Merge branch 'main' into ci-update-prometheus-blackbox-exporter-to-11.9.1

svcAPLBot · web-flow · commit c9b1f3bdea6f · 2026-04-01T11:53:11.000+02:00
diff --git a/charts/apl-harbor-operator/Chart.yaml b/charts/apl-harbor-operator/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.16.0"
diff --git a/charts/apl-harbor-operator/templates/deployment.yaml b/charts/apl-harbor-operator/templates/deployment.yaml
@@ -17,6 +17,9 @@ spec:
       {{- end }}
       labels:
         {{- include "apl-harbor-operator.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
diff --git a/charts/apl-harbor-operator/values.yaml b/charts/apl-harbor-operator/values.yaml
@@ -20,6 +20,8 @@ serviceAccount:
   name: "apl-harbor-operator"
   annotations: {}
 
+podLabels: {}
+
 podAnnotations: {}
 
 podSecurityContext:
diff --git a/charts/kubeflow-pipelines/templates/ml-pipeline-ui/deployment.yaml b/charts/kubeflow-pipelines/templates/ml-pipeline-ui/deployment.yaml
@@ -14,9 +14,13 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
-      labels: {{- include "kfp.labels" . | nindent 8 }}
+      labels:
+        {{- include "kfp.labels" . | nindent 8 }}
         app: ml-pipeline-ui
         application-crd-id: kubeflow-pipelines
+        {{- with .Values.mlPipelineUi.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       containers:
       - env:
diff --git a/charts/kubeflow-pipelines/values.yaml b/charts/kubeflow-pipelines/values.yaml
@@ -40,6 +40,7 @@ mlPipelineScheduledworkflow:
   resources: {}
 
