kong 3.4 + PSS/PSP migration

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Changes
+
+- Align with upstream chart version [2.29.0](https:/Kong/charts/releases/tag/kong-2.29.0) ([Changes in upstream repository](https:/Kong/charts/compare/kong-2.23.0...kong-2.29.0))
+- Update kong to [3.4.1](https:/Kong/kong/blob/3.4.1/CHANGELOG.md#341)
+- Update kong ingress controller to [2.12.0](https:/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#2120)
+- Execute enterprise tests with kong-gateway container image version [3.4.1.0-debian](https://docs.konghq.com/gateway/changelog/#3410)
+- Add `Values.global.podSecurityStandards.enforced` flag in preparation of PSP to PSS migration
+
 ## [3.4.0] - 2023-08-22
 
 ### Changes

README.md

@@ -12,7 +12,7 @@ Giant Swarm offers a Kong Managed App which can be installed in workload cluster
 
 | Giant Swarm Chart Release | Upstream Chart Release | Kong Version | Kong IC Version | Kong-Gateway Enterprise container tag |
 | --- | --- | --- | --- | --- |
-| Unreleased | [2.23.0](https:/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2230) | [3.3.1](https:/Kong/kong/blob/3.3.1/CHANGELOG.md#331) | [2.10.4](https:/Kong/kubernetes-ingress-controller/blob/v2.10.4/CHANGELOG.md#2103) | 3.3.1.0-debian |
+| Unreleased | [2.29.0](https:/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2290) | [3.4.1](https:/Kong/kong/blob/3.4.1/CHANGELOG.md#341) | [2.12.0](https:/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#2111) | 3.4.1.0-debian |
 | [v3.4.0](https:/giantswarm/kong-app/blob/main/CHANGELOG.md#340---2023-08-22) | [2.23.0](https:/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2230) | [3.3.1](https:/Kong/kong/blob/3.3.1/CHANGELOG.md#331) | [2.10.4](https:/Kong/kubernetes-ingress-controller/blob/v2.10.4/CHANGELOG.md#2103) | 3.3.1.0-debian |
 | [v3.3.0](https:/giantswarm/kong-app/blob/main/CHANGELOG.md#330---2023-05-17) | [2.21.0](https:/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2210) | [3.2.2](https:/Kong/kong/blob/3.2.2/CHANGELOG.md#322) | [2.9.3](https:/Kong/kubernetes-ingress-controller/blob/v2.9.3/CHANGELOG.md#293) | 3.2.2.1-debian |
 | [v3.2.0](https:/giantswarm/kong-app/blob/main/CHANGELOG.md#320---2023-05-04) | [2.20.1](https:/Kong/charts/blob/main/charts/kong/CHANGELOG.md#2201) | [3.2.2](https:/Kong/kong/blob/3.2.2/CHANGELOG.md#322) | [2.9.3](https:/Kong/kubernetes-ingress-controller/blob/v2.9.3/CHANGELOG.md#293) | 3.2.2.1-debian |

helm/kong-app/CHANGELOG.md

@@ -2,14 +2,128 @@
 
 ## Unreleased
 
+Nothing yet.
+
+## 2.29.0
+
+### Improvements
+* Make it possible to set the admission webhook's `timeoutSeconds`.
+
+## 2.28.1
+
+### Fixed
+
+* The admission webhook now includes Gateway API resources and Ingress
+ resources for controller versions 2.12+. This version introduces new
+ validations for Kong's regex path implementation.
+
+## 2.28.0
+
+### Improvements
+
+* Bump default `kong` image tag to 3.4.
+ [#883](https:/Kong/charts/pull/883)
+* Bump default ingress controller image tag to 2.12.
+* Added validation rule for `latency` upstream load balancing algorithm to
+ CRDs. [Upgrade your CRDs](https:/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds)
+ when installing this release.
+
+## 2.27.0
+
+### Improvements
+
+* Listens now all support `.address` configuration. This was an existing
+ setting that was not applied properly for some listens.
+ [#881](https:/Kong/charts/pull/881)
+
+## 2.26.5
+
+### Fixed 
+
+* Kuma ServiceAccount Token hints and volumes are also available in migrations
+ Pods.
+ [#877](https:/Kong/charts/pull/877)
+
+## 2.26.4
+
+### Fixed 
+
+* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). 
+
+## 2.26.3
+
+### Fixed 
+
+* Enabled Service and Ingress in Kong Manager for non enterprise users.
+
+## 2.26.2
+
+### Fixed 
+
+* Add missing CRD KongConsumerGroup and extend status subresource for CRDs
+
+## 2.26.1
+
+### Fixed
+
+* Fix parsing enterprise tags (like e.g. `3.4.0.0`)
+ [#857](https:/Kong/charts/pull/857)
+
+## 2.26.0
+
+### Breaking changes
+
+2.26 changes the default proxy readiness endpoint for newer Kong versions. This
+causes an issue in a narrow edge case. If all of the following are true:
+
+* You use Kong 3.3 or newer.
+* You use controller 2.10 or older.
+* You run the controller and proxy in separate Deployments.
+
+you are affected and should review [the 2.26 upgrade instructions](https:/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260).
+
 ### Improvements
+
+* Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if
+ available. If not available, use the old `/status` default.
+ [#844](https:/Kong/charts/pull/844)
+* Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
+ to the the init and pre-upgrade migrations Jobs.
+* Add controller's RBAC rules for `KongConsumerGroups` CRD.
+ [#850](https:/Kong/charts/pull/850)
+* Updated controller version to 2.11.
+
+## 2.25.0
+
+- Generate the `adminApiService.name` value from `.Release.Name` rather than
+ hardcoding to `kong`
+ [#839](https:/Kong/charts/pull/839)
+
+## 2.24.0
+
+### Improvements
+
 * Running `tpl` against user-supplied labels and annotations used in Deployment
- #### example:
+ [#814](https:/Kong/charts/pull/814)
+
+ Example:
  ```yaml
  podLabels:
  version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream
  ```
- [#814](https:/Kong/charts/pull/814)
+
+* Fail to render templates when PodSecurityPolicy was requested but cluster doesn't
+ serve its API.
+ [#823](https:/Kong/charts/pull/823)
+* Add support for multiple hosts and tls configurations for Kong proxy `Ingress`.
+ [#813](https:/Kong/charts/pull/813)
+* Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images.
+ [#834](https:/Kong/charts/pull/834)
+
+### Fixed
+
+* Fix Ingress and HPA API versions during capabilities checking
+ [#827](https:/Kong/charts/pull/827)
 
 ## 2.23.0
 
@@ -49,7 +163,7 @@
 
 ## 2.20.2
 
-### Fixed 
+### Fixed
 
 * Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
  is disabled by default.

helm/kong-app/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
  version: 11.9.13
 - name: kubectl-apply-job
  repository: https://giantswarm.github.io/giantswarm-playground-catalog
- version: 0.5.0
-digest: sha256:d4a83cf99b88c825bc7ef7b57d1ae81ea5165b7ed286f2e4704ee47b5a5308ab
-generated: "2023-05-10T11:06:29.427359585+02:00"
+ version: 0.6.0
+digest: sha256:0c2d305422eab215a4c44a89c0e4cfba43fd2fcd89a53d3ef992dfa9526c127d
+generated: "2023-10-05T16:27:58.100212305+02:00"

helm/kong-app/Chart.yaml

@@ -13,7 +13,7 @@ sources:
  - https://konghq.com/
  - https:/Kong/charts/tree/main/charts/kong
 version: 3.4.0
-appVersion: "3.3.1"
+appVersion: "3.4.1"
 annotations:
  application.giantswarm.io/team: team-cabbage
 kubeVersion: ">=1.22.0-0"
@@ -23,5 +23,5 @@ dependencies:
  repository: https://charts.bitnami.com/bitnami
  condition: postgresql.enabled
  - name: kubectl-apply-job
- version: "0.5.0"
+ version: "0.6.0"
  repository: https://giantswarm.github.io/giantswarm-playground-catalog