Merge branch 'main' into APL-540

Author: dennisvankekem

chart/chart-index/Chart.yaml

@@ -15,7 +15,7 @@ dependencies:
     version: 0.23.0
     repository: https://cloudnative-pg.github.io/charts
   - name: external-dns
-    version: 8.3.9
+    version: 8.7.8
     repository: https://charts.bitnami.com/bitnami
   - name: falco
     version: 3.8.5

charts/external-dns/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.23.0
-digest: sha256:fbd6439f12ded949c04553b9c52a4c8153a8f2790147d972b314ddcd46921a14
-generated: "2024-10-02T00:30:49.768617272Z"
+  version: 2.30.0
+digest: sha256:46afdf79eae69065904d430f03f7e5b79a148afed20aa45ee83ba88adc036169
+generated: "2025-02-19T17:06:43.001843167Z"

charts/external-dns/Chart.yaml

@@ -2,10 +2,11 @@ annotations:
   category: DeveloperTools
   images: |
     - name: external-dns
-      image: docker.io/bitnami/external-dns:0.15.0-debian-12-r2
+      image: docker.io/bitnami/external-dns:0.16.1-debian-12-r0
   licenses: Apache-2.0
+  tanzuCategory: clusterUtility
 apiVersion: v2
-appVersion: 0.15.0
+appVersion: 0.16.1
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
@@ -15,7 +16,7 @@ dependencies:
 description: ExternalDNS is a Kubernetes addon that configures public DNS servers
   with information about exposed Kubernetes services to make them discoverable.
 home: https://bitnami.com
-icon: https://bitnami.com/assets/stacks/external-dns/img/external-dns-stack-220x234.png
+icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/external-dns/img/external-dns-stack-220x234.png
 keywords:
 - external-dns
 - network
@@ -26,4 +27,4 @@ maintainers:
 name: external-dns
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/external-dns
-version: 8.3.9
+version: 8.7.8

charts/external-dns/README.md

@@ -2,11 +2,11 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.23.0
+appVersion: 2.30.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
 home: https://bitnami.com
-icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
 keywords:
 - common
 - helper
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/common
 type: library
-version: 2.23.0
+version: 2.30.0

charts/external-dns/charts/common/Chart.yaml

@@ -61,7 +61,7 @@ tag:
 
 pullPolicy:
   type: string
-  description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  description: Specify a imagePullPolicy.'
 
 pullSecrets:
   type: array
@@ -214,13 +214,13 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 
 #### Useful links
 
-- <https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html>
+- <https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html>
 - <https://helm.sh/docs/topics/v2_v3_migration/>
 - <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
 
 ## License
 
-Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

charts/external-dns/charts/common/README.md

@@ -60,13 +60,14 @@ Return a topologyKey definition
 
 {{/*
 Return a soft podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
 */}}
 {{- define "common.affinities.pods.soft" -}}
 {{- $component := default "" .component -}}
 {{- $customLabels := default (dict) .customLabels -}}
 {{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
 {{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+{{- $extraNamespaces := default (list) .extraNamespaces -}}
 preferredDuringSchedulingIgnoredDuringExecution:
   - podAffinityTerm:
       labelSelector:
@@ -77,6 +78,13 @@ preferredDuringSchedulingIgnoredDuringExecution:
           {{- range $key, $value := $extraMatchLabels }}
           {{ $key }}: {{ $value | quote }}
           {{- end }}
+      {{- if $extraNamespaces }}
+      namespaces:
+        - {{ .context.Release.Namespace }}
+        {{- with $extraNamespaces }}
+        {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
+        {{- end }}
+      {{- end }}
       topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
     weight: 1
   {{- range $extraPodAffinityTerms }}
@@ -96,13 +104,14 @@ preferredDuringSchedulingIgnoredDuringExecution:
 
 {{/*
 Return a hard podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
 */}}
 {{- define "common.affinities.pods.hard" -}}
 {{- $component := default "" .component -}}
 {{- $customLabels := default (dict) .customLabels -}}
 {{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
 {{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+{{- $extraNamespaces := default (list) .extraNamespaces -}}
 requiredDuringSchedulingIgnoredDuringExecution:
   - labelSelector:
       matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
@@ -112,6 +121,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
         {{- range $key, $value := $extraMatchLabels }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
+      {{- if $extraNamespaces }}
+      namespaces:
+        - {{ .context.Release.Namespace }}
+        {{- with $extraNamespaces }}
+        {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
+        {{- end }}
+      {{- end }}
     topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
   {{- range $extraPodAffinityTerms }}
   - labelSelector:

charts/external-dns/charts/common/templates/_affinities.tpl

@@ -12,6 +12,20 @@ Return the target Kubernetes version
 {{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
 {{- end -}}
 
+{{/*
+Return true if the apiVersion is supported
+Usage:
+{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }}
+*/}}
+{{- define "common.capabilities.apiVersions.has" -}}
+{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}}
+{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}}
+    {{- true -}}
+{{- else if has .version $providedAPIVersions -}}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for poddisruptionbudget.
 */}}
@@ -36,6 +50,18 @@ Return the appropriate apiVersion for networkpolicy.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the appropriate apiVersion for job.
+*/}}
+{{- define "common.capabilities.job.apiVersion" -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for cronjob.
 */}}
@@ -157,14 +183,12 @@ Return the appropriate apiVersion for Vertical Pod Autoscaler.
 */}}
 {{- define "common.capabilities.vpa.apiVersion" -}}
 {{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
-{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
-{{- if .beta2 -}}
-{{- print "autoscaling/v2beta2" -}}
-{{- else -}}
-{{- print "autoscaling/v2beta1" -}}
-{{- end -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}}
+{{- print "autoscaling/v1beta1" -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
+{{- print "autoscaling/v1beta2" -}}
 {{- else -}}
-{{- print "autoscaling/v2" -}}
+{{- print "autoscaling/v1" -}}
 {{- end -}}
 {{- end -}}
 

charts/external-dns/charts/common/templates/_capabilities.tpl

@@ -40,7 +40,7 @@ Usage:
 {{- end -}}
 {{/* Remove fields that are disregarded when running the container in privileged mode */}}
 {{- if $adaptedContext.privileged -}}
-  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" -}}
 {{- end -}}
 {{- omit $adaptedContext "enabled" | toYaml -}}
 {{- end -}}

charts/external-dns/charts/common/templates/_compatibility.tpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
 
 {{/* vim: set filetype=mustache: */}}
 {{/*
-Through error when upgrading using empty passwords values that must not be empty.
+Throw error when upgrading using empty passwords values that must not be empty.
 
 Usage:
 {{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -26,3 +26,60 @@ Required password params:
     {{- printf $errorString $validationErrors | fail -}}
   {{- end -}}
 {{- end -}}
+
+{{/*
+Throw error when original container images are replaced.
+The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
+a warning message will be shown instead.
+
+Usage:
+{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
+*/}}
+{{- define "common.errors.insecureImages" -}}
+{{- $relocatedImages := list -}}
+{{- $replacedImages := list -}}
+{{- $retaggedImages := list -}}
+{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
+{{- $originalImages := .context.Chart.Annotations.images -}}
+{{- range .images -}}
+  {{- $registryName := default .registry $globalRegistry -}}
+  {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
+  {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
+  {{- if not (contains $fullImageNameNoTag $originalImages) -}}
+    {{- if not (contains $registryName $originalImages) -}}
+      {{- $relocatedImages = append $relocatedImages $fullImageName  -}}
+    {{- else if not (contains .repository $originalImages) -}}
+      {{- $replacedImages = append $replacedImages $fullImageName  -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
+    {{- $retaggedImages = append $retaggedImages $fullImageName  -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
+  {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
+{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
+  {{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
+  {{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
+  {{- range (concat $relocatedImages $replacedImages) -}}
+    {{- $errorString = print $errorString "\n  - " . -}}
+  {{- end -}}
+  {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}}
+    {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
+    {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
+    {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
+    {{- print $errorString | fail -}}
+  {{- else if gt (len $replacedImages) 0 -}}
+    {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
+    {{- print $errorString -}}
+  {{- end -}}
+{{- else if gt (len $retaggedImages) 0 -}}
+  {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}}
+  {{- $warnString = print $warnString "\n\nRetagged images:" -}}
+  {{- range $retaggedImages -}}
+    {{- $warnString = print $warnString "\n  - " . -}}
+  {{- end -}}
+  {{- print $warnString -}}
+{{- end -}}
+{{- end -}}

charts/external-dns/charts/common/templates/_errors.tpl

@@ -67,7 +67,7 @@ Params:
 Generate secret password or retrieve one if already created.
 
 Usage:
-{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }}
 
 Params:
   - secret - String - Required - Name of the 'Secret' resource where the password is stored.
@@ -80,12 +80,15 @@ Params:
   - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
   - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
   - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
+  - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret
 The order in which this function returns a secret password:
-  1. Already existing 'Secret' resource
+  1. Password provided via the values.yaml if honorProvidedValues = true
+     (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+  2. Already existing 'Secret' resource
      (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
-  2. Password provided via the values.yaml
+  3. Password provided via the values.yaml if honorProvidedValues = false
      (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
-  3. Randomly generated secret password
+  4. Randomly generated secret password
      (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
 
 */}}
@@ -106,6 +109,10 @@ The order in which this function returns a secret password:
   {{- end -}}
 {{- end }}
 
+{{- if and $providedPasswordValue .honorProvidedValues }}
+  {{- $password = $providedPasswordValue | toString }}
+{{- end }}
+
 {{- if not $password }}
   {{- if $providedPasswordValue }}
     {{- $password = $providedPasswordValue | toString }}

charts/external-dns/charts/common/templates/_secrets.tpl

@@ -36,3 +36,17 @@ Usage:
 {{- end -}}
 {{ $dst | toYaml }}
 {{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite
+Usage:
+{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge-overwrite" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}

charts/external-dns/charts/common/templates/_tplvalues.tpl

@@ -13,7 +13,7 @@ Usage:
 
 {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
 WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html
++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html
 {{- end }}
 {{- end -}}
 

charts/external-dns/charts/common/templates/_warnings.tpl

@@ -4,32 +4,6 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{/* vim: set filetype=mustache: */}}
-{{/*
-Validate Cassandra required passwords are not empty.
-
-Usage:
-{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
-Params:
-  - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
-  - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
-*/}}
-{{- define "common.validations.values.cassandra.passwords" -}}
-  {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
-  {{- $enabled := include "common.cassandra.values.enabled" . -}}
-  {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
-  {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
-
-  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
-    {{- $requiredPasswords := list -}}
-
-    {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
-    {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
-
-    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
-
-  {{- end -}}
-{{- end -}}
-
 {{/*
 Auxiliary function to get the right value for existingSecret.