Merge branch 'main' into release

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5.1.0
+      - uses: amannn/action-semantic-pull-request@v5.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.77.0
+  rev: v1.77.1
   hooks:
     - id: terraform_fmt
     - id: terraform_validate

README.md

@@ -87,7 +87,7 @@ here](https://github.com/particuleio/terraform-kubernetes-addons/blob/master/.gi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.23 |
+| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.25 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3 |
@@ -99,7 +99,7 @@ here](https://github.com/particuleio/terraform-kubernetes-addons/blob/master/.gi
 
 | Name | Version |
 |------|---------|
-| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.23 |
+| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.25 |
 | <a name="provider_github"></a> [github](#provider\_github) | ~> 5.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3 |

flux2.tf

@@ -11,7 +11,7 @@ locals {
       namespace                = "flux-system"
       target_path              = "production"
       default_network_policy   = true
-      version                  = "v0.38.2"
+      version                  = "v0.41.2"
       github_url               = "ssh://git@<host>/<org>/<repository>"
       create_github_repository = false
       github_token             = ""

helm-dependencies.yaml

@@ -6,19 +6,19 @@ dependencies:
     version: 0.13.2
     repository: https://charts.admiralty.io
   - name: secrets-store-csi-driver
-    version: 1.3.1
+    version: 1.3.2
     repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
   - name: aws-ebs-csi-driver
-    version: 2.17.0
+    version: 2.17.2
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver
-    version: 2.3.8
+    version: 2.4.1
     repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver
   - name: aws-for-fluent-bit
-    version: 0.1.22
+    version: 0.1.24
     repository: https://aws.github.io/eks-charts
   - name: aws-load-balancer-controller
-    version: 1.4.7
+    version: 1.4.8
     repository: https://aws.github.io/eks-charts
   - name: aws-node-termination-handler
     version: 0.21.0
@@ -33,7 +33,7 @@ dependencies:
     version: v0.5.0
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.24.0
+    version: 9.26.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
     version: 1.12.1
@@ -54,7 +54,7 @@ dependencies:
     version: 1.7.2
     repository: https://charts.helm.sh/stable
   - name: keda
-    version: 2.9.4
+    version: 2.10.1
     repository: https://kedacore.github.io/charts
   - name: keycloak
     version: 18.4.0
@@ -63,10 +63,10 @@ dependencies:
     version: 2.16.5
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 45.1.1
+    version: 45.7.1
     repository: https://prometheus-community.github.io/helm-charts
   - name: kyverno
-    version: 2.7.0
+    version: 2.7.1
     repository: https://kyverno.github.io/kyverno/
   - name: kyverno-crds
     version: v2.0.3
@@ -84,16 +84,16 @@ dependencies:
     version: 2.9.9
     repository: https://grafana.github.io/helm-charts
   - name: loki
-    version: 4.6.1
+    version: 4.8.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
-    version: 6.8.3
+    version: 6.9.3
     repository: https://grafana.github.io/helm-charts
   - name: metrics-server
-    version: 3.8.3
+    version: 3.8.4
     repository: https://kubernetes-sigs.github.io/metrics-server/
   - name: node-problem-detector
-    version: 2.3.3
+    version: 2.3.4
     repository: https://charts.deliveryhero.io/
   - name: prometheus-adapter
     version: 4.1.1
@@ -102,40 +102,40 @@ dependencies:
     version: 0.24.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-blackbox-exporter
-    version: 7.5.0
+    version: 7.6.1
     repository: https://prometheus-community.github.io/helm-charts
   - name: rabbitmq-cluster-operator
-    version: 3.2.3
+    version: 3.2.7
     repository: https://charts.bitnami.com/bitnami
   - name: scaleway-webhook
     version: v0.0.1
     repository: https://particuleio.github.io/charts
   - name: sealed-secrets
-    version: 2.7.4
+    version: 2.8.1
     repository: https://bitnami-labs.github.io/sealed-secrets
   - name: strimzi-kafka-operator
-    version: 0.33.1
+    version: 0.34.0
     repository: https://strimzi.io/charts/
   - name: thanos
-    version: 12.0.5
+    version: 12.3.1
     repository: https://charts.bitnami.com/bitnami
   - name: tigera-operator
     version: v3.25.0
     repository: https://docs.projectcalico.org/charts
   - name: traefik
-    version: 21.1.0
+    version: 21.2.0
     repository: https://helm.traefik.io/traefik
   - name: memcached
-    version: 6.3.6
+    version: 6.3.13
     repository: https://charts.bitnami.com/bitnami
   - name: vault
     version: 0.23.0
     repository: https://helm.releases.hashicorp.com
   - name: velero
-    version: 3.1.2
+    version: 3.1.4
     repository: https://vmware-tanzu.github.io/helm-charts
   - name: victoria-metrics-k8s-stack
-    version: 0.14.8
+    version: 0.14.16
     repository: https://victoriametrics.github.io/helm-charts/
   - name: yet-another-cloudwatch-exporter
     version: 0.14.0

modules/aws/README.md

@@ -21,8 +21,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
-| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.23 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.42 |
+| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.25 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3 |
@@ -34,8 +34,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72 |
-| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.23 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.42 |
+| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.25 |
 | <a name="provider_github"></a> [github](#provider\_github) | ~> 5.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3 |
@@ -356,6 +356,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [aws_iam_policy_document.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aws-efs-csi-driver_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cert-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cni-metrics-helper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

modules/aws/aws-efs-csi-driver.tf

@@ -92,7 +92,7 @@ resource "aws_efs_file_system" "aws-efs-csi-driver" {
   encrypted                       = lookup(local.aws-efs-csi-driver, "encrypted", "true")
   performance_mode                = lookup(local.aws-efs-csi-driver, "performance_mode", "generalPurpose")
   provisioned_throughput_in_mibps = lookup(local.aws-efs-csi-driver, "provisioned_throughput_in_mibps", 0)
-  throughput_mode                 = lookup(local.aws-efs-csi-driver, "provisioned_throughput_in_mibps", 0) == 0 ? "bursting" : "provisioned"
+  throughput_mode                 = lookup(local.aws-efs-csi-driver, "throughput_mode", "bursting")
   dynamic "lifecycle_policy" {
     for_each = lookup(local.aws-efs-csi-driver, "lifecycle_policy", [])
     content {

modules/aws/aws-load-balancer-controller.tf

@@ -10,6 +10,7 @@ locals {
       service_account_name      = "aws-load-balancer-controller"
       create_iam_resources_irsa = true
       enabled                   = false
+      additional_iam_statements = null
       iam_policy_override       = null
       default_network_policy    = true
       allowed_cidrs             = ["0.0.0.0/0"]
@@ -43,10 +44,18 @@ module "iam_assumable_role_aws-load-balancer-controller" {
 resource "aws_iam_policy" "aws-load-balancer-controller" {
   count  = local.aws-load-balancer-controller["enabled"] && local.aws-load-balancer-controller["create_iam_resources_irsa"] ? 1 : 0
   name   = local.aws-load-balancer-controller["name_prefix"]
-  policy = local.aws-load-balancer-controller["iam_policy_override"] == null ? templatefile("${path.module}/iam/aws-load-balancer-controller.json", { arn-partition = local.arn-partition }) : local.aws-load-balancer-controller["iam_policy_override"]
+  policy = local.aws-load-balancer-controller["iam_policy_override"] == null ? data.aws_iam_policy_document.aws-load-balancer-controller[0].json : local.aws-load-balancer-controller["iam_policy_override"]
   tags   = local.tags
 }
 
+data "aws_iam_policy_document" "aws-load-balancer-controller" {
+  count = local.aws-load-balancer-controller.enabled && local.aws-load-balancer-controller.create_iam_resources_irsa ? 1 : 0
+  source_policy_documents = compact([
+    templatefile("${path.module}/iam/aws-load-balancer-controller.json", { arn-partition = local.arn-partition }),
+    try(local.aws-load-balancer-controller.additional_iam_statements, "")
+  ])
+}
+
 resource "kubernetes_namespace" "aws-load-balancer-controller" {
   count = local.aws-load-balancer-controller["enabled"] ? 1 : 0
 

modules/aws/iam/aws-load-balancer-controller.json

@@ -4,12 +4,24 @@
         {
             "Effect": "Allow",
             "Action": [
-                "iam:CreateServiceLinkedRole",
+                "iam:CreateServiceLinkedRole"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
                 "ec2:DescribeAvailabilityZones",
                 "ec2:DescribeInternetGateways",
                 "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeInstances",
@@ -184,6 +196,28 @@
                 }
             }
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [

modules/aws/versions.tf

@@ -1,7 +1,7 @@
 terraform {
   required_version = ">= 1.0"
   required_providers {
-    aws        = ">= 3.72"
+    aws        = ">= 4.42"
     helm       = "~> 2.0"
     kubernetes = "~> 2.0, != 2.12"
     kubectl = {
@@ -10,7 +10,7 @@ terraform {
     }
     flux = {
       source  = "fluxcd/flux"
-      version = "~> 0.23"
+      version = "~> 0.25"
     }
     github = {
       source  = "integrations/github"

modules/azure/README.md

@@ -9,7 +9,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with Azure
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.0 |
-| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.23 |
+| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.25 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3 |
@@ -21,7 +21,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with Azure
 
 | Name | Version |
 |------|---------|
-| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.23 |
+| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.25 |
 | <a name="provider_github"></a> [github](#provider\_github) | ~> 5.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3 |

modules/azure/version.tf

@@ -10,7 +10,7 @@ terraform {
     }
     flux = {
       source  = "fluxcd/flux"
-      version = "~> 0.23"
+      version = "~> 0.25"
     }
     github = {
       source  = "integrations/github"

modules/scaleway/README.md

@@ -20,7 +20,7 @@ User guides, feature documentation and examples are available [here](https://git
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.23 |
+| <a name="requirement_flux"></a> [flux](#requirement\_flux) | ~> 0.25 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3 |
@@ -33,7 +33,7 @@ User guides, feature documentation and examples are available [here](https://git
 
 | Name | Version |
 |------|---------|
-| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.23 |
+| <a name="provider_flux"></a> [flux](#provider\_flux) | ~> 0.25 |
 | <a name="provider_github"></a> [github](#provider\_github) | ~> 5.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3 |

modules/scaleway/versions.tf

@@ -9,7 +9,7 @@ terraform {
     }
     flux = {
       source  = "fluxcd/flux"
-      version = "~> 0.23"
+      version = "~> 0.25"
     }
     github = {
       source  = "integrations/github"

versions.tf

@@ -9,7 +9,7 @@ terraform {
     }
     flux = {
       source  = "fluxcd/flux"
-      version = "~> 0.23"
+      version = "~> 0.25"
     }
     github = {
       source  = "integrations/github"