Ingres-nginx upgrade

This PS bumps up ingress-nginx version to 1.11.2 due to critical CVE Also we bump up helm to 3.15.4 Change-Id: Id8e40bbbd10fb5aa525cc666f938f3803823ea48
2024-08-23 23:40:52 +00:00 · 2024-08-23 23:40:52 +00:00 · 01d4c1b751
commit 01d4c1b751
parent c831a4c658
10 changed files with 34 additions and 24 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -175,7 +175,7 @@
    voting: true
    vars:
      site: airskiff
-      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
      HTK_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_INFRA_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_COMMIT: 049e679939fbd3b0c659dd0977911b8dc3b5a015
@ -192,6 +192,7 @@
        - ./tools/deployment/airskiff/developer/100-deploy-osh.sh
        - ./tools/deployment/airskiff/common/os-env.sh
        - ./tools/gate/wait-for-shipyard.sh
        # - ./tools/deployment/airskiff/common/sleep.sh
 - job:
    name: treasuremap-airskiff-1node-reduced-site
@ -203,7 +204,7 @@
    voting: true
    vars:
      site: airskiff
-      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
      HTK_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_INFRA_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_COMMIT: 049e679939fbd3b0c659dd0977911b8dc3b5a015
@ -218,6 +219,7 @@
        - ./tools/deployment/airskiff/developer/017-make-all-images.sh
        - ./tools/deployment/airskiff/developer/025-start-artifactory.sh
        - ./tools/deployment/airskiff/developer/026-reduce-site.sh
        - ./tools/deployment/airskiff/developer/020-setup-client.sh
        - ./tools/deployment/airskiff/developer/030-armada-bootstrap.sh
        - ./tools/deployment/airskiff/developer/100-deploy-osh.sh
        - ./tools/deployment/airskiff/common/os-env.sh
@ -234,7 +236,7 @@
    voting: true
    vars:
      site: airskiff
-      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
      HTK_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_INFRA_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_COMMIT: 049e679939fbd3b0c659dd0977911b8dc3b5a015
@ -382,7 +384,7 @@
    post-run: tools/gate/playbooks/debug-report.yaml
    vars:
      site: airskiff
-      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+      HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
      HTK_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_INFRA_COMMIT: 05f2f45971abcf483189358d663e2b46c3fc2fe8
      OSH_COMMIT: 049e679939fbd3b0c659dd0977911b8dc3b5a015
--- a/global/software/config/versions.yaml
+++ b/global/software/config/versions.yaml
@ -32,7 +32,7 @@ data:
        subpath: haproxy
        type: tar
      ingress:
-        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.8.3/ingress-nginx-4.8.3.tgz
+        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.11.2/ingress-nginx-4.11.2.tgz
        subpath: ingress-nginx
        type: tar
      proxy:
@ -75,7 +75,7 @@ data:
        subpath: helm-toolkit
        type: git
      ingress:
-        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.8.3/ingress-nginx-4.8.3.tgz
+        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.11.2/ingress-nginx-4.11.2.tgz
        subpath: ingress-nginx
        type: tar
      keystone:
@ -267,7 +267,7 @@ data:
        subpath: drydock
        type: tar
      ingress:
-        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.8.3/ingress-nginx-4.8.3.tgz
+        location: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.11.2/ingress-nginx-4.11.2.tgz
        subpath: ingress-nginx
        type: tar
      keystone:
@ -488,7 +488,7 @@ data:
        anchor: gcr.io/google-containers/hyperkube-amd64:v1.17.3
        controller_manager: gcr.io/google-containers/hyperkube-amd64:v1.17.3
      coredns:
-        coredns: coredns/coredns:1.9.4
+        coredns: coredns/coredns:1.11.1
