alpha to beta

cluster/config-defaults.yaml

@@ -945,9 +945,6 @@ enable_default_sa: "false"
 vm_dirty_background_bytes: "67108864"
 vm_dirty_bytes: "134217728"
 
-# Option to Enable FeatureGate TopologyAwareHints
-enable_topology_aware_hints: "false"
-
 # Enable FeatureGate HPAScaleToZero
 enable_hpa_scale_to_zero: "true"
 
@@ -1133,7 +1130,11 @@ open_sg_ingress_ranges: ""
 
 # Each DNS label (subdomain) can be 63 octets or less (https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4)
 # This custom value sets the subdomain max allowed length taking into consideration the 'cname-' prefix added by external-dns
+{{ if eq .Cluster.Alias "stups-test" }}
+subdomain_max_length: "100"
+{{ else }}
 subdomain_max_length: "57"
+{{ end }}
 
 # Network monitoring
 network_monitoring_enabled: "false"

cluster/manifests/04-ebs-csi/controller.yaml

@@ -160,7 +160,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-29
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.15.0-eks-1-32-14-master-30
           args:
             - --csi-address=/csi/csi.sock
           resources:

cluster/manifests/04-ebs-csi/node.yaml

@@ -114,7 +114,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-29
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.15.0-eks-1-32-14-master-30
           args:
             - --csi-address=/csi/csi.sock
           volumeMounts:

cluster/manifests/cluster-lifecycle-controller/deployment.yaml

@@ -29,7 +29,7 @@ spec:
       serviceAccountName: cluster-lifecycle-controller
       containers:
       - name: cluster-lifecycle-controller
-        image: container-registry.zalando.net/teapot/cluster-lifecycle-controller:master-52
+        image: container-registry.zalando.net/teapot/cluster-lifecycle-controller:master-54
         args:
             - --drain-grace-period={{.Cluster.ConfigItems.drain_grace_period}}
             - --drain-min-pod-lifetime={{.Cluster.ConfigItems.drain_min_pod_lifetime}}

cluster/manifests/deployment-service/controller-statefulset.yaml

@@ -29,7 +29,7 @@ spec:
       terminationGracePeriodSeconds: 300
       containers:
         - name: "deployment-service-controller"
-          image: "container-registry.zalando.net/teapot/deployment-controller:master-254"
+          image: "container-registry.zalando.net/teapot/deployment-controller:master-256"
           args:
             - "--config-namespace=kube-system"
             - "--decrypt-kms-alias-arn=arn:aws:kms:{{ .Cluster.Region }}:{{ .Cluster.InfrastructureAccount | getAWSAccountID }}:alias/deployment-secret"

cluster/manifests/fabric-gateway/deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-330" }}
+# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-331" }}
 # {{ $version := index (split $image ":") 1 }}
 apiVersion: apps/v1
 kind: Deployment

cluster/manifests/kube-proxy/configmap.yaml

@@ -23,7 +23,6 @@ data:
       tcpEstablishedTimeout: 24h0m0s
     enableProfiling: false
     featureGates:
-      TopologyAwareHints: {{ .Cluster.ConfigItems.enable_topology_aware_hints }}
       SizeMemoryBackedVolumes: {{ .Cluster.ConfigItems.enable_size_memory_backed_volumes }}
 {{- if eq .Cluster.ConfigItems.enable_image_volumes "true" }}
       ImageVolume: true

cluster/manifests/kubernetes-lifecycle-metrics/deployment.yaml

@@ -32,7 +32,7 @@ spec:
       serviceAccountName: kubernetes-lifecycle-metrics
       containers:
         - name: kubernetes-lifecycle-metrics
-          image: "container-registry.zalando.net/teapot/kubernetes-lifecycle-metrics:master-34"
+          image: "container-registry.zalando.net/teapot/kubernetes-lifecycle-metrics:master-36"
           ports:
             - containerPort: 9090
               protocol: TCP

cluster/manifests/role-sync-controller/cronjob.yaml

@@ -33,7 +33,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: role-sync-controller
-            image: container-registry.zalando.net/teapot/role-sync-controller:main-11
+            image: container-registry.zalando.net/teapot/role-sync-controller:main-13
             args:
               - --subject-group=PowerUser
               - --subject-group=Manual

cluster/manifests/skipper/deployment.yaml

@@ -1,7 +1,7 @@
 {{/* image-updater-bot detects *image variables so use print to disable it for main image */}}
 
 {{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.22.43-1150" }}
-{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.22.43-1150" }}
+{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.22.52-1159" }}
 
 {{/* Optional canary arguments separated by "[cf724afc]" to allow whitespaces, e.g. "-foo=has a whitespace[cf724afc]-baz=qux" */}}
 {{ $canary_args := "" }}

cluster/manifests/wiz/002-connector-broker-serviceaccount.yaml

@@ -8,7 +8,7 @@ metadata:
   name: wiz-broker
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-broker-2.3.8
     application: "wiz"
     component: "connector"
 ---
@@ -19,7 +19,7 @@ metadata:
   name: wiz-cluster-reader
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
 {{end}}

cluster/manifests/wiz/002-connector-job-serviceaccount.yaml

@@ -7,7 +7,7 @@ metadata:
   name: wiz-auto-modify-connector
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
-{{ end }}
+{{ end }}

cluster/manifests/wiz/002-sensor-serviceaccount.yaml

@@ -7,7 +7,7 @@ metadata:
   name: wiz-sensor
   namespace: wiz
   labels:
-    helm.sh/chart: wiz-sensor-1.0.4760
+    helm.sh/chart: wiz-sensor-1.0.6440
     application: "wiz"
     component: "connector"
 {{end}}

cluster/manifests/wiz/003-connector-broker-clusterrole.yaml

@@ -8,7 +8,7 @@ kind: ClusterRoleBinding
 metadata:
   name: wiz-cluster-reader
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
 roleRef:

cluster/manifests/wiz/003-connector-job-role.yaml

@@ -7,7 +7,7 @@ metadata:
   name: wiz-auto-modify-connector
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
 rules:
@@ -29,7 +29,7 @@ metadata:
   name: wiz-auto-modify-connector
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
 roleRef:

cluster/manifests/wiz/003-sensor-clusterrole.yaml

@@ -6,7 +6,7 @@ kind: ClusterRole
 metadata:
   name: wiz-sensor
   labels:
-    helm.sh/chart: wiz-sensor-1.0.4760
+    helm.sh/chart: wiz-sensor-1.0.6440
     application: "wiz"
     component: "sensor"
 rules:
@@ -28,7 +28,7 @@ kind: ClusterRoleBinding
 metadata:
   name: wiz-sensor
   labels:
-    helm.sh/chart: wiz-sensor-1.0.4760
+    helm.sh/chart: wiz-sensor-1.0.6440
     application: "wiz"
     component: "sensor"
 subjects:

cluster/manifests/wiz/004-connector-broker-secrets.yaml

@@ -9,7 +9,7 @@ metadata:
   name: wiz-connector-connector
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
 type: Opaque
@@ -25,21 +25,21 @@ metadata:
   name: wiz-cluster-reader-token
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
   annotations:
     kubernetes.io/service-account.name: wiz-cluster-reader
 type: kubernetes.io/service-account-token
 ---
-# Source: wiz-sensor/templates/apikeysecret.yaml
+# Source: wiz-sensor/templates/secrets-wiz-api-token.yaml
 apiVersion: v1
 kind: Secret
 metadata:
   name: wiz-api-token
   namespace: wiz
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-integration-0.2.91
     application: "wiz"
     component: "connector"
 type: Opaque

cluster/manifests/wiz/004-sensor-secrets.yaml

@@ -1,13 +1,13 @@
 {{ if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true"}}
 ---
-# Source: wiz-sensor/templates/apikeysecret.yaml
+# Source: wiz-sensor/templates/secrets-wiz-api-token.yaml
 apiVersion: v1
 kind: Secret
 metadata:
   name: wiz-sensor-apikey
   namespace: wiz
   labels:
-    helm.sh/chart: wiz-sensor-1.0.4760
+    helm.sh/chart: wiz-kubernetes-integration-0.2.91
     application: "wiz"
     component: "sensor"
 type: Opaque

