Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md

Merge remote-tracking branch 'upstream/master'
79996706 · Benguria Elguezabal, Gorka · c429d4cf · 594027b9 · 79996706 · 79996706
Commit 79996706 authored 2 months ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [6.5.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/compare/6.4.0...6.5.0) (2025-01-29)
+## [7.3.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.3.0...7.3.1) (2025-04-11)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([f8164e7](https://gitlab.com/to-be-continuous/kubernetes/commit/f8164e79e74a592742ceb94b23aa7cfdfc845798)), closes [#50](https://gitlab.com/to-be-continuous/kubernetes/issues/50)
+
+# [7.3.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.2.1...7.3.0) (2025-03-10)
+
+
+### Features
+
+* skip GCP ADC authent when GCP_JWT is not present ([9ffc632](https://gitlab.com/to-be-continuous/kubernetes/commit/9ffc6327e2f6b1f9775457eb413799d4ca4090c3))
+
+## [7.2.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.2.0...7.2.1) (2025-02-25)
+
+
+### Bug Fixes
+
+* **security:** remove generated-deployment.yml from artifact ([24ea8bd](https://gitlab.com/to-be-continuous/kubernetes/commit/24ea8bde6ffa706d8f42694872242050f2c574e1))
+
+# [7.2.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.1.1...7.2.0) (2025-02-24)
+
+
+### Features
+
+* **AWS:** add AWS authent with STS ([a08a897](https://gitlab.com/to-be-continuous/kubernetes/commit/a08a897a2615d0c7e984ebee8842d795cf6d84b9))
+
+## [7.1.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.1.0...7.1.1) (2025-02-03)
+
+
+### Bug Fixes
+
+* **gcp:** reduce scope of GCP App Default Creds script to template ([8a3c727](https://gitlab.com/to-be-continuous/kubernetes/commit/8a3c72777b9bcc1dbb205464903c00feb6ccf753))
+
+# [7.1.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.0.0...7.1.0) (2025-02-01)
+
+
+### Features
+
+* **kustomize:** add TBC envsubst support for Kustomize based deployment ([ad7d3b6](https://gitlab.com/to-be-continuous/kubernetes/commit/ad7d3b65573396c8f9b5ca04447398fe3c89e3e6))
+
+# [7.0.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.5.0...7.0.0) (2025-01-31)
+
+
+### Features
+
+* variables substitution enhancements ([4023f7f](https://gitlab.com/to-be-continuous/kubernetes/commit/4023f7f862fd89b30067c6d548d4dbf06016f622))
+
+
+### BREAKING CHANGES
+
+* Now the variables substitution mechanism
+implements complete YAML string encoding.
+That might break projects that used to workaround the former
+implementation flaws.
+
+# [6.5.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.4.0...6.5.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
--- a/kicker.json
+++ b/kicker.json
@@ -95,7 +95,7 @@
    {
      "id": "review",
      "name": "Review",
-      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/))",
+      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ci/review_apps/))",
      "variables": [
        {
          "name": "K8S_REVIEW_SPACE",
@@ -360,7 +360,7 @@
      "variables": [
        {
          "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
@@ -370,7 +370,7 @@
        },
        {
          "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
        },
        {
          "name": "GCP_REVIEW_OIDC_ACCOUNT",
@@ -379,7 +379,7 @@
        },
        {
          "name": "GCP_REVIEW_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment",
          "advanced": true
        },
        {
@@ -389,7 +389,7 @@
        },
        {
          "name": "GCP_INTEG_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment",
          "advanced": true
        },
        {
@@ -399,7 +399,7 @@
        },
        {
          "name": "GCP_STAGING_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment",
          "advanced": true
        },
        {
@@ -409,7 +409,7 @@
        },
        {
          "name": "GCP_PROD_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment",
          "advanced": true
        },
        {
@@ -418,6 +418,50 @@
          "default": "gcr.io/google.com/cloudsdktool/cloud-sdk:latest"
        }
      ]
+    },
+    {
+      "id": "aws-auth-provider",
+      "name": "Amazon Web service",
+      "description": "This variant uses [OpenID Connect in AWS] to retrieve temporary credentials.",
+      "template_path": "templates/gitlab-ci-k8s-aws.yml",
+      "variables": [
+        {
+          "name": "AWS_OIDC_AUD",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
+          "default": "$CI_SERVER_URL",
+          "advanced": true
+        },
+        {
