
Commit a29c1619 authored by Micah Nagel's avatar Micah Nagel :moneybag:

Merge branch 'velero1-10' into 'master'

Update Velero to 1.10.0

Closes platform-one/big-bang/apps/cluster-utilities/velero#40

See merge request platform-one/big-bang/bigbang!2367
parents 8fa55f03 84779cd2
1 merge request!2367Update Velero to 1.10.0
Pipeline #1254483 passed
......@@ -43,7 +43,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys
- registry1.dso.mil
- registry.dso.mil
{{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic)}}
{{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployNodeAgent)}}
allowedHostFilesystem:
parameters:
excludedResources:
......@@ -67,9 +67,9 @@ violations: # Try to keep this in alpha order to make it easier to find keys
# https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120
- logging/logging-promtail-.*
{{- end }}
{{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic }}
# Restic requires hostpath volume mount access in order to facilitate backing up cluster PV/C resources
- velero/restic-.*
{{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployNodeAgent }}
# NodeAgent requires hostpath volume mount access in order to facilitate backing up cluster PV/C resources
- velero/node-agent-.*
{{- end }}
{{- end }}
......@@ -160,7 +160,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys
{{- end }}
{{- end }}
{{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic) }}
{{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployNodeAgent) }}
volumeTypes:
parameters:
excludedResources:
......@@ -190,9 +190,9 @@ violations: # Try to keep this in alpha order to make it easier to find keys
- neuvector/neuvector-enforcer-pod.*
- neuvector/neuvector-controller-pod.*
{{- end }}
{{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic }}
# Restic requires hostpath volume mounts in order to facilitate backing up cluster PV/C resources
- velero/restic-.*
{{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployNodeAgent }}
# NodeAgent requires hostpath volume mounts in order to facilitate backing up cluster PV/C resources
- velero/node-agent-.*
{{- end }}
{{- end }}
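Review bot: The new exclusions `velero/node-agent-.*` (L37, L57) exempt from the hostPath and volume-type constraints every pod in the velero namespace whose name begins with `node-agent-`, not only the pods of the node-agent DaemonSet; since the `.*` suffix suggests an unanchored regex match, any workload placed in that namespace with a matching name prefix would inherit the same hostPath exemption, exactly as the previous `restic-.*` pattern did. If the matcher honours anchors, a tighter form such as `- ^velero/node-agent-[a-z0-9]{5}$` (the DaemonSet pod suffix) narrows the exemption to the generated pod names; otherwise I would at least extend the comment with `# NOTE: name-prefix match — any pod named node-agent-* in namespace velero is exempted`. The same prefix-based exemption is introduced by the `node-agent*` name globs in the kyverno-policies section of this commit (L85, L108, L137, L159, L182). Separately, the guards on L24 and L44 dereference `.Values.addons.velero.values.deployNodeAgent` directly, whereas the kyverno template in this commit wraps the lookup in `dig "deployNodeAgent" false ...`; if `addons.velero.values` can be rendered as nil the direct form fails the template render, so aligning on the `dig` form would make the two templates consistent.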
......
......@@ -6,7 +6,7 @@
{{- define "bigbang.defaults.kyvernopolicies" -}}
{{- $deployRestic := (and .Values.addons.velero.enabled (dig "deployRestic" false .Values.addons.velero.values)) }}
{{- $deployNodeAgent := (and .Values.addons.velero.enabled (dig "deployNodeAgent" false .Values.addons.velero.values)) }}
waitforready:
imagePullSecrets:
......@@ -264,17 +264,17 @@ policies:
require-non-root-group:
validationFailureAction: audit
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
{{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
exclude:
any:
{{- if $deployRestic }}
# Velero. The restic backup tool requires root group access to see the host's runtime pod directory which is
# mounted inside velero/restic pods.
{{- if $deployNodeAgent }}
# Velero. The node agent backup tool requires root group access to see the host's runtime pod directory which is
# mounted inside velero/node agent pods.
- resources:
namespaces:
- velero
names:
- restic*
- node-agent*
{{- end }}
{{- if .Values.twistlock.enabled }}
# Twistlock Defenders run as root to perform real time scanning on the nodes/cluster, including:
......@@ -326,17 +326,17 @@ policies:
excludeContainers:
- istio-init
{{- end }}
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
{{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
exclude:
any:
{{- if $deployRestic }}
# Velero. The restic backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/restic pods.
{{- if $deployNodeAgent }}
# Velero. The node agent backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/node agent pods.
- resources:
namespaces:
- velero
names:
- restic*
- node-agent*
{{- end }}
{{- if .Values.twistlock.enabled }}
# Twistlock Defenders run as root to perform real time scanning on the nodes/cluster, including:
......@@ -429,7 +429,7 @@ policies:
restrict-host-path-mount:
validationFailureAction: enforce
{{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployRestic }}
{{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployNodeAgent }}
exclude:
any:
{{- if or .Values.fluentbit.enabled .Values.promtail.enabled }}
......@@ -495,15 +495,15 @@ policies:
- neuvector-enforcer-pod*
- neuvector-controller-pod*
{{- end }}
{{- if $deployRestic }}
# Velero. The restic backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/restic pods. Since the host's pod runtime directory may expose sensitive information,
# it is better to exclude the restic pods than to add the path as allowable mounts
{{- if $deployNodeAgent }}
# Velero. The node agent backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/node agent pods. Since the host's pod runtime directory may expose sensitive information,
# it is better to exclude the node agent pods than to add the path as allowable mounts
- resources:
namespaces:
- velero
names:
- restic*
- node-agent*
{{- end }}
{{- end }}
......@@ -597,22 +597,22 @@ policies:
{{- end }}
{{- end }}
{{- if $deployRestic }}
{{- if $deployNodeAgent }}
restrict-user-id:
exclude:
any:
{{- if $deployRestic }}
# Velero. The restic backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/restic pods.
{{- if $deployNodeAgent }}
# Velero. The node agent backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/node agent pods.
- resources:
namespaces:
- velero
names:
- restic*
- node-agent*
{{- end }}
{{- end }}
{{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployRestic }}
{{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployNodeAgent }}
restrict-volume-types:
exclude:
any:
......@@ -660,14 +660,14 @@ policies:
- neuvector-enforcer-pod*
- neuvector-controller-pod*
{{- end }}
{{- if $deployRestic }}
# Velero. The restic backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/restic pods.
{{- if $deployNodeAgent }}
# Velero. The node agent backup tool requires root user access to the host's runtime pod directory which is
# mounted inside velero/node agent pods.
- resources:
namespaces:
- velero
names:
- restic*
- node-agent*
{{- end }}
{{- end }}
......
......@@ -57,7 +57,7 @@ initContainers:
{{- range .Values.addons.velero.plugins }}
{{- if eq . "aws" }}
- name: velero-plugin-for-aws
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.5.2
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.6.0
imagePullPolicy: {{ dig "image" "pullPolicy" "IfNotPresent" $.Values.addons.velero.values }}
volumeMounts:
- mountPath: /target
......@@ -76,7 +76,7 @@ initContainers:
{{- end }}
{{- if eq . "azure" }}
- name: velero-plugin-for-azure
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.5.2
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.6.0
imagePullPolicy: {{ dig "image" "pullPolicy" "IfNotPresent" $.Values.addons.velero.values }}
volumeMounts:
- mountPath: /target
......@@ -95,7 +95,7 @@ initContainers:
{{- end }}
{{- if eq . "csi" }}
- name: velero-plugin-for-csi
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.3.2
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.4.0
imagePullPolicy: {{ dig "image" "pullPolicy" "IfNotPresent" $.Values.addons.velero.values }}
volumeMounts:
- mountPath: /target
......
......@@ -1375,7 +1375,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
path: "./chart"
tag: "2.32.2-bb.0"
tag: "3.1.0-bb.0"
# -- Flux reconciliation overrides specifically for the Velero Package
flux: {}
......