feat(helm): update truenas group - abandoned

[repo-jeeves]

This PR contains the following updates:

Package	Update	Change
ingress-nginx	minor	4.11.3 -> 4.12.0
rook-ceph	minor	v1.15.7 -> v1.16.0
rook-ceph-cluster	minor	v1.15.7 -> v1.16.0

---

Release Notes

rook/rook (rook-ceph)

v1.16.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• Removed support for Ceph Quincy (v17) since it has reached end of life. Reef (v18) and Squid (v19) are the currently supported Ceph versions.
• Rook has removed CSI network "holder" pods. If there are pods named csi-plugin-holder- in the Rook operator namespace, see the detailed documentation to disable them before upgrading to v1.16.
• The minimum K8s version is increased to v1.27.

Features

• Ceph-CSI driver v3.13, including support for volume group snapshots, CephFS support for omap in rados namespaces, and other csi improvements.
• Enable mirroring for CephBlockPoolRadosNamespaces
• Enable periodic monitoring for CephBlockPoolRadosNamespaces mirroring if the statusCheck is enabled on the parent CephBlockPool.
• Allow migration of PVC based OSDs to enable or disable encryption.
• Support multiple instances of object stores to enable scenarios such as RGW instances with only admin-ops enabled.
• ObjectBucketClaim management of s3 bucket policy via the additionalConfig.bucketPolicy field (see #​15138).
• Object stores enable arbitrary command line parameters or ceph configuration settings.
• Enable RGW admin ops logs by enabling the opsLogSidecar in the gateway settings.
• Added support for K8s version v1.32.

[repo-jeeves]

--- kubernetes/staging/apps/networking/ingress-nginx/app Kustomization: flux-system/networking-ingress-nginx HelmRelease: networking/ingress-nginx

+++ kubernetes/staging/apps/networking/ingress-nginx/app Kustomization: flux-system/networking-ingress-nginx HelmRelease: networking/ingress-nginx

@@ -12,13 +12,13 @@

     spec:
       chart: ingress-nginx
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx-charts
         namespace: flux-system
-      version: 4.11.3
+      version: 4.12.0
   install:
     createNamespace: true
     remediation:
       retries: 3
   interval: 15m
   maxHistory: 3
--- kubernetes/staging/apps/rook-ceph/rook-ceph/operator Kustomization: flux-system/rook-ceph-operator HelmRelease: rook-ceph/rook-ceph-operator

+++ kubernetes/staging/apps/rook-ceph/rook-ceph/operator Kustomization: flux-system/rook-ceph-operator HelmRelease: rook-ceph/rook-ceph-operator

@@ -13,13 +13,13 @@

       chart: rook-ceph
       interval: 15m
       sourceRef:
         kind: HelmRepository
         name: rook-ceph-charts
         namespace: flux-system
-      version: v1.15.7
+      version: v1.16.0
   install:
     crds: CreateReplace
     createNamespace: true
     remediation:
       retries: 3
   interval: 15m
--- kubernetes/staging/apps/rook-ceph/rook-ceph/cluster Kustomization: flux-system/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

+++ kubernetes/staging/apps/rook-ceph/rook-ceph/cluster Kustomization: flux-system/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

@@ -13,13 +13,13 @@

       chart: rook-ceph-cluster
       interval: 15m
       sourceRef:
         kind: HelmRepository
         name: rook-ceph-charts
         namespace: flux-system
-      version: v1.15.7
+      version: v1.16.0
   install:
     createNamespace: true
     remediation:
       retries: 5
   interval: 15m
   maxHistory: 3

[repo-jeeves]

--- HelmRelease: networking/ingress-nginx Deployment: networking/ingress-nginx-controller

+++ HelmRelease: networking/ingress-nginx Deployment: networking/ingress-nginx-controller

@@ -30,13 +30,13 @@

         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: controller
     spec:
       dnsPolicy: ClusterFirst
       containers:
       - name: controller
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
             exec:
               command:
               - /wait-shutdown
@@ -47,16 +47,18 @@

         - --controller-class=k8s.io/ingress-nginx
         - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
+        - --enable-metrics=true
         - --default-ssl-certificate=networking/wildcard-tls
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
+          runAsGroup: 82
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
           capabilities:
             drop:
             - ALL
--- HelmRelease: networking/ingress-nginx ServiceMonitor: networking/ingress-nginx-controller

