Revert "beta to stable"

cluster/cluster.yaml

@@ -399,7 +399,7 @@ Resources:
     Type: AWS::EKS::Addon
     Properties:
       AddonName: vpc-cni
-      AddonVersion: "v1.21.1-eksbuild.7"
+      AddonVersion: "v1.21.1-eksbuild.3"
       ClusterName: !Ref EKSCluster
       ConfigurationValues: !Sub |
 {{- if eq .Cluster.ConfigItems.aws_vpc_cni_custom_networking "true" }}
@@ -434,7 +434,7 @@ Resources:
     Type: AWS::EKS::Addon
     Properties:
       AddonName: eks-pod-identity-agent
-      AddonVersion: "v1.3.10-eksbuild.3"
+      AddonVersion: "v1.3.10-eksbuild.2"
       ClusterName: !Ref EKSCluster
       ConfigurationValues: |
         {
@@ -447,7 +447,7 @@ Resources:
     Type: AWS::EKS::Addon
     Properties:
       AddonName: kube-proxy
-      AddonVersion: "v1.35.3-eksbuild.5"
+      AddonVersion: "v1.35.0-eksbuild.2"
       ClusterName: !Ref EKSCluster
       ConfigurationValues: |
         {
@@ -461,7 +461,7 @@ Resources:
     Type: AWS::EKS::Addon
     Properties:
       AddonName: eks-node-monitoring-agent
-      AddonVersion: "v1.6.3-eksbuild.1"
+      AddonVersion: "v1.6.1-eksbuild.1"
       ClusterName: !Ref EKSCluster
       ConfigurationValues: |
         {

cluster/config-defaults.yaml

@@ -220,10 +220,34 @@ skipper_idle_timeout_server: "352s"
 skipper_termination_grace_period: "392"
 
 # skipper redis settings
-skipper_redis_cleanup_enabled: "true"
+skipper_redis_cleanup_enabled: "false" # if set to true we should be able to cleanup all of the cfg items below
+skipper_redis_cpu: "100m"
+skipper_redis_memory: "512Mi"
+skipper_redis_dial_timeout: "25ms"
+skipper_redis_pool_timeout: "250ms"
+skipper_redis_read_timeout: "25ms"
+skipper_redis_write_timeout: "25ms"
+skipper_redis_min_conns: 25
+skipper_redis_max_conns: 100
+skipper_ingress_redis_swarm_enabled: "true"
+skipper_ingress_redis_target_average_utilization_cpu: "30"
+skipper_ingress_redis_target_average_utilization_memory: "60"
+skipper_ingress_redis_min_replicas: "1"
+skipper_ingress_redis_max_replicas: "100"
+skipper_ingress_redis_cluster_scaling_schedules: ""
+skipper_ingress_redis_hpa_scale_down_wait: "600"
 # requires cleanup in cluster.yaml
 skipper_ingress_redis_swim_enabled: "false"
 
+# to switch redis/valkey force and back
+# switch to redis: "redis"
+# switch to valkey: "valkey"
+{{if eq .Cluster.Environment "production"}}
+skipper_ingress_swarm_type: "redis"
+{{else}}
+skipper_ingress_swarm_type: "valkey"
+{{end}}
+
 # skipper valkey settings
 skipper_valkey_cpu: "100m"
 skipper_valkey_memory: "512Mi"
@@ -460,7 +484,6 @@ skipper_open_policy_agent_enabled: "false"
 skipper_open_policy_agent_styra_token: ""
 skipper_open_policy_agent_data_preprocessing_optimization_enabled: "true"
 skipper_open_policy_agent_preloading_enabled: "true"
-skipper_open_policy_agent_print_tracing_enabled: "true"
 skipper_open_policy_agent_decision_log_export_enabled: "false"
 skipper_open_policy_agent_console_logs_enabled: "false"
 skipper_open_policy_agent_decision_log_s3_endpoint: ""

cluster/manifests/01-coredns-local/daemonset-coredns.yaml

@@ -111,7 +111,7 @@ spec:
           name: unbound-socket
           readOnly: false
       - name: coredns
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/coredns:1.14.3-master-34
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/coredns:1.14.2-master-33
         args: [ "-conf", "/etc/coredns/Corefile" ]
         env:
         - name: ZONE