 mlPipelineUi:
+  podLabels: {}
   resources: {}
 
 mlPipelineViewer:
diff --git a/charts/team-ns/templates/servicemonitors/service-monitors.yaml b/charts/team-ns/templates/servicemonitors/service-monitors.yaml
@@ -17,6 +17,9 @@ spec:
   - enableHttp2: true
     path: /metrics
     port: http-web
+    relabelings:
+      - targetLabel: __address__
+        replacement: {{ $v.teamId }}-po-alertmanager.{{ $ns }}.svc.cluster.local:9093
   namespaceSelector:
     matchNames:
     - team-{{ $v.teamId }}
@@ -40,6 +43,9 @@ spec:
     port: http-web
     scheme: http
     scrapeTimeout: 30s
+    relabelings:
+      - targetLabel: __address__
+        replacement: {{ $v.teamId }}-po-grafana.{{ $ns }}.svc.cluster.local:80
   namespaceSelector:
     matchNames:
     - team-{{ $v.teamId }}
@@ -49,4 +55,4 @@ spec:
       app.kubernetes.io/instance: prometheus-{{ $v.teamId }}
 {{- end }}
 ---
-{{- end }}
+{{- end }}
diff --git a/core.yaml b/core.yaml
@@ -58,6 +58,8 @@ k8s:
     - name: kyverno
       app: kyverno
       disableIstioInjection: true
+    - name: tekton-dashboard
+      app: tekton-pipelines
     - name: tekton-pipelines
       disableIstioInjection: true
       disablePolicyChecks: true
@@ -210,7 +212,7 @@ adminApps:
     path: /#/namespaces/team-admin/pipelineruns
     ingress:
       - svc: tekton-dashboard
-        namespace: tekton-pipelines
+        namespace: tekton-dashboard
         port: 9097
         type: public
         auth: true
diff --git a/helmfile.d/helmfile-04.init.yaml.gotmpl b/helmfile.d/helmfile-04.init.yaml.gotmpl
@@ -91,15 +91,15 @@ releases:
     <<: *raw
   - name: tekton-dashboard
     installed: {{ $a | get "tekton.enabled" }}
-    namespace: tekton-pipelines
+    namespace: tekton-dashboard
     labels:
       pkg: tekton-pipelines
     chart: ../charts/tekton-dashboard
     values:
       - ../values/tekton-dashboard/tekton-dashboard.gotmpl
   - name: tekton-dashboard-artifacts
     installed: {{ $a | get "tekton.enabled" }}
-    namespace: tekton-pipelines
+    namespace: tekton-dashboard
     labels:
       pkg: tekton-pipelines
     <<: *raw
diff --git a/helmfile.d/helmfile-08.init.yaml.gotmpl b/helmfile.d/helmfile-08.init.yaml.gotmpl
@@ -32,5 +32,8 @@ releases:
       - alertmanager: {{- $a | get "alertmanager._rawValues" dict | toYaml | nindent 10 }}
         grafana: {{- $a | get "grafana._rawValues" dict | toYaml | nindent 10 }}
         extraManifests:
-          - {{ tpl (readFile "snippets/authpolicy.gotmpl") (dict "prefix" "monitoring" "gatewayName" $v.ingress.platformClass.className "hosts" $hosts) | nindent 12 }}
+          - {{ tpl (readFile "snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" "monitoring" "gatewayName" $v.ingress.platformClass.className "hosts" $hosts) | nindent 12 }}
+          - {{ tpl (readFile "snippets/authpolicy-jwt.gotmpl") (dict "name" "prometheus" "excludeNamespaces" (list "grafana" "monitoring" "team-*")) | nindent 12 }}
+          - {{ tpl (readFile "snippets/authpolicy-jwt.gotmpl") (dict "name" "monitoring" "excludeAccount" "monitoring/po-prometheus") | nindent 12 }}
+          - {{ tpl (readFile "snippets/authpolicy-jwt.gotmpl") (dict "name" "monitoring" "namespace" "grafana" "excludeAccount" "monitoring/po-prometheus") | nindent 12 }}
           - {{ tpl (readFile "snippets/serviceentry.gotmpl") (dict "name" "monitoring" "hosts" $hosts) | nindent 12 }}
diff --git a/helmfile.d/helmfile-60.teams.yaml.gotmpl b/helmfile.d/helmfile-60.teams.yaml.gotmpl
@@ -67,17 +67,12 @@ releases:
                     kind: Service
                     name: {{ $teamId }}-tekton-dashboard
                     port: 9097
-                  filters:
-                  - type: RequestHeaderModifier
-                    requestHeaderModifier:
-                      remove:
-                      - authorization
                   matches:
                   - path:
                       type: PathPrefix
                       value: /
                 {{- $httpRoute.authRules | toYaml | nindent 16 }}
-          - {{ tpl (readFile "../helmfile.d/snippets/authpolicy.gotmpl") (dict "prefix" (print "tekton-" $teamId) "gatewayName" $gatewayName "host" $tektonHostname) | nindent 12 }}
+          - {{ tpl (readFile "../helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" (print "tekton-" $teamId) "gatewayName" $gatewayName "host" $tektonHostname) | nindent 12 }}
           - {{ tpl (readFile "../helmfile.d/snippets/serviceentry.gotmpl") (dict "name" (print "tekton-" $teamId) "host" $tektonHostname) | nindent 12 }}
   - name: prometheus-{{ $teamId }}
     installed: {{ or ($teamSettings | get "managedMonitoring.grafana" false) ($teamSettings | get "managedMonitoring.alertmanager" false) }}
@@ -97,13 +92,11 @@ releases:
           namespaceOverride: null
           alertmanagerSpec:
