Kyma 2.8.4 (#3372)

* successful local install * change cli version * fix leftover and patches * remove unused flag * try to fix benchmark * install kyma once * reuse existing kyma * initial changes * change * add patch * unify kyma cli version * initial changes * change kyma version in comments * use ns var and label ory ns * add message * update kyma cli version * fix benchmark * fix ory ns * fix ns typo * typo * update docs * initial changes * update image * update images and kyma cli * change workarounds * remove unnecesarry workaround * update docs * initial changes * isito changes * clean up * cli version change and others * update docs --------- Co-authored-by: PetarTodorovv <todorovv.petar@gmail.com>
kyma-incubator · Oct 13, 2023 · dd32884 · dd32884
1 parent 534b377
commit dd32884
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 72 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ For more information about the Compass architecture, technical details, and comp
 - [Docker](https://www.docker.com/get-started)
 - [k3d](https://github.com/k3d-io/k3d) v5.2.2+
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 1.23.0+
-- [Kyma CLI](https://github.com/kyma-project/cli) 2.8.0
+- [Kyma CLI](https://github.com/kyma-project/cli) 2.8.4
 - [helm](https://github.com/helm/helm) v3.8.0+
 - [yq](https://github.com/mikefarah/yq) v4+
 

diff --git a/docs/compass/04-01-installation.md b/docs/compass/04-01-installation.md
@@ -46,7 +46,7 @@ Therefore, `serviceAccountTokenJWKS` and `serviceAccountTokenIssuer` need to be
 
 > **NOTE:** During the installation of Compass, the installed Kyma version (as a basis to Compass) must match to the one in the [`KYMA_VERSION`](../../installation/resources/KYMA_VERSION) file in the specific Compass commit.
 
-If custom domains and certificates are needed, see the [Set up your custom domain TLS certificate](https://github.com/kyma-project/kyma/blob/2.7.3/docs/03-tutorials/sec-01-tls-certificates-security.md) document in the Kyma installation guide, as well as the resources in the [Certificate Management](#certificate-management) section in this document.
+If custom domains and certificates are needed, see the [Set up your custom domain TLS certificate](https://github.com/kyma-project/kyma/blob/2.8.4/docs/03-tutorials/00-security/sec-01-tls-certificates-security.md) document in the Kyma installation guide, as well as the resources in the [Certificate Management](#certificate-management) section in this document.
 
 Save the following .yaml code with installation overrides into a file (for example: additionalKymaOverrides.yaml)
 ```yaml
@@ -383,9 +383,9 @@ To install the Compass and Runtime components on a single cluster, perform the f
 
 > **NOTE:** During the installation of Kyma, the installed version must match to the one in the [`KYMA_VERSION`](../../installation/resources/KYMA_VERSION) file in the specific Compass commit.
 
-You must have a Kyma installation with an enabled Runtime Agent. For more information, see [Enable Kyma with Runtime Agent](https://github.com/kyma-project/kyma/blob/2.7.3/docs/04-operation-guides/operations/ra-01-enable-kyma-with-runtime-agent.md). Therefore, you must add the compass-runtime-agent module in the compass-system namespace to the list of [minimal kyma components file](../../installation/resources/kyma/kyma-components-minimal.yaml).
+You must have a Kyma installation with an enabled Runtime Agent. For more information, see [Enable Kyma with Runtime Agent](https://github.com/kyma-project/kyma/blob/2.8.4/docs/04-operation-guides/operations/ra-01-enable-kyma-with-runtime-agent.md). Therefore, you must add the compass-runtime-agent module in the compass-system namespace to the list of [minimal kyma components file](../../installation/resources/kyma/kyma-components-minimal.yaml).
 
-If custom domains and certificates are needed, see the [Set up your custom domain TLS certificate](https://github.com/kyma-project/kyma/blob/2.7.3/docs/03-tutorials/sec-01-tls-certificates-security.md) document in the Kyma installation guide, as well as the resources in the [Certificate Management](#certificate-management) section in this document.
+If custom domains and certificates are needed, see the [Set up your custom domain TLS certificate](https://github.com/kyma-project/kyma/blob/2.8.4/docs/03-tutorials/00-security/sec-01-tls-certificates-security.md) document in the Kyma installation guide, as well as the resources in the [Certificate Management](#certificate-management) section in this document.
 
 Save the following .yaml code with installation overrides to a file (for example: additionalKymaOverrides.yaml)
 ```yaml