cluster/manifests/02-scheduled-scaling-vpa/cronjob.yaml

@@ -33,5 +33,5 @@ spec:
           restartPolicy: Never
           containers:
           - name: main
-            image: container-registry.zalando.net/cloud-platform/scheduled-scaling-vpa:main-8
+            image: container-registry.zalando.net/cloud-platform/scheduled-scaling-vpa:main-7
 {{- end }}

cluster/manifests/03-skipper-validation-webhook/deployment.yaml

@@ -54,6 +54,43 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: skipper-validation-webhook
       containers:
+{{- if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+      - name: redis-sidecar
+        image: container-registry.zalando.net/library/redis-7-alpine:7.2-alpine-20250805
+        args:
+        - /usr/local/bin/docker-entrypoint.sh
+        - --save
+        - ""  # Disable persistence for sidecar use
+        - --maxmemory
+        - "256mb"
+        - --maxmemory-policy
+        - "allkeys-lru"
+        ports:
+        - containerPort: 6379
+          protocol: TCP
+          name: redis
+        readinessProbe:
+          exec:
+            command:
+            - redis-cli
+            - ping
+          failureThreshold: 3
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "128Mi"
+          limits:
+            cpu: "100m"
+            memory: "128Mi"
+        lifecycle:
+          preStop:
+            sleep:
+              seconds: 10
+{{- else if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "valkey" }}
       - name: valkey-sidecar
         image: container-registry.zalando.net/library/valkey-9-alpine:9-alpine3.22-20260414
         args:
@@ -89,8 +126,9 @@ spec:
           preStop:
             sleep:
               seconds: 10
+{{ end }}
       - name: skipper-admission-webhook
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.24.80
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.24.71
         env:
 {{ if or (eq .Cluster.ConfigItems.skipper_local_tokeninfo "production") (eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge") }}
         - name: LOCAL_TOKENINFO
@@ -152,9 +190,20 @@ spec:
           - "-enable-ratelimits"
           - "-enable-swarm"
           - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+{{- if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "valkey" }}
           - "-swarm-valkey-conn-timeout=5s"
           - "-swarm-valkey-update-interval=720h"
           - "-swarm-valkey-urls=127.0.0.1:6379"
+{{- else if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+          - "-swarm-redis-dial-timeout=5s"
+          - "-swarm-redis-pool-timeout=5s"
+          - "-swarm-redis-read-timeout=5s"
+          - "-swarm-redis-write-timeout=5s"
+          - "-swarm-redis-heartbeat-frequency=720h"
+          - "-swarm-redis-min-conns=1"
+          - "-swarm-redis-max-conns=1"
+          - "-swarm-redis-urls=127.0.0.1:6379"
+{{ end }}
           - "-lua-sources={{ .Cluster.ConfigItems.skipper_lua_sources }}"
           - "-default-filters-dir=/etc/config/default-filters"
           - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}'

cluster/manifests/audittrail-adapter/daemonset.yaml

@@ -34,7 +34,7 @@ spec:
       hostNetwork: true
       containers:
       - name: audittrail-adapter
-        image: container-registry.zalando.net/teapot/audittrail-adapter:master-109
+        image: container-registry.zalando.net/teapot/audittrail-adapter:master-107
         env:
           - name: AWS_REGION
             value: "{{ .Cluster.Region }}"

cluster/manifests/deletions.yaml

@@ -304,7 +304,7 @@ post_apply:
 - name: wiz-sensor
   kind: ServiceAccount
   namespace: wiz
-- name: wiz-sensor-api-token
+- name: wiz-sensor-apikey
   kind: Secret
   namespace: wiz
 - name: wiz-sensor
@@ -314,13 +314,6 @@ post_apply:
   kind : ClusterRoleBinding
   namespace: wiz
 {{- end }}
-# cleanup unused wiz secrets, regardless of sensor/connector status
-- name: wiz-sensor-apikey
-  kind: Secret
-  namespace: wiz
-- name: custom-wiz-sensor-api-token
-  kind: Secret
-  namespace: wiz
 {{- if and (ne .Cluster.ConfigItems.wiz_enable_runtime_connector_broker "true") (ne .Cluster.ConfigItems.wiz_enable_runtime_sensor "true") }}
 - name: wiz
   kind: Namespace

cluster/manifests/deployment-service/status-service-deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-309" }}
+# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-307" }}
 # {{ $version := index (split $image ":") 1 }}
 
 apiVersion: apps/v1

cluster/manifests/kube-node-decommissioner/cronjob.yaml

@@ -29,7 +29,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: kube-node-decommissioner
-            image: container-registry.zalando.net/teapot/kube-node-decommissioner:main-20
+            image: container-registry.zalando.net/teapot/kube-node-decommissioner:main-19
             resources:
               limits:
                 cpu: "{{.Cluster.ConfigItems.kube_node_decommissioner_cpu}}"

cluster/manifests/skipper/deployment.yaml

@@ -1,7 +1,7 @@
 {{/* image-updater-bot detects *image variables so use name with suffix to disable it for the main image */}}
 
 {{ $main_image_updated_manually := "container-registry.zalando.net/teapot/skipper-internal:v0.24.74-1406" }}
-{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.24.80-1412" }}
+{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.24.74-1406" }}
 
 {{/* Allow to override manually canary image by config item */}}
 {{ if ne .Cluster.ConfigItems.skipper_ingress_canary_image "" }}
@@ -223,7 +223,7 @@ spec:
           - "-validate-query={{ .Cluster.ConfigItems.skipper_validate_query }}"
           - "-validate-query-log={{ .Cluster.ConfigItems.skipper_validate_query_log }}"
 {{ if eq .Cluster.ConfigItems.skipper_routesrv_enabled "exec" }}
-{{ if ne .name "skipper-ingress-canary" }}
+{{ if ne "{{ .name }}" "skipper-ingress-canary" }}
           - "-routes-urls=http://skipper-ingress-routesrv.kube-system.svc.cluster.local/routes"
 {{ end }}
           - "-normalize-host"
@@ -281,8 +281,18 @@ spec:
           - "-max-audit-body=0"
           - "-enable-swarm"
           - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+          - "-swarm-redis-dial-timeout={{ .Cluster.ConfigItems.skipper_redis_dial_timeout }}"
+          - "-swarm-redis-pool-timeout={{ .Cluster.ConfigItems.skipper_redis_pool_timeout }}"
+          - "-swarm-redis-read-timeout={{ .Cluster.ConfigItems.skipper_redis_read_timeout }}"
+          - "-swarm-redis-write-timeout={{ .Cluster.ConfigItems.skipper_redis_write_timeout }}"
+          - "-swarm-redis-min-conns={{ .Cluster.ConfigItems.skipper_redis_min_conns }}"
+          - "-swarm-redis-max-conns={{ .Cluster.ConfigItems.skipper_redis_max_conns }}"
+          - "-swarm-redis-remote=http://skipper-ingress-routesrv.kube-system.svc.cluster.local/swarm/redis/shards"
+{{ else if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "valkey" }}
           - "-swarm-valkey-conn-timeout={{ .Cluster.ConfigItems.skipper_valkey_conn_timeout }}"
           - "-swarm-valkey-remote=http://skipper-ingress-routesrv.kube-system.svc.cluster.local/swarm/valkey/shards"
+{{ end }}
           - "-histogram-metric-buckets=.0001,.00025,.0005,.00075,.001,.0025,.005,.0075,.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600"
 {{if ne .Cluster.ConfigItems.skipper_ingress_response_size_buckets ""}}
           - "-response-size-buckets={{ .Cluster.ConfigItems.skipper_ingress_response_size_buckets }}"
@@ -384,9 +394,6 @@ spec:
           - "-open-policy-agent-envoy-metadata=/etc/skipper/open-policy-agent/envoymetadata.json"
           - "-enable-open-policy-agent-data-preprocessing-optimization={{ .Cluster.ConfigItems.skipper_open_policy_agent_data_preprocessing_optimization_enabled }}"
           - "-enable-open-policy-agent-preloading={{ .Cluster.ConfigItems.skipper_open_policy_agent_preloading_enabled }}"
-{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_print_tracing_enabled "true" }}
-          - "-enable-open-policy-agent-print-tracing"
-{{ end }}
 {{ end }}
 {{ if or (eq .Cluster.ConfigItems.nlb_switch "pre") (eq .Cluster.ConfigItems.nlb_switch "exec") }}
           - "-forwarded-headers=X-Forwarded-For,X-Forwarded-Proto=https,X-Forwarded-Port=443"
@@ -659,9 +666,15 @@ spec:
           - '-default-filters-append={{ .Cluster.ConfigItems.skipper_default_filters_authentication }}'
           - '-default-filters-append={{ .Cluster.ConfigItems.skipper_default_filters_append }}'
           - "-enable-swarm"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+          - "-kubernetes-redis-service-namespace=kube-system"
+          - "-kubernetes-redis-service-name=skipper-ingress-redis"
+          - "-kubernetes-redis-service-port=6379"
+{{ else if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "valkey" }}
           - "-kubernetes-valkey-service-namespace=kube-system"
           - "-kubernetes-valkey-service-name=skipper-ingress-valkey"
           - "-kubernetes-valkey-service-port=6379"
+{{ end }}
 {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
           - "-enable-oauth2-grant-flow"
           - "-oauth2-callback-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}"

cluster/manifests/skipper/hpa-redis.yaml

@@ -0,0 +1,56 @@
+{{- if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: skipper-ingress-redis
+  namespace: kube-system
+  labels:
+    application: skipper-ingress-redis
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: skipper-ingress-redis
+  minReplicas: {{ .Cluster.ConfigItems.skipper_ingress_redis_min_replicas }}
+  maxReplicas: {{ .Cluster.ConfigItems.skipper_ingress_redis_max_replicas }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Cluster.ConfigItems.skipper_ingress_redis_target_average_utilization_cpu }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Cluster.ConfigItems.skipper_ingress_redis_target_average_utilization_memory }}
+{{ if .Cluster.ConfigItems.skipper_ingress_redis_cluster_scaling_schedules }}
+  {{ range split .Cluster.ConfigItems.skipper_ingress_redis_cluster_scaling_schedules "," }}
+  {{ $name_target := split . "=" }}
+  - type: Object
+    object:
+      describedObject:
+        apiVersion: zalando.org/v1
+        kind: ClusterScalingSchedule
+        name: {{ index $name_target 0 }}
+      metric:
+        name: {{ index $name_target 0 }}
+      target:
+        averageValue: {{ index $name_target 1 }}
+        type: AverageValue
+  {{ end }}
+{{ end }}
+  behavior:
+    scaleDown:
+      stabilizationWindowSeconds: {{ .Cluster.ConfigItems.skipper_ingress_redis_hpa_scale_down_wait }}
+      policies:
+      - type: Pods
+        value: 10
+        periodSeconds: 60
+      - type: Percent
+        value: 100
+        periodSeconds: 60
+      selectPolicy: Min
+{{ end }}

cluster/manifests/skipper/hpa-valkey.yaml

@@ -1,3 +1,4 @@
+{{- if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "valkey" }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
@@ -53,3 +54,4 @@ spec:
         value: 100
         periodSeconds: 60
       selectPolicy: Min
+{{ end }}

cluster/manifests/skipper/pod-deletion-cost-controller.yaml

@@ -35,7 +35,7 @@ spec:
         - -resync
         - -resync-interval={{ .Cluster.ConfigItems.skipper_pod_deletion_cost_controller_resync_interval }}
         # {{ end }}
-        image: container-registry.zalando.net/gwproxy/pod-deletion-cost-controller:main-37
+        image: container-registry.zalando.net/gwproxy/pod-deletion-cost-controller:main-35
         name: pod-deletion-cost-controller
         terminationMessagePolicy: FallbackToLogsOnError
         ports:

cluster/manifests/skipper/skipper-redis-service.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Cluster.ConfigItems.skipper_ingress_swarm_type "redis" }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    application: skipper-ingress-redis
+  name: skipper-ingress-redis
+  namespace: kube-system
+spec:
+  clusterIP: None
+  ports:
+  - port: 6379
+    protocol: TCP
+    targetPort: 6379
+  selector:
+    application: skipper-ingress-redis
+  type: ClusterIP
+{{ end }}