Merge branch 'main' into add-dependabot

.github/workflows/integration.yml

@@ -203,7 +203,6 @@ jobs:
             --node_pools.autoscaler.max 3 \
             --node_pools.autoscaler.min 3 \
             --tags testing \
-            --tags delete_me_tonight \
             --no-defaults
       - name: Retrieve cluster id
         run: echo "LINODE_CLUSTER_ID=$(linode-cli lke clusters-list --json | jq -ce '.[] | select(.label | startswith("${{ env.LINODE_CLUSTER_NAME }}")) | .id')" >> $GITHUB_ENV

.github/workflows/main.yml

@@ -15,7 +15,7 @@ env:
 jobs:
   build-test-cache:
     if: (!contains(github.event.head_commit.message, 'ci skip') && !startsWith(github.ref, 'refs/tags/') && !github.event.act)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       COMMIT_MSG: ${{ github.event.head_commit.message }}
       BOT_EMAIL: ${{ vars.BOT_EMAIL }}
@@ -49,7 +49,7 @@ jobs:
   push-to-docker:
     needs: build-test-cache
     if: always() && ((contains(needs.build-test-cache.result, 'success') && !contains(needs.integration.outputs.started, 'true')) || (contains(needs.integration.result, 'success'))) && !github.event.act
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       BOT_EMAIL: ${{ vars.BOT_EMAIL }}
       BOT_USERNAME: ${{ vars.BOT_USERNAME }}
@@ -71,7 +71,7 @@ jobs:
   release:
     needs: push-to-docker
     if: always() && (startsWith(github.ref, 'refs/heads/releases/') || startsWith(github.ref, 'refs/heads/main')) && startsWith(github.event.head_commit.message, 'chore(release)') && !github.event.act
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       COMMIT_MSG: ${{ github.event.head_commit.message }}
       BOT_EMAIL: ${{ vars.BOT_EMAIL }}
@@ -91,7 +91,7 @@ jobs:
           docker pull $REPO:$TAG
           docker tag $REPO:$TAG $REPO:latest
           docker push $REPO:latest
-          release_tag="v$(echo $COMMIT_MSG | cut -d' ' -f2)"
+          release_tag=v$(jq -r '.version' < package.json)
           echo tag=$release_tag >> $GITHUB_OUTPUT
           echo "Releasing $REPO:$release_tag"
           docker tag $REPO:$TAG $REPO:$release_tag
@@ -115,10 +115,10 @@ jobs:
   chart-release:
     needs: release
     if: always() && contains(needs.release.result, 'success') && !github.event.act
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     container:
-      image: linode/apl-tools:2.7.0
-      options: --user 0
+      image: linode/apl-tools:v2.8.2
+      options: --user 0 # See https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
     env:
       COMMIT_MSG: ${{ github.event.head_commit.message }}
       BOT_EMAIL: ${{ vars.BOT_EMAIL }}
@@ -187,7 +187,7 @@ jobs:
   # test-otomi-release:
   #   name: Test Helm Chart Installation
   #   needs: [release, chart-release]
-  #   runs-on: ubuntu-latest
+  #   runs-on: ubuntu-22.04
   #   steps:
   #     - name: Use Scaleway CLI
   #       uses: scaleway/action-scw@v0
@@ -274,7 +274,7 @@ jobs:
   # notification:
   #   needs: [build-test-cache, push-to-docker, release, chart-release]
   #   if: always()
-  #   runs-on: ubuntu-latest
+  #   runs-on: ubuntu-22.04
   #   steps:
   #     - name: Slack Notification
   #       uses: rtCamp/action-slack-notify@v2

.nvmrc

@@ -1 +1 @@
-v16.20
+v20.18

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.1.0](https://github.com/linode/apl-core/compare/v4.0.0...v4.1.0) (2024-11-12)
+
+
+### Features
+
+* added cors for ouath2-proxy ingress ([#1799](https://github.com/linode/apl-core/issues/1799)) ([d0ee298](https://github.com/linode/apl-core/commit/d0ee2981378f4f2234c0ca161fd8cb98f8c25dd8))
+* added policy setting to external-dns values ([#1793](https://github.com/linode/apl-core/issues/1793)) ([d6d9741](https://github.com/linode/apl-core/commit/d6d9741d001ca1694a14e8c689a49770a73cfe22))
+* adjust retry factor to 1 and 30 retries of 1 minute ([#1801](https://github.com/linode/apl-core/issues/1801)) ([70099bc](https://github.com/linode/apl-core/commit/70099bceb34e525bdf8d58e30e087f044b43fb6e))
+* object storage wizard ([#1790](https://github.com/linode/apl-core/issues/1790)) ([4d28234](https://github.com/linode/apl-core/commit/4d28234da70c6cb0e81b72f4e1ad03c37fcc60f2))
+* set datasource for trivy dashboard to default ([#1796](https://github.com/linode/apl-core/issues/1796)) ([cd52cc0](https://github.com/linode/apl-core/commit/cd52cc0f86e7347b2c6c249c6d2902912b030c7f))
+* update tools version ([#1794](https://github.com/linode/apl-core/issues/1794)) ([718719b](https://github.com/linode/apl-core/commit/718719b2d4890a0dc56e4525880c96290e012f65))
+
+
+### Bug Fixes
+
+* change default falco driver ([#1795](https://github.com/linode/apl-core/issues/1795)) ([5fc6f14](https://github.com/linode/apl-core/commit/5fc6f149eb10e920be4f6b64b6b98f01d840d5a2))
+* datasource for team and platform Grafana dashboards ([#1785](https://github.com/linode/apl-core/issues/1785)) ([6782421](https://github.com/linode/apl-core/commit/6782421ac651aea5cebdc68c9aaa98f1b2897b38))
+* falco team grafana falco dashboard datasource ([#1806](https://github.com/linode/apl-core/issues/1806)) ([378903f](https://github.com/linode/apl-core/commit/378903f7f433113658f6178b5540de734eb8ec0a))
+
+
+### Others
+
+* rename application  to app ([#1804](https://github.com/linode/apl-core/issues/1804)) ([9d886eb](https://github.com/linode/apl-core/commit/9d886eb3d6c3038eb439ac6f7371d3fc34523909))
+* update packages and docker image [TOOLS][MINOR] ([#1788](https://github.com/linode/apl-core/issues/1788)) ([1ab0fca](https://github.com/linode/apl-core/commit/1ab0fca52a9f794ef872eb115d130db47f4d9f8f))
+* versions ([#1802](https://github.com/linode/apl-core/issues/1802)) ([8dca419](https://github.com/linode/apl-core/commit/8dca419f5433039a73a901857ba30f8274ef748a))
+
 ## [4.0.0](https://github.com/linode/apl-core/compare/v3.0.0...v4.0.0) (2024-11-01)
 
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM linode/apl-tools:v2.8.0 as ci
+FROM linode/apl-tools:v2.8.2 as ci
 
 ENV APP_HOME=/home/app/stack
 
@@ -26,9 +26,7 @@ FROM ci as clean
 # below command removes the packages specified in devDependencies and set NODE_ENV to production
 RUN npm prune --production
 
-#-----------------------------
-FROM linode/apl-tools:v2.8.0  as prod
-
+FROM linode/apl-tools:v2.8.2  as prod
 ENV APP_HOME=/home/app/stack
 ENV ENV_DIR=/home/app/stack/env
 ENV VERBOSITY='0'

charts/otomi-db/templates/cluster.yaml

@@ -46,6 +46,10 @@ spec:
         secretAccessKey:
           name: minio-creds
           key: MINIO_SECRET_KEY
+      wal:
+        compression: gzip
+      data:
+        compression: gzip
   {{- end }}
   {{- if eq .Values.backup.type "linode" }}
   backup:
@@ -60,6 +64,10 @@ spec:
         secretAccessKey:
           name: linode-creds
           key: S3_STORAGE_KEY
+      wal:
+        compression: gzip
+      data:
+        compression: gzip
   {{- end }}
 {{- end }}
 

charts/otomi-pipelines/templates/tekton-otomi-git-clone.yaml

@@ -48,7 +48,7 @@ spec:
 
         # Reading gitea credentials
         GITEA_USERNAME=$(cat /etc/gitea-credentials/username)
-        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password)
+        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password | jq -s -R -r @uri )
 
         # Getting the full repository url
         export fullRepoUrl=$(params["repoUrl"])

charts/otomi-pipelines/templates/tekton-otomi-task-teams.yaml

@@ -49,7 +49,7 @@ spec:
         git config --global --add safe.directory '*'
         # Reading gitea credentials
         GITEA_USERNAME=$(cat /etc/gitea-credentials/username)
-        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password)
+        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password | jq -s -R -r @uri )
 
         # Parsing the repo url
         export fullRepoUrl=$(params["repoUrl"])
@@ -70,6 +70,7 @@ spec:
         - 'binzx/otomi validate-values'
     - name: apply
       computeResources: {}
+      {{/* Be aware that during the upgrade this task is not immediately upgraded */}}
       script: |
         #!/bin/bash
         set -e

charts/otomi-pipelines/templates/tekton-otomi-task.yaml

@@ -49,7 +49,7 @@ spec:
         git config --global --add safe.directory '*'
         # Reading gitea credentials
         GITEA_USERNAME=$(cat /etc/gitea-credentials/username)
-        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password)
+        GITEA_PASSWORD=$(cat /etc/gitea-credentials/password | jq -s -R -r @uri )
 
         # Parsing the repo url
         export fullRepoUrl=$(params["repoUrl"])
@@ -77,6 +77,7 @@ spec:
         - 'binzx/otomi validate-values'
     - name: apply
       computeResources: {}
+      {{/* Be aware that during the upgrade this task is not immediately upgraded */}}
       script: |
         #!/bin/bash
         set -e

charts/team-ns/templates/argocd/argocd-project.yaml

@@ -58,8 +58,11 @@ spec:
     - p, proj:team-{{ $v.teamId }}:platform-admin, *, *, team-{{ $v.teamId }}/*, allow
     groups:
     - platform-admin
+    {{- if not (eq $v.teamId "admin") }}
     - team-{{ $v.teamId }}
+    {{- end }}
 {{- end }}
+{{- if not (eq $v.teamId "admin") }}
   - name: team-member
     description: Team member privileges to team-{{ $v.teamId }}
 {{- if or (has "argocd" $v.selfService.apps) $v.otomi.isMultitenant }}
@@ -76,13 +79,12 @@ spec:
 {{- end }}
     groups:
     - team-{{ $v.teamId }}
+{{- end }}
   # A role which provides read-only access to all applications in the project
   - name: read-only
     description: Read-only privileges to team-{{ $v.teamId }}
     policies:
     - p, proj:team-{{ $v.teamId }}:read-only, applications, get, team-{{ $v.teamId }}/*, allow
-{{- if not $v.otomi.isMultitenant }}
-{{- end }}
     groups:
     - team-viewer
   - name: ci-role