## What this PR does
This patch grants "admin" permissions to super-admins, "use" permissions
to admins and super-admins, "view" permissions to "use"-privileged
users, admins, and super-admins. Previously lower-privileged roles were
not assigned to higher-privileged users, so a viewer could excercise
their basic read-only permissions which were not available to
high-privilege users. This patch corrects the template function used to
generate subjects in rolebindings, fixing the issue.
### Release note
```release-note
[rbac] Fix issue of privileged users not having low-privilege read-only
permissions.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
When enabling OIDC, the Tenant applications may try to deploy
KeycloakRealmGroups before the Keycloak operator is live. This may
lead to a race where neither HelmRelease is able to progress. This patch
addresses this.
```release-note
[oidc] Do not deploy KeycloakRealmGroup resources as part of the Tenant
application if the v1.edp.epam.com API is not yet available.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
[cozystack-controller] Introduce new dashboard-controller
[dashboard] Introduce new dashboard based on openapi-ui
Co-authored-by: kklinch0 <kklinch0@gmail.com>
Signed-off-by: kklinch0 <kklinch0@gmail.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Some k8s secrets created when deploying managed applications are
unhelpful to the end user or are outright not meant to be shown, because
they contain internal credentials not meant to be presented to the user.
This patch adds an `apps.cozystack.io/tenantresource=false` label to
such resources which will be later used to filter out such secrets in
the web UI.
```release-note
[platform] Mark non-user-facing secrets as such to avoid clutter in the
dashboard and leaking internal credentials.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
fix race conditions for seaweedfs and fix tests preparing
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* Chores
* Increased deployment timeouts to 10 minutes and set install/upgrade
remediation to unlimited retries for SeaweedFS, ingress, and monitoring
components to improve deployment resilience.
* Tests
* Extended end-to-end readiness waits for alerting components from 5 to
15 minutes for more stable test runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* All application parameter documentation was enhanced with explicit
type annotations and structured field descriptions for improved clarity.
* README files now include detailed parameter tables with type columns
and refined default values.
* Helm values.yaml files feature consistent type annotations and
hierarchical field documentation.
* **Schema Enhancements**
* JSON schemas for Postgres, Tenant, Virtual Machine, and Monitoring
apps were comprehensively restructured with explicit types, defaults,
validation patterns, and richer nested configuration options.
* **Chores**
* Switched documentation and schema generation tools to a unified
command (`cozyvalues-gen`) across all relevant Makefiles and CI
workflows for consistency and simplification.
* **Bug Fixes**
* Updated resource specifications in virtual machine tests for improved
accuracy.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR fixes an issue with accessing external IPs of cluster from
cluster itself
```
Policy verdict log: flow 0x6c9bf32e local EP ID 1155, remote ID remote-node, proto 6, ingress, action deny, auth: disabled, match none, 172.27.88.13:46124 -> 10.244.4.174:30274 tcp SYN
xx drop (Policy denied) flow 0x6c9bf32e to endpoint 1155, ifindex 247, file bpf_lxc.c:2181, , identity remote-node->56986: 172.27.88.13:46124 -> 10.244.4.174:30274 tcp SYN
```
related doc:
https://docs.cilium.io/en/stable/security/policy/language/#entities-based
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Expanded network access for the tenant application to allow
connections from both external sources and within the cluster.
- **Chores**
- Updated the tenant application to version 1.9.2.
- Adjusted version mappings to reflect the latest release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Every tenant now creates a configmap in its __tenant__ namespace with a
sha256 of its values. Tenants (and eventually all other apps), watch the
configmap in their __release__ namespace, by referencing it in the
valuesFrom part of the HelmRelease. `tenant-root` is an exception, since
it is the only tenant where the release namespace is the same as the
tenant namespace. It references a different configmap in its valesFrom,
created and reconciled by the cozystack installer script. Part of #802.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new configurable parameter for tenant resource quotas,
enabling flexible CPU and memory management.
- Added a new YAML template for Kubernetes ResourceQuota configuration.
- Updated application version to 1.8.0.
- **Documentation**
- Added documentation for the new `resourceQuotas` parameter in tenant
configuration.
- **Chores**
- Updated versioning entries for the tenant application.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **Chores**
- Updated tenant application version from 1.6.6 to 1.6.7
- Updated version tracking in package management system
- Minor configuration adjustments in kubeconfig template
- Enhanced logic for determining API server endpoint based on kubeconfig
presence
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
- **Version Updates**
- Tenant application version bumped from 1.6.5 to 1.6.6
- Monitoring application version updated from 1.5.3 to 1.5.4
- **Monitoring Configuration**
- Adjusted metrics storage deduplication interval: shortterm from 5
minutes to 15 seconds, longterm from 15 seconds to 5 minutes
- Updated resource configurations for VM components, including new
resource specifications for vminsert, vmselect, and vmstorage
- Increased memory limits and requests for VMAgent from 500Mi to 1024Mi
and from 200Mi to 768Mi, respectively
- **Performance Improvements**
- Enhanced resource allocation for monitoring services
- More flexible configuration options for metrics storage
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="1675" alt="Screenshot 2024-12-23 at 13 40 30"
src="https://github.com/user-attachments/assets/cc123697-4efd-4a4f-909c-793cec8d91bd"
/>
<img width="1673" alt="Screenshot 2024-12-23 at 13 40 45"
src="https://github.com/user-attachments/assets/3be63e8d-9ee6-487d-90d0-3583dc968dfc"
/>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new `pluginConfig` section in the Kubeapps dashboard
configuration for managing a broader range of applications.
- **Bug Fixes**
- Enhanced URL generation logic to ensure proper encoding of package
identifiers.
- **Chores**
- Updated image digests in the configuration for both the dashboard and
kubeappsapis sections.
- Removed unnecessary patch application steps from the build process.
- Upgraded the Go version used for building the application.
- Updated the application version for the tenant package from `1.6.3` to
`1.6.4`.
- Added a new version `1.6.4 HEAD` for the tenant package.
- Adjusted RBAC configuration to streamline permissions and enhance
group-based access management.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: klinch0 <68821526+klinch0@users.noreply.github.com>