        test: quay.io/airshipit/promenade:latest
      etcd:
        etcd: quay.io/coreos/etcd:v3.5.11
@ -499,9 +499,9 @@ data:
        test: docker.io/library/python:3.6
      hyperkube: gcr.io/google-containers/hyperkube-amd64:v1.17.3
      ingress:
-        controller: registry.k8s.io/ingress-nginx/controller:v1.9.4
+        controller: registry.k8s.io/ingress-nginx/controller:v1.11.2
        defaultBackend: k8s.gcr.io/defaultbackend-amd64:1.5
-        patch: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343
+        patch: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.4.3
      pause: gcr.io/google-containers/pause-amd64:3.1
      proxy:
        proxy: gcr.io/google-containers/hyperkube-amd64:v1.17.3
@ -584,9 +584,9 @@ data:
        horizon_db_sync: docker.io/openstackhelm/horizon:ocata-ubuntu_xenial-20200513
        test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_bionic
      ingress:
-        controller: registry.k8s.io/ingress-nginx/controller:v1.9.4
+        controller: registry.k8s.io/ingress-nginx/controller:v1.11.2
        defaultBackend: k8s.gcr.io/defaultbackend-amd64:1.5
-        patch: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343
+        patch: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.4.3
      keystone:
        bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
        test: docker.io/xrally/xrally-openstack:2.0.0
@ -822,7 +822,7 @@ data:
        drydock_db_cleanup: quay.io/airshipit/drydock:master
        drydock_db_sync: quay.io/airshipit/drydock:master
      ingress:
-        controller: registry.k8s.io/ingress-nginx/controller:v1.9.4
+        controller: registry.k8s.io/ingress-nginx/controller:v1.11.2
        defaultBackend: k8s.gcr.io/defaultbackend-amd64:1.5
        patch: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343
      keystone:
@ -857,8 +857,8 @@ data:
        maas_syslog: quay.io/airshipit/maas-region-controller:latest
      mariadb:
        mariadb: docker.io/openstackhelm/mariadb:latest-ubuntu_focal
-        ingress: registry.k8s.io/ingress-nginx/controller:v1.5.1
+        ingress: registry.k8s.io/ingress-nginx/controller:v1.11.2
-        error_pages: registry.k8s.io/defaultbackend:1.4
+        error_pages: k8s.gcr.io/defaultbackend-amd64:1.5
        prometheus_create_mysql_user: docker.io/library/mariadb:10.6.14-focal
        prometheus_mysql_exporter: docker.io/prom/mysqld-exporter:v0.12.1
        prometheus_mysql_exporter_helm_tests: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
--- a/tools/deployment/airskiff/developer/000-clone-dependencies.sh
+++ b/tools/deployment/airskiff/developer/000-clone-dependencies.sh
@ -18,8 +18,8 @@
 set -xe
 : "${INSTALL_PATH:="../"}"
-: "${OSH_COMMIT:="176b412072969f982386db9560b6f50fcb7e0148"}"
+: "${OSH_COMMIT:="049e679939fbd3b0c659dd0977911b8dc3b5a015"}"
-: "${OSH_INFRA_COMMIT:="6ca83be78013446540b68fd28d0a75d5b2329f40"}"
+: "${OSH_INFRA_COMMIT:="05f2f45971abcf483189358d663e2b46c3fc2fe8"}"
 : "${CLONE_ARMADA:=true}"
 : "${CLONE_ARMADA_GO:=true}"
 : "${CLONE_ARMADA_OPERATOR:=true}"
@ -87,14 +87,14 @@ if [[ ${CLONE_PORTHOLE} = true ]] ; then
    git clone "https://review.opendev.org/airship/porthole.git"
 fi
 if [[ ${CLONE_OSH} = true ]] ; then
-    git clone https://opendev.org/openstack/openstack-helm.git
+    git clone "https://opendev.org/openstack/openstack-helm.git"
    pushd openstack-helm
    git checkout "${OSH_COMMIT}"
    popd
 fi
-git clone https://opendev.org/openstack/openstack-helm-infra.git
+git clone "https://opendev.org/openstack/openstack-helm-infra.git"
 pushd openstack-helm-infra
 git checkout "${OSH_INFRA_COMMIT}"
 popd
--- a/tools/deployment/airskiff/developer/000-sleep.sh
+++ b/tools/deployment/airskiff/developer/000-sleep.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 set -ex
 while true; do
    echo "Sleeping for 100 seconds..."