+          "name": "AWS_OIDC_ROLE_ARN",
+          "description": "The default role ARN configured",
+          "advanced": true
+        },
+        {
+          "name": "AWS_REVIEW_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `review` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_INTEG_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `integration` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_STAGING_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `staging` environment",
+          "advanced": true
+        },
+        {
+          "name": "AWS_PROD_OIDC_ROLE_ARN",
+          "description": "The role ARN configured for `production` environment",
+          "advanced": true
+        },
+        {
+          "name": "K8S_KUBECTL_IMAGE",
+          "description": "The Docker image used to run Kubernetes `kubectl` commands on [AWS]",
+          "default": "docker.io/alpine/k8s:1.32.1"
+        }
+      ]
    }
  ]
 }
--- a/templates/gitlab-ci-k8s-aws.yml
+++ b/templates/gitlab-ci-k8s-aws.yml
+# =====================================================================================================================
+# === Amazon Web Service template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    kubectl-image:
+      description: The Docker image used to run Kubernetes `kubectl` commands on [AWS]
+      default: docker.io/alpine/k8s:1.32.1
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/)
+      default: ''
+    aws-review-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_
+      default: ''
+    aws-integ-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
+      default: ''
+    aws-staging-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
+      default: ''
+    aws-prod-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_
+      default: ''
+
+---
+variables:
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_REVIEW_OIDC_ROLE_ARN: $[[ inputs.aws-review-oidc-role-arn ]]
+  AWS_STAGING_OIDC_ROLE_ARN: $[[ inputs.aws-staging-oidc-role-arn ]]
+  AWS_INTEG_OIDC_ROLE_ARN: $[[ inputs.aws-integ-oidc-role-arn ]]
+  AWS_PROD_OIDC_ROLE_ARN: $[[ inputs.aws-prod-oidc-role-arn ]]
+
+  K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]]
+
+.k8s-aws-sts:
+  # init Assume Role with Web Identity Configuration
+  # see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
+  - echo "Installing AWS authentication"
+  - |
+    if [[ "$ENV_TYPE" ]]
+    then
+      case "$ENV_TYPE" in
+      review*)
+        env_prefix=REVIEW;;
+      integ*)
+        env_prefix=INTEG;;
+      staging*)
+        env_prefix=STAGING;;
+      prod*)
+        env_prefix=PROD;;
+      esac
+      log_info "Configuring Assume Role with Web Identity for AWS provider..."
+      export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
+      echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
+      env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")
+      export AWS_ROLE_ARN="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
+      export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+    fi
+
+.k8s-deploy:
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.k8s-scripts]
+    - !reference [.k8s-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - k8s_login
+
+.k8s-cleanup: 
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.k8s-scripts]
+    - !reference [.k8s-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - k8s_login
\ No newline at end of file
--- a/templates/gitlab-ci-k8s-gcp.yml
+++ b/templates/gitlab-ci-k8s-gcp.yml
@@ -13,31 +13,31 @@ spec:
      description: Default Service Account to which impersonate with OpenID Connect authentication
      default: ''
    gcp-oidc-provider:
-      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
      default: ''
    gcp-review-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `review` environment
      default: ''
    gcp-review-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment
      default: ''
    gcp-integ-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment
      default: ''
    gcp-integ-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment
      default: ''
    gcp-staging-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment
      default: ''
    gcp-staging-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment
      default: ''
    gcp-prod-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `production` environment
      default: ''
    gcp-prod-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment
      default: ''
 ---
 variables:
@@ -56,11 +56,12 @@ variables:
  