cluster/manifests/wiz/005-connector-job.yaml

@@ -7,7 +7,7 @@ metadata:
   name: wiz-kubernetes-connector-create-connector
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-kubernetes-connector-3.3.11
     application: "wiz"
     component: "connector"
     job: "wiz-connector-agent"
@@ -21,7 +21,7 @@ spec:
   template:
     metadata:
       labels: 
-        helm.sh/chart: wiz-broker-2.1.0
+        helm.sh/chart: wiz-kubernetes-connector-3.3.11
         application: "wiz"
         component: "connector"
         job: "wiz-connector-agent"
@@ -31,6 +31,10 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
+      volumes:
+      - name: api-client
+        secret:
+          secretName: wiz-api-token
       containers:
         - name: wiz-connector-creator
           securityContext:
@@ -58,20 +62,10 @@ spec:
             - --connector-name
             - {{.Cluster.Alias}}
           env:
+          - name: CLI_FILES_AS_ARGS
+            value: "/var/api-client/clientToken,/var/api-client/clientId"
           - name: LOG_LEVEL
             value: info
-          - name: WIZ_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: wiz-api-token
-                key: clientId
-                optional: false
-          - name: WIZ_CLIENT_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: wiz-api-token
-                key: clientToken
-                optional: false
           - name: WIZ_ENV
             value: 
           resources:
@@ -81,4 +75,8 @@ spec:
             requests:
               cpu: {{ .Cluster.ConfigItems.wiz_connector_cpu }}
               memory: {{ .Cluster.ConfigItems.wiz_connector_memory }}
+          volumeMounts:
+          - name: api-client
+            mountPath: /var/api-client
+            readOnly: true
 {{end}}

cluster/manifests/wiz/connector-deployment.yaml

@@ -7,7 +7,7 @@ metadata:
   name: wiz-connector-agent
   namespace: "wiz"
   labels:
-    helm.sh/chart: wiz-broker-2.1.0
+    helm.sh/chart: wiz-broker-2.3.8
     application: "wiz"
     component: "connector"
     deployment: "wiz-connector-agent"
@@ -19,7 +19,7 @@ spec:
   template:
     metadata:
       labels:
-        helm.sh/chart: wiz-broker-2.1.0
+        helm.sh/chart: wiz-broker-2.3.8
         application: "wiz"
         component: "connector"
         deployment: "wiz-connector-agent"
@@ -29,6 +29,9 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
       volumes:
+        - name: api-client
+          secret:
+            secretName: wiz-api-token
         - name: connector-data
           secret:
             secretName: wiz-connector-connector
@@ -44,6 +47,9 @@ spec:
           image: "container-registry.zalando.net/secops-systems/wiz-broker:2.7-main-4"
           imagePullPolicy: IfNotPresent
           volumeMounts:
+          - name: api-client
+            mountPath: /var/api-client
+            readOnly: true
           - name: connector-data
             mountPath: /etc/connectorData
             readOnly: true
@@ -54,16 +60,8 @@ spec:
             value: info
           - name: WIZ_ENV
             value: 
-          - name: WIZ_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: wiz-api-token
-                key: clientId
-          - name: WIZ_CLIENT_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: wiz-api-token
-                key: clientToken
+          - name: CLI_FILES_AS_ARGS
+            value: "/var/api-client/clientToken,/var/api-client/clientId"
           - name: TARGET_IP
             value: kubernetes.default.svc.cluster.local
           - name: TARGET_PORT

cluster/manifests/wiz/sensor-daemonset.yaml

@@ -6,7 +6,8 @@ kind: DaemonSet
 metadata:
   name: wiz-sensor
   labels:
-    helm.sh/chart: wiz-sensor-1.0.4760
+    helm.sh/chart: wiz-sensor-1.0.6440
+    image/tag: 1.0.6572
     application: "wiz"
     component: "sensor"
     daemonset: "wiz-sensor"
@@ -22,7 +23,8 @@ spec:
   template:
     metadata:
       labels:
-        helm.sh/chart: wiz-sensor-1.0.4760
+        helm.sh/chart: wiz-sensor-1.0.6440
+        image/tag: 1.0.6572
         application: "wiz"
         component: "sensor"
         daemonset: "wiz-sensor"
@@ -51,6 +53,15 @@ spec:
       - name: wiz-sensor
         image: container-registry.zalando.net/secops-systems/wiz-sensor:1.0.6572-main-4
         imagePullPolicy: IfNotPresent
+        startupProbe:
+            exec:
+              command:
+              - "/usr/src/app/wiz-sensor"
+              - "version"
+            initialDelaySeconds: 15
+            periodSeconds: 60
+            timeoutSeconds: 30
+            failureThreshold: 5
         securityContext:
           capabilities:
             add:
@@ -131,6 +142,10 @@ spec:
           value: info
         - name: STDOUT_LOG
           value: error
+        - name: POD_IMAGE_TAG
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.labels['image/tag']
         - name: POD_MEM_LIMITS
           valueFrom:
             resourceFieldRef: