:
             helm template --kube-version=v1.25.16 -f values.yaml --set global.baseDomain=example.com . |
             kubent --cluster=false --helm3=false --filename -
           when: always
-  platform-1-26-13:
+  platform-1-26-14:
     machine:
       image: ubuntu-2204:2024.01.1
       resource_class: xlarge
     environment:
-      KUBE_VERSION: v1.26.13
+      KUBE_VERSION: v1.26.14
     steps:
       - helm-install:
           astronomer-tags: "platform postgresql monitoring logging"
       - run:
-          name: Check chart for k8s 1.26.13 compatibility with kubent
+          name: Check chart for k8s 1.26.14 compatibility with kubent
           command: |
             set -o pipefail
-            helm template --kube-version=v1.26.13 -f values.yaml --set global.baseDomain=example.com . |
+            helm template --kube-version=v1.26.14 -f values.yaml --set global.baseDomain=example.com . |
             kubent --cluster=false --helm3=false --filename -
           when: always
-  platform-1-27-10:
+  platform-1-27-11:
     machine:
       image: ubuntu-2204:2024.01.1
       resource_class: xlarge
     environment:
-      KUBE_VERSION: v1.27.10
+      KUBE_VERSION: v1.27.11
     steps:
       - helm-install:
           astronomer-tags: "platform postgresql monitoring logging"
       - run:
-          name: Check chart for k8s 1.27.10 compatibility with kubent
+          name: Check chart for k8s 1.27.11 compatibility with kubent
           command: |
             set -o pipefail
-            helm template --kube-version=v1.27.10 -f values.yaml --set global.baseDomain=example.com . |
+            helm template --kube-version=v1.27.11 -f values.yaml --set global.baseDomain=example.com . |
             kubent --cluster=false --helm3=false --filename -
           when: always
-  platform-1-28-6:
+  platform-1-28-7:
     machine:
       image: ubuntu-2204:2024.01.1
       resource_class: xlarge
     environment:
-      KUBE_VERSION: v1.28.6
+      KUBE_VERSION: v1.28.7
     steps:
       - helm-install:
           astronomer-tags: "platform postgresql monitoring logging"
       - run:
-          name: Check chart for k8s 1.28.6 compatibility with kubent
+          name: Check chart for k8s 1.28.7 compatibility with kubent
           command: |
             set -o pipefail
-            helm template --kube-version=v1.28.6 -f values.yaml --set global.baseDomain=example.com . |
+            helm template --kube-version=v1.28.7 -f values.yaml --set global.baseDomain=example.com . |
             kubent --cluster=false --helm3=false --filename -
           when: always
-  platform-1-29-1:
+  platform-1-29-2:
     machine:
       image: ubuntu-2204:2024.01.1
       resource_class: xlarge
     environment:
-      KUBE_VERSION: v1.29.1
+      KUBE_VERSION: v1.29.2
     steps:
       - helm-install:
           astronomer-tags: "platform postgresql monitoring logging"
       - run:
-          name: Check chart for k8s 1.29.1 compatibility with kubent
+          name: Check chart for k8s 1.29.2 compatibility with kubent
           command: |
             set -o pipefail
-            helm template --kube-version=v1.29.1 -f values.yaml --set global.baseDomain=example.com . |
+            helm template --kube-version=v1.29.2 -f values.yaml --set global.baseDomain=example.com . |
             kubent --cluster=false --helm3=false --filename -
           when: always
 
@@ -454,22 +454,22 @@ workflows:
       - platform-1-25-16:
           requires:
             - build-artifact
-      - platform-1-26-13:
+      - platform-1-26-14:
           requires:
             - approve-test-all-platforms
             - build-artifact
 
-      - platform-1-27-10:
+      - platform-1-27-11:
           requires:
             - approve-test-all-platforms
             - build-artifact
 
-      - platform-1-28-6:
+      - platform-1-28-7:
           requires:
             - approve-test-all-platforms
             - build-artifact
 
-      - platform-1-29-1:
+      - platform-1-29-2:
           requires:
             - build-artifact
       - approve-internal-release:
@@ -488,7 +488,7 @@ workflows:
           requires:
             - approve-internal-release
             - platform-1-25-16
-            - platform-1-29-1
+            - platform-1-29-2
       - approve-upgrade-test:
           type: approval
           filters:
@@ -507,9 +507,9 @@ workflows:
           type: approval
           requires:
             - release-to-internal
-            - platform-1-26-13
-            - platform-1-27-10
-            - platform-1-28-6
+            - platform-1-26-14
+            - platform-1-27-11
+            - platform-1-28-7
           filters:
             branches:
               only:
@@ -548,7 +548,7 @@ workflows:
           requires:
             - build-artifact
 
-      - platform-1-29-1:
+      - platform-1-29-2:
           requires:
             - build-artifact
 
@@ -557,7 +557,7 @@ workflows:
             - gcp-astronomer-prod
           requires:
             - platform-1-25-16
-            - platform-1-29-1
+            - platform-1-29-2
           filters:
             branches:
               only:

.pre-commit-config.yaml

@@ -3,34 +3,37 @@ exclude: '(venv|\.vscode|tests/k8s_schema)' # regex
 repos:
   - repo: local
     hooks:
-      - id: verify-image-tags
-        name: Verify image tags
+      - id: check-image-tags
+        language: python
+        additional_dependencies: ["jinja2", "PyYAML"]
+        name: Ensure unique tags per image
         entry: python3
-        args: [bin/verify_image_tags.py]
-        language: system
-        files: ^.*\.(tpl|yaml)$
+        args: ["bin/show-docker-images.py", "--private-registry", "--with-houston", "-c"]
+        files: '(config.yml|config.yml.j2|generate_circleci_config.py|yaml|tpl)$'
+        pass_filenames: false
       - id: circle-config-yaml
-        name: Checks for consistency between config.yml and config.yml.j2
         language: python
-        files: '(config.yml|config.yml.j2|generate_circleci_config.py|values.yaml|metadata.yaml)$'
-        entry: bin/generate_circleci_config.py
         additional_dependencies: ["jinja2", "PyYAML"]
+        name: Checks for consistency between config.yml and config.yml.j2
+        entry: bin/generate_circleci_config.py
+        files: '(config.yml|config.yml.j2|generate_circleci_config.py|yaml|tpl)$'
+        pass_filenames: false
   - repo: https://github.com/codespell-project/codespell
     rev: v2.2.6
     hooks:
       - id: codespell
         args: ["-L", "AKS,aks"]
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.5.4
+    rev: v1.5.5
     hooks:
       - id: remove-tabs
         exclude_types: [makefile, binary]
   - repo: https://github.com/psf/black
-    rev: 24.1.1
+    rev: 24.2.0
     hooks:
       - id: black
   - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: "v0.2.1"
+    rev: "v0.3.0"
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix, --ignore, E501]
@@ -67,3 +70,13 @@ repos:
     rev: v0.9.0.6
     hooks:
       - id: shellcheck
+  - repo: https://github.com/astronomer/pre-commit-hooks
+    rev: 8b2d969bd549cd7c9454cc8bb54eec5b35c2e5e6
+    hooks:
+      - id: CVE-2017-18342
+      - id: remove-unicode-zero-width-non-breaking-spaces
+      - id: remove-unicode-zero-width-space
+      - id: replace-en-dashes
+        exclude: 'bin/kind/.*'
+      - id: replace-greek-question-mark
+      - id: replace-unicode-non-breaking-spaces

bin/generate_circleci_config.py

@@ -15,7 +15,7 @@
 
 # https://circleci.com/developer/machine/image/ubuntu-2204
 machine_image_version = "ubuntu-2204:2024.01.1"
-ci_runner_version = "2024-02"
+ci_runner_version = "2024-03"
 
 
 def list_docker_images():

bin/install-ci-tools

@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 set -xeuo pipefail
 
-KIND_VERSION="0.21.0" # https://github.com/kubernetes-sigs/kind/releases
-HELM_VERSION="3.14.0" # https://github.com/helm/helm/releases
-GCLOUD_VERSION="462.0.1"
+KIND_VERSION="0.22.0" # https://github.com/kubernetes-sigs/kind/releases
+HELM_VERSION="3.14.2" # https://github.com/helm/helm/releases
+GCLOUD_VERSION="465.0.0"
 MKCERT_VERSION="1.4.4" # https://github.com/FiloSottile/mkcert/tags
 KUBENT_VERSION="0.7.1" # https://github.com/doitintl/kube-no-trouble/releases
 

bin/setup-kind

@@ -2,7 +2,7 @@
 # shellcheck disable=SC1090
 set -euo pipefail
 
-export KUBE_VERSION="${KUBE_VERSION:-v1.25.11}"
+export KUBE_VERSION="${KUBE_VERSION:-v1.29.2}"
 
 # The path to the working directory - the root of the repo
 GIT_ROOT="$(git -C "${0%/*}" rev-parse --show-toplevel)"

bin/show-docker-images.py

@@ -8,6 +8,8 @@
 import sys
 import json
 
+from collections import defaultdict
+
 
 def get_containers_from_spec(spec):
     """Return a list of images used in a kubernetes pod spec."""
@@ -120,6 +122,12 @@ def main():
         action="store_true",
         help="include images from houston configmap",
     )
+    parser.add_argument(
+        "-c",
+        "--check-tags",
+        action="store_true",
+        help="only check for multiple tags for the same image, do not print the images",
+    )
     args = parser.parse_args()
 
     docs = helm_template(args)
@@ -140,6 +148,20 @@ def main():
             case _:
                 pass
 
+    if args.check_tags:
+        image_tag_counts = defaultdict(int)
+        for x, y in [
+            (tag.rpartition(":")[0], tag.rpartition(":")[2]) for tag in containers
+        ]:
+            image_tag_counts[x] += 1
+        for image, count in image_tag_counts.items():
+            if count > 1:
+                print(
+                    f"ALERT: {image} has {count} different tags: {', '.join([c.rpartition(':')[-1] for c in containers if image in c])}"
+                )
+        # Exit with a return code equal to the number of images with multiple tags
+        raise SystemExit(len([y for x, y in image_tag_counts.items() if y > 1]))
+
     print_results(sorted(containers))
 
 

charts/nginx/templates/_helpers.tpl

@@ -64,3 +64,7 @@ imagePullSecrets:
   - name: {{ .Values.global.privateRegistry.secretName }}
 {{- end -}}
 {{- end -}}
+
+{{- define "defaultBackend.fullname" -}}
+{{ printf "%s-default-backend" (include "nginx.fullname" .)}}
+{{- end -}}

charts/nginx/templates/nginx-default-backend-serviceaccount.yaml

@@ -0,0 +1,14 @@
+################################
+## NGINX ServiceAccount
+#################################
+{{- if .Values.global.rbacEnabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ template "defaultBackend.fullname" . }}
+  labels:
+    tier: nginx
+    chart: {{ template "nginx.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- end }}