diff --git a/installation/resources/KYMA_VERSION b/installation/resources/KYMA_VERSION
@@ -1 +1 @@
-2.7.3
+2.8.4
diff --git a/installation/resources/kyma/kyma-overrides-minimal.yaml b/installation/resources/kyma/kyma-overrides-minimal.yaml
@@ -1,8 +1,3 @@
-api-gateway:
-  deployment:
-    resources:
-      limits:
-        cpu: 200m
 cluster-essentials:
   global:
     disableLegacyConnectivity: true
@@ -30,52 +25,32 @@ helm-broker:
       limits:
         memory: 256Mi
 istio:
+  global:
+    # Use official images that have support for arm and amd as Kyma's images are only for amd
+    images:
+      istio_proxyv2:
+        name: "proxyv2"
+        version: "1.15.3-distroless"
+        directory: "istio"
+        containerRegistryPath: "docker.io"
+      istio_pilot:
+        name: "pilot"
+        version: "1.15.3-distroless"
+        directory: "istio"
+        containerRegistryPath: "docker.io"
+      istio_install-cni:
+        name: "install-cni"
+        version: "1.15.3-distroless"
+        directory: "istio"
+        containerRegistryPath: "docker.io"
+
   components:
     egressGateways:
       enabled: false
     ingressGateways:
-      config:
-        affinity:
-          nodeAffinity:
-            preferredDuringSchedulingIgnoredDuringExecution:
-              - preference:
-                  matchExpressions:
-                    - key: beta.kubernetes.io/arch
-                      operator: In
-                      values:
-                        - arm64
-                        - amd64
-                weight: 2
-            requiredDuringSchedulingIgnoredDuringExecution:
-              nodeSelectorTerms:
-                - matchExpressions:
-                    - key: beta.kubernetes.io/arch
-                      operator: In
-                      values:
-                        - arm64
-                        - amd64
       enabled: true
     pilot:
       config:
-        affinity:
-          nodeAffinity:
-            preferredDuringSchedulingIgnoredDuringExecution:
-              - preference:
-                  matchExpressions:
-                    - key: beta.kubernetes.io/arch
-                      operator: In
-                      values:
-                        - arm64
-                        - amd64
-                weight: 2
-            requiredDuringSchedulingIgnoredDuringExecution:
-              nodeSelectorTerms:
-                - matchExpressions:
-                    - key: beta.kubernetes.io/arch
-                      operator: In
-                      values:
-                        - arm64
-                        - amd64
         hpaSpec:
           maxReplicas: 5
           metrics:
@@ -114,10 +89,6 @@ istio:
           requests:
             cpu: 50m
             memory: 160Mi
-    pilot:
-      resources:
-        limits:
-          memory: 2048Mi
   meshConfig:
     defaultConfig:
       holdApplicationUntilProxyStarts: true

diff --git a/installation/scripts/install-kyma.sh b/installation/scripts/install-kyma.sh
@@ -26,16 +26,6 @@ cp ${KYMA_OVERRIDES_MINIMAL} ${MINIMAL_OVERRIDES_TEMP}
 
 yq -i ".istio.helmValues.pilot.jwksResolverExtraRootCA = \"$CERT\"" "${MINIMAL_OVERRIDES_TEMP}"
 
-if [[ $(uname -m) == 'arm64' ]]; then
-  yq -i ".istio.global.images.istio_proxyv2.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio.global.images.istio_proxyv2.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio.global.images.istio_proxyv2.version = \"1.14.4-distroless\"" "${MINIMAL_OVERRIDES_TEMP}"
-
-  yq -i ".istio.global.images.istio_pilot.containerRegistryPath = \"europe-west1-docker.pkg.dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio.global.images.istio_pilot.directory = \"sap-cp-cmp-dev/ucl-dev\"" "${MINIMAL_OVERRIDES_TEMP}"
-  yq -i ".istio.global.images.istio_pilot.version = \"1.14.4-distroless\"" "${MINIMAL_OVERRIDES_TEMP}"
-fi
-
 trap "rm -f ${MINIMAL_OVERRIDES_TEMP}" EXIT INT TERM
 
 KYMA_SOURCE=$(<"${ROOT_PATH}"/installation/resources/KYMA_VERSION)

diff --git a/installation/scripts/prom-mtls-patch.sh b/installation/scripts/prom-mtls-patch.sh
@@ -8,6 +8,9 @@ function enableNodeExporterMTLS() {
   # The patches around the DaemonSet involve an addition of two init containers that together setup certificates
   # for the node-exporter application to use. There are also two new mounts - a shared directory (node-certs)
   # and the Istio CA secret (istio-certs).
+  # This can be moved to the Helm values.yaml but it depends on the existence of Istio (its certificate Secret has to be
+  # replicated in the kyma-system namespace as well). As Istio and the monitoring stack are both deployed by Kyma this
+  # Secret replication is tricky, that's why the patch is kept.
 
   daemonset=$(cat <<"EOF"
 apiVersion: apps/v1
@@ -164,7 +167,6 @@ function patchKymaServiceMonitorsForMTLS() {
   # Some of the ServiceMonitor MTLS overrides were moved to the Kyma Helm chart overrides
   kymaSvcMonitors=(
     monitoring-operator
-    monitoring-prometheus-pushgateway
     ory-stack-oathkeeper-maester
   )
 

diff --git a/installation/scripts/prow/jobs/compass-gke-benchmark.sh b/installation/scripts/prow/jobs/compass-gke-benchmark.sh
@@ -162,7 +162,7 @@ function installHelm() {
 }
 
 function installKymaCLI() {
-  KYMA_CLI_VERSION="2.8.0"
+  KYMA_CLI_VERSION="2.8.4"
   log::info "Installing Kyma CLI version: $KYMA_CLI_VERSION"
 
   PREV_WD=$(pwd)
@@ -214,9 +214,6 @@ function installCompassOld() {
   COMPASS_OVERRIDES="$PWD/compass_benchmark_overrides.yaml"
   COMPASS_COMMON_OVERRIDES="$PWD/compass_common_overrides.yaml"
 
-  echo "Installing Ory"
-  installOry
-
   echo 'Installing DB'
   mkdir "$COMPASS_SOURCES_DIR/installation/data"
   bash "${COMPASS_SCRIPTS_DIR}"/install-db.sh --overrides-file "${COMPASS_OVERRIDES}" --overrides-file "${COMPASS_COMMON_OVERRIDES}" --timeout 30m0s
@@ -247,9 +244,6 @@ function installCompassNew() {
   COMPASS_OVERRIDES="$PWD/compass_benchmark_overrides.yaml"
   COMPASS_COMMON_OVERRIDES="$PWD/compass_common_overrides.yaml"
 
-  echo "Installing Ory"
-  installOry
-
   echo 'Installing DB'
   bash "${COMPASS_SCRIPTS_DIR}"/install-db.sh --overrides-file "${COMPASS_OVERRIDES}" --overrides-file "${COMPASS_COMMON_OVERRIDES}" --timeout 30m0s
   STATUS=$(helm status localdb -n compass-system -o json | jq .info.status)
@@ -304,6 +298,9 @@ installKymaCLI
 log::info "Installing Kyma"
 installKyma
 
+log::info "Installing Ory"
+installOry
+
 NEW_VERSION_COMMIT_ID=$(cd "$COMPASS_SOURCES_DIR" && git rev-parse --short HEAD)
 log::info "Install Compass version from main"
 installCompassOld

diff --git a/installation/scripts/prow/jobs/provision-compass.sh b/installation/scripts/prow/jobs/provision-compass.sh
@@ -48,7 +48,7 @@ cp yq "$HOME/bin/yq" && cp yq "/usr/local/bin/yq"
 log::info "Successfully installed yq version: $YQ_VERSION"
 
 # Install Kyma to be later used in run.sh
-KYMA_CLI_VERSION="2.8.0"
+KYMA_CLI_VERSION="2.8.4"
 log::info "Installing Kyma CLI version: $KYMA_CLI_VERSION"
 
 curl -Lo kyma.tar.gz "https://github.com/kyma-project/cli/releases/download/${KYMA_CLI_VERSION}/kyma_Linux_x86_64.tar.gz" \