From 9515ba3f16ecd80496edc16419c6de0d132c7947 Mon Sep 17 00:00:00 2001 
From: stxkxs Date: Sun, 7 Jun 2026 19:50:03 -0700 Subject: [PATCH] feat(addons): bump 9 charts across major versions to current MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cross-major half of the eks-gitops catalog version-currency bump. Each researched against the real upstream changelogs + chart values diffs, then helm-template-validated at the new version with the eks-gitops values (the appsets reference remote charts, so this render is the schema gate — CI's task validate covers structure only). Key per-env settings confirmed to still bind (no silent drop from a rename). Pure version bumps — values already schema-compatible, render + bindings verified: - external-secrets 0.17.0 -> 2.6.0 (IRSA SA annotation binds; image registry default moved to ghcr.io) - prometheus-operator-crds 19.1.0 -> 29.0.0 (CRDs-only, additive) - loki 6.29.0 -> 7.0.0 - velero 11.3.2 -> 12.0.2 - argo-workflows 0.45.1 -> 1.0.14 (app v3.6 -> v4.0) - aws-load-balancer-controller 1.14.1 -> 3.4.0 - goldilocks 9.2.0 -> 10.3.0 Bumped + values migrated (the edits also fix pre-existing silently-dropped keys surfaced by the research): - opencost 1.42.2 -> 2.5.22: removed the dead exporter.aws.spot_data_region; collapsed the invalid per-component exporter/ui tolerations into the chart's global opencost.tolerations — so the CriticalAddonsOnly toleration actually applies now (it never did before, wrong path). - falco 8.0.1 -> 9.0.0: removed the grpc / grpc_output blocks (gone in 9.0 — use falcosidekick for an output sink) and the invalid syscall_drop_failed_exit; fixed the driver ring-buffer keys to camelCase (modernEbpf/cpusForEachBuffer/bufSizePreset) and falco.libs -> falco.falco_libs, so that tuning binds now (base + production). Completes the eks-gitops side of the kx#6 currency reconcile (eks-gitops was a full major behind kx on the original 4). kx pins to these versions in a paired change. 
Closes #6 --- addons/observability/opencost/values.yaml | 14 ++++++-------- addons/security/falco/values-production.yaml | 4 ++-- addons/security/falco/values.yaml | 18 ++++++++---------- applicationsets/addons-argo-platform.yaml | 2 +- applicationsets/addons-bootstrap.yaml | 4 ++-- applicationsets/addons-networking.yaml | 2 +- applicationsets/addons-observability.yaml | 4 ++-- applicationsets/addons-operations-helm.yaml | 4 ++-- applicationsets/addons-security.yaml | 2 +- 9 files changed, 25 insertions(+), 29 deletions(-) diff --git a/addons/observability/opencost/values.yaml b/addons/observability/opencost/values.yaml index 49694f0..eac9265 100644 --- a/addons/observability/opencost/values.yaml +++ b/addons/observability/opencost/values.yaml @@ -3,8 +3,6 @@ opencost: exporter: defaultClusterId: eks - aws: - spot_data_region: us-west-2 resources: requests: cpu: 50m @@ -12,9 +10,6 @@ opencost: limits: cpu: 200m memory: 256Mi - tolerations: - - key: CriticalAddonsOnly - operator: Exists ui: enabled: true resources: @@ -24,6 +19,9 @@ opencost: limits: cpu: 100m memory: 128Mi - tolerations: - - key: CriticalAddonsOnly - operator: Exists + # Single deployment (exporter + ui), so tolerations live at opencost.tolerations + # — the previous per-component exporter/ui tolerations sat on invalid paths and + # were silently dropped, so CriticalAddonsOnly never actually applied until now. + tolerations: + - key: CriticalAddonsOnly + operator: Exists diff --git a/addons/security/falco/values-production.yaml b/addons/security/falco/values-production.yaml index fc8e11b..802caf1 100644 --- a/addons/security/falco/values-production.yaml +++ b/addons/security/falco/values-production.yaml @@ -8,5 +8,5 @@ resources: memory: 4Gi driver: - modern_ebpf: - cpus_for_each_buffer: 8 + modernEbpf: + cpusForEachBuffer: 8 diff --git a/addons/security/falco/values.yaml b/addons/security/falco/values.yaml index 586f2d2..987105e 100644 --- a/addons/security/falco/values.yaml 
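Review bot: The comment added above `tolerations:` in the last opencost hunk records history ("were silently dropped … never actually applied until now") that will read as stale once this merges, and the commit message already carries it. A comment stating the standing constraint would age better, for example `# exporter and ui share one Deployment; the chart reads tolerations only from opencost.tolerations`. Because the toleration takes effect for the first time with this change, the pod becomes schedulable on CriticalAddonsOnly-tainted nodes, which is worth confirming as intended, since nothing in the hunk pins it there or keeps it off. The description says CI validates structure only, so an assertion on the rendered Deployment's tolerations would catch a repeat of the wrong-path problem.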
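Review bot: `cpusForEachBuffer: 8` in values-production.yaml carries no comment, while the matching base hunk in addons/security/falco/values.yaml explains the key rename; a line such as `# one ring buffer shared by 8 CPUs; overrides the base value of 4` would make the override's intent readable here. Per the commit description this tuning never bound before, so both hunks change driver behaviour on rollout rather than preserving it. Sharing a buffer across more CPUs presumably raises the chance of dropped syscall events under load, which for a detection sensor means missed alerts, so the drop counters are worth watching after the first sync in each environment.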
+++ b/addons/security/falco/values.yaml @@ -2,23 +2,21 @@ driver: kind: modern_ebpf - modern_ebpf: - cpus_for_each_buffer: 4 - buf_size_preset: 4 + # camelCase keys — the previous snake_case (modern_ebpf/cpus_for_each_buffer/ + # buf_size_preset) sat on invalid paths and were silently dropped, so this + # ring-buffer tuning did not apply until now. + modernEbpf: + cpusForEachBuffer: 4 + bufSizePreset: 4 falco: - grpc: - enabled: true - bind_address: "unix:///run/falco/falco.sock" - grpc_output: - enabled: true json_output: true log_stderr: true log_syslog: false priority: warning rule_matching: first - syscall_drop_failed_exit: true - libs: + # falco_libs (not libs) is the real config key for libsinspector tuning. + falco_libs: thread_table_auto_purging_interval_s: 120 thread_table_auto_purging_thread_timeout_s: 120 diff --git a/applicationsets/addons-argo-platform.yaml b/applicationsets/addons-argo-platform.yaml index 2891637..dd51eb9 100644 --- a/applicationsets/addons-argo-platform.yaml +++ b/applicationsets/addons-argo-platform.yaml @@ -35,7 +35,7 @@ spec: namespace: argo-workflows chartRepo: https://argoproj.github.io/argo-helm chart: argo-workflows - chartVersion: "0.45.1" + chartVersion: "1.0.14" path: addons/argo-platform/argo-workflows syncWave: "52" template: diff --git a/applicationsets/addons-bootstrap.yaml b/applicationsets/addons-bootstrap.yaml index ed04719..9249089 100644 --- a/applicationsets/addons-bootstrap.yaml +++ b/applicationsets/addons-bootstrap.yaml 
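Review bot: Removing the `grpc` and `grpc_output` blocks leaves `log_stderr: true` with `json_output: true` as the only output configured in this hunk, and no replacement sink is added here, although the commit description points to falcosidekick. If anything consumed alerts from the gRPC unix socket it stops receiving them at 9.0.0, and alert delivery then rests on container-log collection from the Falco pods. It would help either to enable the sidekick sink in this change or to add a comment above `json_output` naming the pipeline that carries alerts, e.g. `# alerts leave the node via stderr only; <log pipeline> must collect falco pod logs`. The `falco:` mapping may continue past the end of the hunk, so an output configured further down would not be visible here.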
@@ -28,14 +28,14 @@ spec: namespace: external-secrets chartRepo: https://charts.external-secrets.io chart: external-secrets - chartVersion: "0.17.0" + chartVersion: "2.6.0" path: addons/bootstrap/external-secrets syncWave: "0" - appName: prometheus-operator-crds namespace: monitoring chartRepo: https://prometheus-community.github.io/helm-charts chart: prometheus-operator-crds - chartVersion: "19.1.0" + chartVersion: "29.0.0" path: addons/bootstrap/prometheus-operator-crds syncWave: "0" - appName: metrics-server diff --git a/applicationsets/addons-networking.yaml b/applicationsets/addons-networking.yaml index 96fbcad..5aa69db 100644 --- a/applicationsets/addons-networking.yaml +++ b/applicationsets/addons-networking.yaml @@ -28,7 +28,7 @@ spec: namespace: kube-system chartRepo: https://aws.github.io/eks-charts chart: aws-load-balancer-controller - chartVersion: "1.14.1" + chartVersion: "3.4.0" path: addons/networking/aws-load-balancer-controller syncWave: "1" - appName: external-dns diff --git a/applicationsets/addons-observability.yaml b/applicationsets/addons-observability.yaml index 8b227b8..188a2ee 100644 --- a/applicationsets/addons-observability.yaml +++ b/applicationsets/addons-observability.yaml @@ -21,7 +21,7 @@ spec: namespace: monitoring chartRepo: https://grafana.github.io/helm-charts chart: loki - chartVersion: 6.29.0 + chartVersion: 7.0.0 path: addons/observability/loki syncWave: "30" - appName: tempo @@ -42,7 +42,7 @@ spec: namespace: opencost chartRepo: https://opencost.github.io/opencost-helm-chart chart: opencost - chartVersion: "1.42.2" + chartVersion: "2.5.22" path: addons/observability/opencost syncWave: "33" - appName: grafana-operator diff --git a/applicationsets/addons-operations-helm.yaml b/applicationsets/addons-operations-helm.yaml index 0a3f91f..ac5366d 100644 --- a/applicationsets/addons-operations-helm.yaml +++ b/applicationsets/addons-operations-helm.yaml 
@@ -21,7 +21,7 @@ spec: namespace: velero chartRepo: https://vmware-tanzu.github.io/helm-charts chart: velero - chartVersion: 11.3.2 + chartVersion: 12.0.2 path: addons/operations/velero syncWave: "40" - appName: vpa @@ -35,7 +35,7 @@ spec: namespace: goldilocks chartRepo: https://charts.fairwinds.com/stable chart: goldilocks - chartVersion: 9.2.0 + chartVersion: 10.3.0 path: addons/operations/goldilocks syncWave: "42" - appName: descheduler diff --git a/applicationsets/addons-security.yaml b/applicationsets/addons-security.yaml index 14ee2c7..b7d0d1c 100644 --- a/applicationsets/addons-security.yaml +++ b/applicationsets/addons-security.yaml @@ -35,7 +35,7 @@ spec: namespace: falco chartRepo: https://falcosecurity.github.io/charts chart: falco - chartVersion: 8.0.1 + chartVersion: 9.0.0 path: addons/security/falco syncWave: "12" template: