add example2

TODO

@@ -23,3 +23,4 @@ docs: system charts must be accessible via helm install & flux
 docs: how to get first token to access cluster
 docs: where to store talosconfig
 how to version helm charts
+autombump chart versions for system charts

packages/Makefile

@@ -1,2 +0,0 @@
-repo:
-	make -C system $@

packages/apps/Makefile

@@ -0,0 +1,10 @@
+REPO=apps
+
+repo:
+	rm -rf ../repos/$(REPO)
+	mkdir -p ../repos/$(REPO)
+	cd ../repos/$(REPO) && helm package $$(find ../../$(REPO) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")')
+	cd ../repos/$(REPO) && helm repo index .
+
+fix-chartnames:
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done

packages/apps/http-balancer/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: http-balancert
+name: http-balancer
 description: Layer7 load balacner and caching service
 icon: https://www.svgrepo.com/show/373924/nginx.svg
 

packages/apps/kube-vip/Chart.yaml

@@ -1,2 +0,0 @@
-name: app
-version: 0.0.0

packages/apps/kube-vip/Makefile

@@ -1,8 +0,0 @@
-include ../../hack/app-helm.mk
-
-update:
-	rm -rf charts
-	helm repo add kube-vip https://kube-vip.github.io/helm-charts
-	helm repo update kube-vip
-	helm pull kube-vip/kube-vip-cloud-provider --untar --untardir charts
-	helm pull kube-vip/kube-vip --untar --untardir charts

packages/apps/kube-vip/charts/kube-vip-cloud-provider/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

packages/apps/kube-vip/charts/kube-vip-cloud-provider/Chart.yaml

@@ -1,9 +0,0 @@
-apiVersion: v2
-appVersion: v0.0.4
-description: A Helm chart for kube-vip cloud provider
-icon: https://github.com/kube-vip/kube-vip/raw/main/kube-vip.png
-maintainers:
-- name: kube-vip
-name: kube-vip-cloud-provider
-type: application
-version: 0.2.2

packages/apps/kube-vip/charts/kube-vip-cloud-provider/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "kube-vip-cloud-provider.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "kube-vip-cloud-provider.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "kube-vip-cloud-provider.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "kube-vip-cloud-provider.labels" -}}
-helm.sh/chart: {{ include "kube-vip-cloud-provider.chart" . }}
-{{ include "kube-vip-cloud-provider.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "kube-vip-cloud-provider.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "kube-vip-cloud-provider.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "kube-vip-cloud-provider.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "kube-vip-cloud-provider.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

packages/apps/kube-vip/charts/kube-vip-cloud-provider/templates/deployment.yaml

@@ -1,29 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "kube-vip-cloud-provider.name" . }}
-  namespace: {{ .Release.Namespace | default "kube-system" }}
-spec:
-  replicas: {{ .Values.replicasCount }}
-  selector:
-    matchLabels:
-      {{- include "kube-vip-cloud-provider.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "kube-vip-cloud-provider.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-        - command:
-            - /kube-vip-cloud-provider
-            - --leader-elect-resource-name=kube-vip-cloud-controller
-          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
-          name: {{ include "kube-vip-cloud-provider.name" . }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      serviceAccountName: {{ include "kube-vip-cloud-provider.name" . }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

packages/apps/kube-vip/charts/kube-vip-cloud-provider/templates/rbac.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "kube-vip-cloud-provider.name" . }}
-  namespace: {{ .Release.Namespace | default "kube-system" }}
-  labels:
-  {{- include "kube-vip-cloud-provider.labels" . | nindent 4 }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "kube-vip-cloud-provider.name" . }}
-rules:
-  - apiGroups: [ "coordination.k8s.io" ]
-    resources: [ "leases" ]
-    verbs: [ "get", "create", "update", "list", "put" ]
-  - apiGroups: [ "" ]
-    resources: [ "configmaps", "endpoints","events","services/status", "leases" ]
-    verbs: [ "*" ]
-  - apiGroups: [ "" ]
-    resources: [ "nodes", "services" ]
-    verbs: [ "list","get","watch","update" ]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "kube-vip-cloud-provider.name" . }}
-  labels:
-  {{- include "kube-vip-cloud-provider.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "kube-vip-cloud-provider.name" . }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "kube-vip-cloud-provider.name" . }}
-    namespace: {{ .Release.Namespace }}

packages/apps/kube-vip/charts/kube-vip-cloud-provider/values.yaml

@@ -1,39 +0,0 @@
-# Default values for kube-vip-cloud-provider.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicasCount: 1
-
-image:
-  repository: kubevip/kube-vip-cloud-provider
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.0.4"
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 100m
-    memory: 128Mi
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-affinity:
-  nodeAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-      - weight: 10
-        preference:
-          matchExpressions:
-            - key: node-role.kubernetes.io/control-plane
-              operator: Exists
-      - weight: 10
-        preference:
-          matchExpressions:
-            - key: node-role.kubernetes.io/master
-              operator: Exists

packages/apps/kube-vip/charts/kube-vip/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

packages/apps/kube-vip/charts/kube-vip/Chart.yaml

@@ -1,9 +0,0 @@
-apiVersion: v2
-appVersion: v0.4.1
-description: A Helm chart for kube-vip
-icon: https://github.com/kube-vip/kube-vip/raw/main/kube-vip.png
-maintainers:
-- name: kube-vip
-name: kube-vip
-type: application
-version: 0.4.4

packages/apps/kube-vip/charts/kube-vip/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "kube-vip.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "kube-vip.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "kube-vip.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "kube-vip.labels" -}}
-helm.sh/chart: {{ include "kube-vip.chart" . }}
-{{ include "kube-vip.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "kube-vip.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "kube-vip.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "kube-vip.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "kube-vip.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

packages/apps/kube-vip/charts/kube-vip/templates/daemonset.yaml

@@ -1,64 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: {{ include "kube-vip.name" . }}
-  namespace: {{ .Release.Namespace | default "kube-system" }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "kube-vip.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "kube-vip.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-      - args:
-          - manager
-        env:
-          {{- if eq .Values.env.cp_enable "true" }}
-          - name: vip_address
-            value: {{ required "A valid config.address required!" .Values.config.address}}
-          {{- end }}
-        {{- with .Values.env }}
-          {{- range $k, $v := . }}
-            {{- $name := $k }}
-            {{- $value := $v }}
-          - name: {{ quote $name }}
-            value: {{ quote $value }}
-          {{- end }}
-        {{- end }}
-        {{- with .Values.envValueFrom }}
-          {{- range $k, $v := . }}
-            {{- $name := $k }}
-            {{- $value := $v }}
-          - name: {{ quote $name }}
-            valueFrom:
-              {{- toYaml $value | nindent 14 }}
-          {{- end }}
-        {{- end }}
-      {{- with .Values.envFrom }}
-        envFrom:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-        image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: kube-vip
-        resources:
-          {{- toYaml .Values.resources | nindent 10 }}
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
-      hostNetwork: true
-      serviceAccountName: {{ include "kube-vip.name" . }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

packages/apps/kube-vip/charts/kube-vip/templates/rbac.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "kube-vip.name" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-  {{- include "kube-vip.labels" . | nindent 4 }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  name: {{ include "kube-vip.name" . }}
-rules:
-  - apiGroups: [""]
-    resources: ["services", "services/status", "nodes"]
-    verbs: ["list","get","watch", "update"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["list", "get", "watch", "update", "create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "kube-vip.name" . }}
-  labels:
-  {{- include "kube-vip.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "kube-vip.name" . }}
-subjects:
-- kind: ServiceAccount
-  name: {{ include "kube-vip.name" . }}
-  namespace: {{ .Release.Namespace }}

