Update Helm release etcd to v11

Signed-off-by: Renovate Bot <tech+renovate@vshn.ch>

Author: vshn-renovate

class/defaults.yml

@@ -23,7 +23,7 @@ parameters:
     charts:
       etcd:
         source: https://charts.bitnami.com/bitnami
-        version: "9.1.0"
+        version: "11.2.3"
 
     helm_release_name: ${_instance}
     helm_values:

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/networkpolicy.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: etcd
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
+  name: etcd
+  namespace: syn-etcd
+spec:
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 2379
+        - port: 2380
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: etcd
+      app.kubernetes.io/instance: etcd
+      app.kubernetes.io/name: etcd
+  policyTypes:
+    - Ingress
+    - Egress

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/pdb.yaml

@@ -2,10 +2,12 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   labels:
+    app.kubernetes.io/component: etcd
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: etcd
-    helm.sh/chart: etcd-9.1.0
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
   name: etcd
   namespace: syn-etcd
 spec:

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/preupgrade-hook-job.yaml

@@ -0,0 +1,127 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+  labels:
+    app.kubernetes.io/component: etcd-pre-upgrade-job
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
+  name: etcd-pre-upgrade
+  namespace: syn-etcd
+spec:
+  template:
+    metadata:
+      annotations: null
+      labels:
+        app.kubernetes.io/component: etcd-pre-upgrade-job
+        app.kubernetes.io/instance: etcd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: etcd
+        app.kubernetes.io/version: 3.5.21
+        helm.sh/chart: etcd-11.2.3
+    spec:
+      affinity:
+        nodeAffinity: null
+        podAffinity: null
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/component: etcd-pre-upgrade-job
+                    app.kubernetes.io/instance: etcd
+                    app.kubernetes.io/name: etcd
+                topologyKey: kubernetes.io/hostname
+              weight: 1
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - /opt/bitnami/scripts/etcd/preupgrade.sh
+          command:
+            - /opt/bitnami/scripts/etcd/entrypoint.sh
+          env:
+            - name: BITNAMI_DEBUG
+              value: 'false'
+            - name: ETCD_ON_K8S
+              value: 'yes'
+            - name: ETCD_DATA_DIR
+              value: /bitnami/etcd/data
+            - name: ETCD_ROOT_PASSWORD_FILE
+              value: /opt/bitnami/etcd/secrets/password
+            - name: ETCD_INITIAL_CLUSTER
+              value: etcd-0=https://etcd-0.etcd-headless.syn-etcd.svc.cluster.local:2379
+            - name: ETCD_CERT_FILE
+              value: /opt/bitnami/etcd/certs/client/cert.pem
+            - name: ETCD_KEY_FILE
+              value: /opt/bitnami/etcd/certs/client/key.pem
+            - name: ETCD_EXTRA_AUTH_FLAGS
+              value: --insecure-skip-tls-verify
+          envFrom: null
+          image: docker.io/bitnami/etcd:3.5.21-debian-12-r3
+          imagePullPolicy: IfNotPresent
+          name: pre-upgrade-job
+          resources:
+            limits:
+              cpu: 375m
+              ephemeral-storage: 2Gi
+              memory: 384Mi
+            requests:
+              cpu: 250m
+              ephemeral-storage: 50Mi
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add: []
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
+            runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /opt/bitnami/etcd/conf/
+              name: empty-dir
+              subPath: app-conf-dir
+            - mountPath: /tmp
+              name: empty-dir
+              subPath: tmp-dir
+            - mountPath: /opt/bitnami/etcd/certs/token/
+              name: etcd-jwt-token
+              readOnly: true
+            - mountPath: /opt/bitnami/etcd/certs/client/
+              name: etcd-client-certs
+              readOnly: true
+            - mountPath: /opt/bitnami/etcd/secrets
+              name: etcd-secrets
+      restartPolicy: Never
+      securityContext:
+        fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
+      volumes:
+        - emptyDir: {}
+          name: empty-dir
+        - name: etcd-jwt-token
+          secret:
+            defaultMode: 256
+            secretName: etcd-etcd-token-private-key
+        - name: etcd-client-certs
+          secret:
+            defaultMode: 256
+            secretName: etcd-etcd-client-auth
+        - name: etcd-secrets
+          projected:
+            sources:
+              - secret:
+                  name: etcd-etcd-root-auth