             externalUrl: "https://{{ $alertmanagerHostname }}"
-            podMetadata:
-              annotations:
-                sidecar.istio.io/inject: "true"
-              labels:
-                prometheus: system
             resources:
               {{- $teamApps.alertmanager.resources | toYaml | nindent 14 }}
+            podMetadata:
+              labels:
+                otomi.io/auth-policy: monitoring-{{ $teamId }}
           # to do: load slackTpl and opsgenieTpl only if alerts.receicers = true
           config: {{- tpl (readFile "../helmfile.d/snippets/alertmanager-teams.gotmpl") (dict "instance" $teamSettings "root" $v "slackTpl" $slackTpl "opsgenieTpl" $opsgenieTpl) | nindent 12 }}
           route:
@@ -169,8 +162,11 @@ releases:
               basicAuthUser: {{ $teamId }}
               secureJsonData:
                 basicAuthPassword: {{ $teamSettings.password | quote }}
+          podLabels:
+            otomi.io/auth-policy: monitoring-{{ $teamId }}
         extraManifests:
-          - {{ tpl (readFile "../helmfile.d/snippets/authpolicy.gotmpl") (dict "prefix" (print "monitoring-" $teamId) "gatewayName" $gatewayName "hosts" (list $alertmanagerHostname $grafanaHostname)) | nindent 12 }}
+          - {{ tpl (readFile "../helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" (print "monitoring-" $teamId) "gatewayName" $gatewayName "hosts" (list $alertmanagerHostname $grafanaHostname)) | nindent 12 }}
+          - {{ tpl (readFile "../helmfile.d/snippets/authpolicy-jwt.gotmpl") (dict "name" (print "monitoring-" $teamId) "excludeNamespace" (print "team-" $teamId) "excludeAccount" "monitoring/po-prometheus") | nindent 12 }}
           - {{ tpl (readFile "../helmfile.d/snippets/serviceentry.gotmpl") (dict "name" (print "monitoring-" $teamId) "hosts" (list $alertmanagerHostname $grafanaHostname)) | nindent 12 }}
     {{- if has "msteams" ($teamSettings | get "alerts.receivers" list) }}
   - name: prometheus-msteams-{{ $teamId }}
diff --git a/helmfile.d/snippets/authpolicy-jwt.gotmpl b/helmfile.d/snippets/authpolicy-jwt.gotmpl
@@ -0,0 +1,44 @@
+{{- $v := . }}
+{{- $excludeNamespaces := $v | get "excludeNamespaces" list }}
+{{- with $v | get "excludeNamespace" nil }}
+{{- $excludeNamespaces = append $excludeNamespaces . }}
+{{- end }}
+{{- $excludeAccounts := $v | get "excludeAccounts" list }}
+{{- with $v | get "excludeAccount" nil }}
+{{- $excludeAccounts = append $excludeAccounts . }}
+{{- end }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ $v.name }}-auth-require-jwt
+  {{- with $v | get "namespace" nil }}
+  namespace: {{ . }}
+  {{- end }}
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      otomi.io/auth-policy: {{ $v.name }}
+  rules:
+    - from:
+        {{- /* Allow requests with a valid JWT token, which can be provided by OAuth2-Proxy */}}
+        - source:
+            requestPrincipals: ["*"]
+        {{- /* Optionally in addition allow requests from select namespaces */}}
+        {{- with $excludeNamespaces }}
+        - source:
+            namespaces:
+              {{- toYaml . | nindent 14 }}
+        {{- end }}
+        {{- with $excludeAccounts }}
+        - source:
+            serviceAccounts:
+              {{- toYaml . | nindent 14 }}
+        {{- end }}
+    {{- with $v | get "excludePaths" list }}
+    - to:
+        {{- /* Optionally exempt certain paths from checks */}}
+        - operation:
+            paths:
+              {{- toYaml . | nindent 14 }}
+    {{- end }}
diff --git a/helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl b/helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl
@@ -28,6 +28,6 @@ spec:
             notPaths:
               - "/oauth2/*"
               - "/platform-logout"
-            {{- range $path := ($v | get "exclusionPaths" list) }}
+            {{- range $path := ($v | get "excludePaths" list) }}
               - {{ $path | quote }}
             {{- end }}
diff --git a/helmfile.d/snippets/derived.gotmpl b/helmfile.d/snippets/derived.gotmpl
@@ -26,7 +26,7 @@
 {{- $keycloakBaseUrl := printf "https://keycloak.%s" $domainSuffix }}
 {{- $oidcBaseUrl := printf "%s/realms/otomi" $keycloakBaseUrl }}
 {{- $oidcWellKnownUrl := printf "%s/.well-known/openid-configuration" $oidcBaseUrl }}
-{{- $oidcBaseUrlBackchannel := "http://keycloak-keycloakx-http.keycloak/realms/otomi" }}
+{{- $oidcBaseUrlBackchannel := "http://keycloak-keycloakx-http.keycloak:8080/realms/otomi" }}
 {{- $oidcWellKnownBackchannel := printf "%s/.well-known/openid-configuration" $oidcBaseUrlBackchannel }}
 {{- $tlsSecretName := "otomi-cert-manager-wildcard-cert" }}
 {{- if eq $cm.issuer "externally-managed-tls-secret" }}
diff --git a/src/cmd/apply-as-apps.ts b/src/cmd/apply-as-apps.ts
@@ -198,7 +198,7 @@ const setFinalizers = async (name: string) => {
   }
 }
 