+++ HelmRelease: networking/ingress-nginx ServiceMonitor: networking/ingress-nginx-controller

@@ -8,17 +8,17 @@

     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
 spec:
-  endpoints:
-  - port: metrics
-    interval: 30s
   namespaceSelector:
     any: true
   selector:
     matchLabels:
       app.kubernetes.io/name: ingress-nginx
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
+  endpoints:
+  - port: metrics
+    interval: 30s
 
--- HelmRelease: networking/ingress-nginx Job: networking/ingress-nginx-admission-create

+++ HelmRelease: networking/ingress-nginx Job: networking/ingress-nginx-admission-create

@@ -23,13 +23,13 @@

         app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
       - name: create
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
         imagePullPolicy: IfNotPresent
         args:
         - create
         - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
         - --namespace=$(POD_NAMESPACE)
         - --secret-name=ingress-nginx-admission
@@ -41,12 +41,13 @@

         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
--- HelmRelease: networking/ingress-nginx Job: networking/ingress-nginx-admission-patch

+++ HelmRelease: networking/ingress-nginx Job: networking/ingress-nginx-admission-patch

@@ -23,13 +23,13 @@

         app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
       - name: patch
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
         imagePullPolicy: IfNotPresent
         args:
         - patch
         - --webhook-name=ingress-nginx-admission
         - --namespace=$(POD_NAMESPACE)
         - --patch-mutating=false
@@ -43,12 +43,13 @@

         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
--- HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

+++ HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

@@ -17,29 +17,28 @@

   CSI_ENABLE_NFS_SNAPSHOTTER: 'true'
   CSI_ENABLE_RBD_SNAPSHOTTER: 'true'
   CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: 'false'
   CSI_ENABLE_ENCRYPTION: 'false'
   CSI_ENABLE_OMAP_GENERATOR: 'false'
   CSI_ENABLE_HOST_NETWORK: 'true'
-  CSI_DISABLE_HOLDER_PODS: 'true'
   CSI_ENABLE_METADATA: 'false'
   CSI_ENABLE_VOLUME_GROUP_SNAPSHOT: 'false'
   CSI_PLUGIN_PRIORITY_CLASSNAME: system-node-critical
   CSI_PROVISIONER_PRIORITY_CLASSNAME: system-cluster-critical
   CSI_RBD_FSGROUPPOLICY: File
   CSI_CEPHFS_FSGROUPPOLICY: File
   CSI_NFS_FSGROUPPOLICY: File
-  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.12.3
+  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.13.0
   ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
   ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
   ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
   ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.6.1
   ROOK_CSI_RESIZER_IMAGE: registry.k8s.io/sig-storage/csi-resizer:v1.11.1
   ROOK_CSI_IMAGE_PULL_POLICY: IfNotPresent
   CSI_ENABLE_CSIADDONS: 'false'
-  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.9.1
+  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.11.0
   CSI_ENABLE_TOPOLOGY: 'false'
   ROOK_CSI_ENABLE_NFS: 'false'
   CSI_ENABLE_LIVENESS: 'true'
   CSI_FORCE_CEPHFS_KERNEL_CLIENT: 'true'
   CSI_GRPC_TIMEOUT_SECONDS: '150'
   CSI_PROVISIONER_REPLICAS: '2'
--- HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

+++ HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

@@ -26,13 +26,13 @@

       - effect: NoExecute
         key: node.kubernetes.io/unreachable
         operator: Exists
         tolerationSeconds: 5
       containers:
       - name: rook-ceph-operator
-        image: docker.io/rook/ceph:v1.15.7
+        image: docker.io/rook/ceph:v1.16.0
         imagePullPolicy: IfNotPresent
         args:
         - ceph
         - operator
         securityContext:
           capabilities:

[repo-jeeves]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ COPYPASTE	jscpd	yes		no	1.08s
✅ REPOSITORY	git_diff	yes		no	0.04s
✅ REPOSITORY	secretlint	yes		no	3.13s
✅ YAML	prettier	3		0	0.6s
✅ YAML	yamllint	3		0	0.43s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by

[repo-jeeves]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.