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
+  name: etcd
+  namespace: syn-etcd

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/statefulset.yaml

@@ -6,7 +6,8 @@ metadata:
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: etcd
-    helm.sh/chart: etcd-9.1.0
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
   name: etcd
   namespace: syn-etcd
 spec:
@@ -26,7 +27,8 @@ spec:
         app.kubernetes.io/instance: etcd
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: etcd
-        helm.sh/chart: etcd-9.1.0
+        app.kubernetes.io/version: 3.5.21
+        helm.sh/chart: etcd-11.2.3
     spec:
       affinity:
         nodeAffinity: null
@@ -36,10 +38,12 @@ spec:
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
+                    app.kubernetes.io/component: etcd
                     app.kubernetes.io/instance: etcd
                     app.kubernetes.io/name: etcd
                 topologyKey: kubernetes.io/hostname
               weight: 1
+      automountServiceAccountToken: false
       containers:
         - env:
             - name: BITNAMI_DEBUG
@@ -70,11 +74,8 @@ spec:
               value: info
             - name: ALLOW_NONE_AUTHENTICATION
               value: 'no'
-            - name: ETCD_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: etcd-etcd-root-auth
+            - name: ETCD_ROOT_PASSWORD_FILE
+              value: /opt/bitnami/etcd/secrets/password
             - name: ETCD_AUTH_TOKEN
               value: jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m
             - name: ETCD_ADVERTISE_CLIENT_URLS
@@ -125,13 +126,34 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 375m
+              ephemeral-storage: 2Gi
+              memory: 384Mi
+            requests:
+              cpu: 250m
+              ephemeral-storage: 50Mi
+              memory: 256Mi
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
+            - mountPath: /opt/bitnami/etcd/conf/
+              name: empty-dir
+              subPath: app-conf-dir
+            - mountPath: /tmp
+              name: empty-dir
+              subPath: tmp-dir
             - mountPath: /bitnami/etcd
               name: data
             - mountPath: /opt/bitnami/etcd/certs/token/
@@ -143,10 +165,17 @@ spec:
             - mountPath: /opt/bitnami/etcd/certs/peer/
               name: etcd-peer-certs
               readOnly: true
+            - mountPath: /opt/bitnami/etcd/secrets
+              name: etcd-secrets
       securityContext:
         fsGroup: 1001
-      serviceAccountName: default
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
+      serviceAccountName: etcd
       volumes:
+        - emptyDir: {}
+          name: empty-dir
         - name: etcd-jwt-token
           secret:
             defaultMode: 256
@@ -159,6 +188,11 @@ spec:
           secret:
             defaultMode: 256
             secretName: etcd-etcd-peer-auth
+        - name: etcd-secrets
+          projected:
+            sources:
+              - secret:
+                  name: etcd-etcd-root-auth
   updateStrategy:
     type: RollingUpdate
   volumeClaimTemplates:

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc-headless.yaml

@@ -4,10 +4,12 @@ metadata:
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true'
   labels:
+    app.kubernetes.io/component: etcd
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: etcd
-    helm.sh/chart: etcd-9.1.0
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
   name: etcd-headless
   namespace: syn-etcd
 spec:
@@ -21,6 +23,7 @@ spec:
       targetPort: peer
   publishNotReadyAddresses: true
   selector:
+    app.kubernetes.io/component: etcd
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/name: etcd
   type: ClusterIP

tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc.yaml

@@ -1,12 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
+    app.kubernetes.io/component: etcd
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: etcd
-    helm.sh/chart: etcd-9.1.0
+    app.kubernetes.io/version: 3.5.21
+    helm.sh/chart: etcd-11.2.3
   name: etcd
   namespace: syn-etcd
 spec:
@@ -20,6 +21,7 @@ spec:
       port: 2380
       targetPort: peer
   selector:
+    app.kubernetes.io/component: etcd
     app.kubernetes.io/instance: etcd
     app.kubernetes.io/name: etcd
   sessionAffinity: None