 done
--- a/tools/deployment/airskiff/developer/010-deploy-k8s.sh
+++ b/tools/deployment/airskiff/developer/010-deploy-k8s.sh
@ -25,7 +25,7 @@ if [ -n "${PROXY}" ]; then
 fi
 # Deploy K8s with Minikube
-: "${HELM_VERSION:="v3.13.2"}"
+: "${HELM_VERSION:="v3.15.4"}"
 : "${KUBE_VERSION:="v1.29.2"}"
 : "${MINIKUBE_VERSION:="v1.30.1"}"
 : "${CRICTL_VERSION:="v1.29.0"}"
--- a/tools/gate/playbooks/prepare-hosts.yaml
+++ b/tools/gate/playbooks/prepare-hosts.yaml
@ -14,4 +14,5 @@
 - hosts: all
  roles:
    - start-zuul-console
 ...
--- a/tools/gate/playbooks/roles/airship-run-script-set/defaults/main.yaml
+++ b/tools/gate/playbooks/roles/airship-run-script-set/defaults/main.yaml
@ -19,7 +19,7 @@ osh_params:
  container_distro_version: focal
  # feature_gates:
 site: airskiff
-HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
 HTK_COMMIT: 6ca83be78013446540b68fd28d0a75d5b2329f40
 OSH_INFRA_COMMIT: 6ca83be78013446540b68fd28d0a75d5b2329f40
 OSH_COMMIT: 176b412072969f982386db9560b6f50fcb7e0148
--- a/tools/gate/playbooks/roles/airship-run-script-set/tasks/main.yaml
+++ b/tools/gate/playbooks/roles/airship-run-script-set/tasks/main.yaml
@ -35,7 +35,7 @@
        FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"
        RUN_HELM_TESTS: "{{ run_helm_tests | default('yes') }}"
        PL_SITE: "{{ site | default('airskiff') }}"
-        HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz') }}"
+        HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz') }}"
        HTK_COMMIT: "{{ HTK_COMMIT | default('6ca83be78013446540b68fd28d0a75d5b2329f40') }}"
        OSH_INFRA_COMMIT: "{{ OSH_INFRA_COMMIT | default('6ca83be78013446540b68fd28d0a75d5b2329f40') }}"
        OSH_COMMIT: "{{ OSH_COMMIT | default('176b412072969f982386db9560b6f50fcb7e0148') }}"
--- a/tools/gate/playbooks/roles/airship-run-script/defaults/main.yaml
+++ b/tools/gate/playbooks/roles/airship-run-script/defaults/main.yaml
@ -19,7 +19,7 @@ osh_params:
  container_distro_version: focal
  # feature_gates:
 site: airskiff
-HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
+HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
 HTK_COMMIT: 6ca83be78013446540b68fd28d0a75d5b2329f40
 OSH_INFRA_COMMIT: 6ca83be78013446540b68fd28d0a75d5b2329f40
 OSH_COMMIT: 176b412072969f982386db9560b6f50fcb7e0148
--- a/tools/gate/playbooks/roles/airship-run-script/tasks/main.yaml
+++ b/tools/gate/playbooks/roles/airship-run-script/tasks/main.yaml
@ -32,7 +32,7 @@
    FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"
    RUN_HELM_TESTS: "{{ run_helm_tests | default('yes') }}"
    PL_SITE: "{{ site | default('airskiff') }}"
-    HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz') }}"
+    HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz') }}"
    HTK_COMMIT: "{{ HTK_COMMIT | default('6ca83be78013446540b68fd28d0a75d5b2329f40') }}"
    OSH_INFRA_COMMIT: "{{ OSH_INFRA_COMMIT | default('6ca83be78013446540b68fd28d0a75d5b2329f40') }}"
    OSH_COMMIT: "{{ OSH_COMMIT | default('176b412072969f982386db9560b6f50fcb7e0148') }}"