packages/apps/kube-vip/charts/kube-vip/values.yaml

@@ -1,98 +0,0 @@
-# Default values for kube-vip.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-image:
-  repository: ghcr.io/kube-vip/kube-vip
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.5.11"
-
-config:
-  address: ""
-
-env:
-  vip_interface: ""
-  vip_arp: "true"
-  lb_enable: "true"
-  lb_port: "6443"
-  vip_cidr: "32"
-  cp_enable: "false"
-  svc_enable: "true"
-  svc_election: "true"
-  vip_leaderelection: "false"
-
-envValueFrom: {}
-  # Specify environment variables using valueFrom references (EnvVarSource)
-  # For example we can use the IP address of the pod itself as a unique value for the routerID
-#bgp_routerid:
-#  fieldRef:
-#    fieldPath: status.podIP
-
-envFrom: []
-  # Specify an externally created Secret(s) or ConfigMap(s) to inject environment variables
-  # For example an externally provisioned secret could contain the password for your upstream BGP router, such as
-  #
-  # apiVersion: v1
-  # data:
-  #   bgp_peers: "<address:AS:password:multihop>"
-  # kind: Secret
-  #   name: kube-vip
-  #   namespace: kube-system
-  # type: Opaque
-  #
-#- secretKeyRef:
-#    name: kube-vip
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
-# fsGroup: 2000
-
-securityContext:
-  capabilities:
-    add:
-      - NET_ADMIN
-      - NET_RAW
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-# limits:
-#   cpu: 100m
-#   memory: 128Mi
-# requests:
-#   cpu: 100m
-#   memory: 128Mi
-
-nodeSelector: {}
-
-tolerations:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-    operator: Exists
-affinity: {}
-  # nodeAffinity:
-  #   requiredDuringSchedulingIgnoredDuringExecution:
-  #     nodeSelectorTerms:
-  #     - matchExpressions:
-  #       - key: node-role.kubernetes.io/master
-  #         operator: Exists
-  #     - matchExpressions:
-  #       - key: node-role.kubernetes.io/control-plane
-  #         operator: Exists

packages/apps/kube-vip/values.yaml

@@ -1,5 +0,0 @@
-_helm:
-  name: kube-vip
-  namespace: kube-vip
-  createNamespace: true
-  crds: CreateReplace

packages/apps/monitoring-hub/Chart.yaml

@@ -1,2 +1,2 @@
-name: cozystack
+name: monitoring-hub
 version: 0.0.0

packages/apps/virtual-machine/Chart.yaml

@@ -23,4 +23,4 @@ version: 0.1.3
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.16.1"

packages/apps/virtual-machine/templates/vm.yaml

@@ -5,6 +5,8 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
+  annotations:
+    a: b
 spec:
   running: true
   template:

packages/core/installer/images/installer/Dockerfile

@@ -5,6 +5,7 @@ RUN apk add helm kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge
 
 COPY packages /cozystack/packages
 RUN make -C /cozystack/packages/system repo
+RUN make -C /cozystack/packages/apps repo
 
 RUN ln -s /cozystack/packages/core/installer/images/installer/scripts /scripts
 

packages/core/platform/templates/helmrepos.yaml

@@ -7,3 +7,12 @@ metadata:
 spec:
   interval: 5m0s
   url: http://cozystack.cozy-system.svc/system
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cozystack-apps
+  namespace: cozy-public
+spec:
+  interval: 5m0s
+  url: http://cozystack.cozy-system.svc/apps

packages/core/platform/values.yaml

@@ -1,4 +1,5 @@
 namespaces:
+- name: cozy-public
 - name: cozy-system
   privileged: true
 - name: cozy-cert-manager

packages/system/kubeapps/2.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tenant-client1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: client1
+  namespace: tenant-client1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: client1-token
+  namespace: tenant-client1
+  annotations:
+    kubernetes.io/service-account.name: client1
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-admin
+  namespace: tenant-client1
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources: ["helmreleases"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tenant-admin-binding
+  namespace: tenant-client1
+subjects:
+- kind: ServiceAccount
+  name: client1
+  namespace: tenant-client1
+roleRef:
+  kind: Role
+  name: tenant-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: list-apps
+  namespace: cozy-public
+rules:
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helmrepositories"]
+  verbs: ["get", "list"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helmcharts"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tenant-admin-binding
+  namespace: cozy-public
+subjects:
+- kind: ServiceAccount
+  name: client1
+  namespace: tenant-client1
+roleRef:
+  kind: Role
+  name: list-apps
+  apiGroup: rbac.authorization.k8s.io