-const getFinalizers = async (name: string): Promise<string[]> => {
+const getFinalizers = async (name: string): Promise<string[] | undefined> => {
   try {
     const response = await getCustomApi().getNamespacedCustomObject({
       ...ARGOCD_APP_PARAMS,
@@ -207,6 +207,9 @@ const getFinalizers = async (name: string): Promise<string[]> => {
     const app = response.body as any
     return Array.isArray(app.metadata?.finalizers) ? app.metadata.finalizers : []
   } catch (error) {
+    if (error instanceof ApiException && error.code === 404) {
+      return undefined
+    }
     d.warn(`Failed to get finalizers for ${name}: ${error}`)
     return []
   }
@@ -215,6 +218,9 @@ const getFinalizers = async (name: string): Promise<string[]> => {
 export const removeApplication = async (name: string): Promise<void> => {
   try {
     const finalizers = await getFinalizers(name)
+    if (finalizers === undefined) {
+      return
+    }
     if (!finalizers.includes('resources-finalizer.argocd.argoproj.io')) {
       await setFinalizers(name)
     }
@@ -224,7 +230,9 @@ export const removeApplication = async (name: string): Promise<void> => {
     })
     d.info(`Deleted application ${name}`)
   } catch (e) {
-    d.error(`Failed to delete application ${name}: ${e.message}`)
+    if (!(e instanceof ApiException && e.code === 404)) {
+      d.error(`Failed to delete application ${name}: ${e.message}`)
+    }
   }
 }
 