  K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]]

-.gcp-provider-auth:
-  before_script:
-    - echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
-    - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
-    - |-
+.k8s-gcp-adc:
+  - |
+    if [[ "$GCP_JWT" ]]
+    then
+      echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
+      echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
      if [[ "$ENV_TYPE" ]]
      then
        case "$ENV_TYPE" in
@@ -80,7 +81,6 @@ variables:
      fi
      oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}"
      oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}"
-    - |-
      cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json"
      {
        "type": "external_account",
@@ -93,7 +93,10 @@ variables:
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${oidc_account}:generateAccessToken"
      }
    EOF
-    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
+      export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
+    else
+      echo '[WARN] $GCP_JWT is not set: cannot setup Application Default Credentials (ADC) authentication'
+    fi

 .k8s-deploy:
  id_tokens:
@@ -101,7 +104,7 @@ variables:
      aud: "$GCP_OIDC_AUD"
  before_script:
    - !reference [.k8s-scripts]
-    - !reference [.gcp-provider-auth, before_script]
+    - !reference [.k8s-gcp-adc]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - k8s_login

@@ -111,6 +114,6 @@ variables:
      aud: "$GCP_OIDC_AUD"
  before_script:
    - !reference [.k8s-scripts]
-    - !reference [.gcp-provider-auth, before_script]    
+    - !reference [.k8s-gcp-adc]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - k8s_login
\ No newline at end of file
--- a/templates/gitlab-ci-k8s-vault.yml
+++ b/templates/gitlab-ci-k8s-vault.yml
@@ -22,7 +22,7 @@ variables:
 .k8s-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "--port", "8082", "kubernetes", "6.5.0"]
+      command: ["--service", "--port", "8082", "kubernetes", "7.3.1"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-k8s.yml
+++ b/templates/gitlab-ci-k8s.yml
@@ -444,9 +444,82 @@ stages:
    echo "$1" | tr '[:lower:]' '[:upper:]' | tr '[:punct:]' '_'
  }

-  function awkenvsubst() {
-    # performs variables escaping: '&' for gsub + JSON chars ('\' and '"')
-    awk '!/# *nosubst/{while(match($0,"[$%]{[^}]*}")) {var=substr($0,RSTART+2,RLENGTH-3);val=ENVIRON[var];gsub(/["\\&]/,"\\\\&",val);gsub("[$%]{"var"}",val)}}1'
+  function tbc_envsubst() {
+    awk '
+      BEGIN {
+        count_replaced_lines = 0
+        # ASCII codes
+        for (i=0; i<=255; i++)
+          char2code[sprintf("%c", i)] = i
+      }
+      # determine encoding (from env or from file extension)
+      function encoding() {
+        enc = ENVIRON["TBC_ENVSUBST_ENCODING"]
+        if (enc != "")
+          return enc
+        if (match(FILENAME, /\.(json|yaml|yml)$/))
+          return "jsonstr"
+        return "raw"
+      }
+      # see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
+      function uriencode(str) {
+        len = length(str)
+        enc = ""
+        for (i=1; i<=len; i++) {
+          c = substr(str, i, 1);
+          if (index("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'\''()", c))
+            enc = enc c
+          else
+            enc = enc "%" sprintf("%02X", char2code[c])
+        }
+        return enc
+      }
+      /# *nosubst/ {
+        print $0
+        next
+      }
+      {
+        orig_line = $0
+        line = $0
+        count_repl_in_line = 0
+        # /!\ 3rd arg (match) not supported in BusyBox awk
+        while (match(line, /[$%]\{([[:alnum:]_]+)\}/)) {
+          expr_start = RSTART
+          expr_len = RLENGTH
+          # get var name
+          var = substr(line, expr_start+2, expr_len-3)
+          # get var value (from env)
+          val = ENVIRON[var]
+          # check variable is set
+          if (val == "") {
+            printf("[\033[1;93mWARN\033[0m] Environment variable \033[33;1m%s\033[0m is not set or empty\n", var) > "/dev/stderr"
+          } else {
+            enc = encoding()
+            if (enc == "jsonstr") {
+              gsub(/["\\]/, "\\\\&", val)
+              gsub("\n", "\\n", val)
+              gsub("\r", "\\r", val)
+              gsub("\t", "\\t", val)
+            } else if (enc == "uricomp") {
+              val = uriencode(val)
+            } else if (enc == "raw") {
+            } else {
+              printf("[\033[1;93mWARN\033[0m] Unsupported encoding \033[33;1m%s\033[0m: ignored\n", enc) > "/dev/stderr"
+            }
+          }
+          # replace expression in line
+          line = substr(line, 1, expr_start - 1) val substr(line, expr_start + expr_len)
+          count_repl_in_line++
+        }
+        if (count_repl_in_line) {
+          if (count_replaced_lines == 0)
+            printf("[\033[1;94mINFO\033[0m] Variable expansion occurred in file \033[33;1m%s\033[0m:\n", FILENAME) > "/dev/stderr"
+          count_replaced_lines++
+          printf("> line %s: %s\n", NR, orig_line) > "/dev/stderr"
+        }
+        print line
+      }
+    ' "$@"
  }

  function exec_hook() {
@@ -549,10 +622,16 @@ stages:
      fi
      deploymentdir=$(dirname "$kustofile")

+      # variables substitution
+      tbc_envsubst "$kustofile" > generated-kustomization.yml
+      # overwrite kustomization file with substitued variables
+      mv generated-kustomization.yml "$kustofile"
+
      # apply/delete deployment descriptor
      log_info "--- \\e[32mkustomize\\e[0m"
      # shellcheck disable=SC2086
-      kubectl kustomize "$deploymentdir" ${K8S_KUSTOMIZE_ARGS}  > ./generated-deployment.yml
+      kubectl kustomize "$deploymentdir" ${K8S_KUSTOMIZE_ARGS}  > generated-deployment.yml
+
      log_info "--- \\e[32mkubectl $action\\e[0m"
      kubectl ${TRACE+-v=5} "$action" -f ./generated-deployment.yml
    else
@@ -564,8 +643,8 @@ stages:
        exit 1
      fi

-      # replace variables (alternative for envsubst which is not present in image)
-      awkenvsubst < "$deploymentfile" > generated-deployment.yml
+      # variables substitution
+      tbc_envsubst "$deploymentfile" > generated-deployment.yml

      log_info "--- \\e[32mkubectl $action\\e[0m"
      kubectl ${TRACE+-v=5} "$action" -f ./generated-deployment.yml
@@ -587,7 +666,7 @@ stages:
    export appname_ssc=$environment_name_ssc

    # variables expansion in $environment_url
-    environment_url=$(echo "$environment_url" | awkenvsubst)
+    environment_url=$(echo "$environment_url" | TBC_ENVSUBST_ENCODING=uricomp tbc_envsubst)
    export environment_url
    # extract hostname from $environment_url
    hostname=$(echo "$environment_url" | awk -F[/:] '{print $4}')
@@ -669,7 +748,7 @@ stages:
    export appname_ssc=$environment_name_ssc

    # variables expansion in $environment_url
-    environment_url=$(echo "$environment_url" | awkenvsubst)
+    environment_url=$(echo "$environment_url" | TBC_ENVSUBST_ENCODING=uricomp tbc_envsubst)
    export environment_url
    # extract hostname from $environment_url
    hostname=$(echo "$environment_url" | awk -F[/:] '{print $4}')
@@ -741,7 +820,7 @@ stages:
        log_info "--- \\e[32mpre-cleanup hook\\e[0m (\\e[33;1m${prescript}\\e[0m) not found: skip"
      fi

-      # has to be valuated for envsubst
+      # has to be valuated for tbc_envsubst
      export hostname=hostname

      do_kubectl delete
@@ -769,8 +848,18 @@ stages:
      fi
      deploymentdir=$(dirname "$kustofile")

+      # variables substitution
+      tbc_envsubst "$kustofile" > generated-kustomization.yml
+      # overwrite kustomization file with substitued variables
+      mv generated-kustomization.yml "$kustofile"
+
+      # apply/delete deployment descriptor
+      log_info "--- \\e[32mkustomize\\e[0m"
+      # shellcheck disable=SC2086
+      kustomize build ${K8S_KUSTOMIZE_ARGS} "$deploymentdir" > generated-deployment.yml
+
      # shellcheck disable=SC2086
-      kustomize build ${K8S_KUSTOMIZE_ARGS} "${deploymentdir}" | /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS -
+      /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS generated-deployment.yml
    else
      # find deployment file
      deploymentfile=$(ls -1 "$K8S_SCRIPTS_DIR/deployment-${environment_type}.yml" 2>/dev/null || ls -1 "$K8S_SCRIPTS_DIR/deployment.yml" 2>/dev/null || echo "")
@@ -780,8 +869,8 @@ stages:
        exit 1
      fi

-      # replace variables (alternative for envsubst which is not present in image)
-      awkenvsubst < "$deploymentfile" > generated-deployment.yml
+      # variables substitution
+      tbc_envsubst "$deploymentfile" > generated-deployment.yml

      # shellcheck disable=SC2086
      /usr/bin/kube-score score $K8S_SCORE_EXTRA_OPTS generated-deployment.yml
@@ -789,7 +878,7 @@ stages:
  }

  # export tool functions (might be used in after_script)
-  export -f log_info log_warn log_error assert_defined rollback awkenvsubst
+  export -f log_info log_warn log_error assert_defined rollback tbc_envsubst

  unscope_variables
  eval_all_secrets
@@ -802,7 +891,7 @@ stages:
    entrypoint: [""]
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "kubernetes", "6.5.0"]
+      command: ["--service", "kubernetes", "7.3.1"]
  before_script:
    - !reference [.k8s-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
@@ -876,7 +965,6 @@ k8s-score:
    name: "$ENV_TYPE env url for $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always
    paths:
-      - generated-deployment.yml
      - environment_url.txt
    reports:
      dotenv: kubernetes.env