diff --git a/src/common/runtime-upgrades/ingress-resource-pre-migration.ts b/src/common/runtime-upgrades/ingress-resource-pre-migration.ts
@@ -6,6 +6,7 @@ import { logLevelString, terminal } from '../debug'
 import { loadYaml, rootDir } from '../utils'
 import { RuntimeUpgradeContext } from './runtime-upgrades'
 import { ApiException } from '@kubernetes/client-node'
+import { removeApplication } from '../../cmd/apply-as-apps'
 
 const PLATFORM_LB_SERVICE = 'ingress-nginx-platform-controller'
 const PLATFORM_LB_NAMESPACE = 'ingress'
@@ -93,3 +94,9 @@ export async function syncIngressNginxService(context: RuntimeUpgradeContext): P
   d.info('Removing LoadBalancer service')
   await removeIngressService()
 }
+
+export async function removeTektonDashboardApp(context: RuntimeUpgradeContext) {
+  const d = context.debug
+  d.info('Removing Tekton Dashboard application from tekton-pipelines namespace')
+  await removeApplication('tekton-pipelines-tekton-dashboard')
+}
diff --git a/src/common/runtime-upgrades/runtime-upgrades.ts b/src/common/runtime-upgrades/runtime-upgrades.ts
@@ -2,7 +2,7 @@ import { ApiException, PatchStrategy, setHeaderOptions } from '@kubernetes/clien
 import { OtomiDebugger } from '../debug'
 import { applyServerSide, k8s, restartOtomiApiDeployment } from '../k8s'
 import { getParsedArgs } from '../yargs'
-import { syncIngressNginxService } from './add-linode-nb-annotations'
+import { removeTektonDashboardApp, syncIngressNginxService } from './ingress-resource-pre-migration'
 import { updateDbCollation } from './cloudnative-pg'
 import { migrateGitConfig } from './migrate-git-config'
 import { removeHttpBinApplication } from './remove-httpbin-application'
@@ -170,6 +170,7 @@ export const runtimeUpgrades: RuntimeUpgrades = [
     version: '4.16.0',
     pre: async (context: RuntimeUpgradeContext) => {
       await syncIngressNginxService(context)
+      await removeTektonDashboardApp(context)
     },
   },
 ]
diff --git a/values/apl-harbor-operator/apl-harbor-operator.gotmpl b/values/apl-harbor-operator/apl-harbor-operator.gotmpl
@@ -14,6 +14,13 @@ imagePullSecrets:
   - name: otomi-pullsecret-global
 {{- end }}
 
+podLabels:
+  {{- if $v.apps.istio.defaultRevision }}
+  istio.io/rev: {{ $v.apps.istio.defaultRevision | quote }}
+  {{- else }}
+  sidecar.istio.io/inject: "true"
+  {{- end }}
+
 resources: {{- toYaml $o.resources.operator | nindent 2 }}
 
 env:
diff --git a/values/argocd/argocd.gotmpl b/values/argocd/argocd.gotmpl
@@ -89,6 +89,9 @@ server:
       {{- $httpRoute.parentRefs | toYaml | nindent 6 }}
     hostnames:
       - {{ $hostname }}
+  podLabels:
+    otomi.io/auth: platform
+    otomi.io/auth-policy: platform
 
 configs:
   # General Argo CD configuration
@@ -282,5 +285,5 @@ extraObjects:
                   type: ReplaceFullPath
                   replaceFullPath: /platform-logout
                 statusCode: 302
-  - {{ tpl (readFile "../../helmfile.d/snippets/authpolicy.gotmpl") (dict "prefix" "argocd" "gatewayName" $v.ingress.platformClass.className "host" $hostname) | nindent 4 }}
+  - {{ tpl (readFile "../../helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" "argocd" "gatewayName" $v.ingress.platformClass.className "host" $hostname) | nindent 4 }}
   - {{ tpl (readFile "../../helmfile.d/snippets/serviceentry.gotmpl") (dict "name" "argocd" "host" $hostname) | nindent 4 }}
diff --git a/values/harbor/harbor-raw.gotmpl b/values/harbor/harbor-raw.gotmpl
@@ -104,5 +104,5 @@ resources:
     {{- $httpRoute.parentRefs | toYaml | nindent 4 }}
     rules:
     {{- $httpRoute.authRules | toYaml | nindent 4 }}
-- {{ tpl (readFile "../../helmfile.d/snippets/authpolicy.gotmpl") (dict "prefix" "harbor" "gatewayName" $v.ingress.platformClass.className "host" $harborDomain "exclusionPaths" (list "/v2/*" "/service/*")) | nindent 2 }}
+- {{ tpl (readFile "../../helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" "harbor" "gatewayName" $v.ingress.platformClass.className "host" $harborDomain "excludePaths" (list "/v2/*" "/service/*" "/api/*" "/c/*")) | nindent 2 }}
 - {{ tpl (readFile "../../helmfile.d/snippets/serviceentry.gotmpl") (dict "name" "harbor" "host" $harborDomain) | nindent 2 }}
diff --git a/values/harbor/harbor.gotmpl b/values/harbor/harbor.gotmpl
@@ -153,6 +153,9 @@ portal:
     repository: "{{- $v.otomi.linodeLkeImageRepository }}/docker/goharbor/harbor-portal"
   {{- end }}
   resources: {{- $h.resources.portal | toYaml | nindent 4 }}
+  podLabels:
+    otomi.io/auth: platform
+    otomi.io/auth-policy: platform
 
 redis:
   internal:
diff --git a/values/istiod/istiod.gotmpl b/values/istiod/istiod.gotmpl
@@ -77,6 +77,7 @@ meshConfig:
 
 env:
   PILOT_ENABLE_ALPHA_GATEWAY_API: "true"
+  PILOT_JWT_PUB_KEY_REFRESH_INTERVAL: "1m"
 
 gatewayClasses:
   istio:
diff --git a/values/kubeflow-pipelines/kubeflow-pipelines-raw.gotmpl b/values/kubeflow-pipelines/kubeflow-pipelines-raw.gotmpl
@@ -46,5 +46,5 @@ resources:
                 type: PathPrefix
                 value: /
         {{- $httpRoute.authRules | toYaml | nindent 8 }}
-  - {{ tpl (readFile "../../helmfile.d/snippets/authpolicy.gotmpl") (dict "prefix" "kubeflow-pipelines" "gatewayName" $v.ingress.platformClass.className "host" $hostname) | nindent 4 }}
+  - {{ tpl (readFile "../../helmfile.d/snippets/authpolicy-oauth2-ext.gotmpl") (dict "prefix" "kubeflow-pipelines" "gatewayName" $v.ingress.platformClass.className "host" $hostname) | nindent 4 }}
   - {{ tpl (readFile "../../helmfile.d/snippets/serviceentry.gotmpl") (dict "name" "kubeflow-pipelines" "host" $hostname) | nindent 4 }}
diff --git a/values/kubeflow-pipelines/kubeflow-pipelines.gotmpl b/values/kubeflow-pipelines/kubeflow-pipelines.gotmpl
@@ -46,6 +46,14 @@ mlPipelineScheduledworkflow:
 
 mlPipelineUi:
   resources: {{- $kfp.resources.mlPipelineUi | toYaml | nindent 4 }}
+  podLabels:
+    otomi.io/auth: platform
+    otomi.io/auth-policy: platform
+    {{- if $v.apps.istio.defaultRevision }}
+    istio.io/rev: {{ $v.apps.istio.defaultRevision | quote }}
+    {{- else }}
+    sidecar.istio.io/inject: "true"
+    {{- end }}
 
 mlPipelineViewer:
   resources: {{- $kfp.resources.mlPipelineViewer | toYaml | nindent 4 }}
diff --git a/values/kubernetes-gateways/kubernetes-gateways-raw.gotmpl b/values/kubernetes-gateways/kubernetes-gateways-raw.gotmpl
diff --git a/values/otomi-api/otomi-api.gotmpl b/values/otomi-api/otomi-api.gotmpl
diff --git a/values/otomi-console/otomi-console.gotmpl b/values/otomi-console/otomi-console.gotmpl
diff --git a/values/prometheus-operator/prometheus-operator.gotmpl b/values/prometheus-operator/prometheus-operator.gotmpl
diff --git a/values/prometheus-operator/service-monitors.gotmpl b/values/prometheus-operator/service-monitors.gotmpl
diff --git a/values/tekton-dashboard/tekton-dashboard-raw.gotmpl b/values/tekton-dashboard/tekton-dashboard-raw.gotmpl
diff --git a/values/tekton-dashboard/tekton-dashboard-teams.gotmpl b/values/tekton-dashboard/tekton-dashboard-teams.gotmpl
diff --git a/values/tekton-dashboard/tekton-dashboard.gotmpl b/values/tekton-dashboard/tekton-dashboard.gotmpl
