Update talos v1.8.1 (#448)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

- **New Features**
- Updated various container images to newer versions, enhancing
performance and security.

- **Bug Fixes**
- Resolved issues by updating image tags and digests for several
components, ensuring consistency and stability.

- **Documentation**
- Incremented version numbers in configuration files for clarity and
tracking.

- **Chores**
- Updated image tags and digests across multiple services to maintain
up-to-date deployments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ repos:
     - id: mixed-line-ending
       args: [--fix=lf]
     - id: check-yaml
-      exclude: packages/apps/postgres/templates/init-script.yaml
+      exclude: '^.*templates/.*\.yaml$'
       args: [--unsafe]
 - repo: https://github.com/igorshubovych/markdownlint-cli
   rev: v0.41.0

hack/e2e.sh

@@ -114,7 +114,7 @@ machine:
     - name: zfs
     - name: spl
   install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.8.0
+    image: ghcr.io/aenix-io/cozystack/talos:v1.8.1
   files:
   - content: |
       [plugins]

hack/pre-checks.sh

@@ -5,7 +5,7 @@ RED='\033[31m'
 RESET='\033[0m'
 
 check-yq-version() {
-    current_version=$(yq -V | grep -oP 'v[0-9]+\.[0-9]+\.[0-9]+')
+    current_version=$(yq -V | awk '$(NF-1) == "version" {print $NF}')
     if [ -z "$current_version" ]; then
         echo "yq is not installed or version cannot be determined."
         exit 1

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.5"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.17.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.5"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.17.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "24.3.0"
+appVersion: "24.9.2"

packages/apps/clickhouse/README.md

@@ -19,12 +19,14 @@ more details:
 
 ### Common parameters
 
-| Name           | Description                         | Value  |
-| -------------- | ----------------------------------- | ------ |
-| `size`         | Persistent Volume size              | `10Gi` |
-| `shards`       | Number of Clickhouse replicas       | `1`    |
-| `replicas`     | Number of Clickhouse shards         | `2`    |
-| `storageClass` | StorageClass used to store the data | `""`   |
+| Name             | Description                         | Value  |
+| ---------------- | ----------------------------------- | ------ |
+| `size`           | Persistent Volume size              | `10Gi` |
+| `logStorageSize` | Persistent Volume for logs size     | `2Gi`  |
+| `shards`         | Number of Clickhouse replicas       | `1`    |
+| `replicas`       | Number of Clickhouse shards         | `2`    |
+| `storageClass`   | StorageClass used to store the data | `""`   |
+| `logTTL`         | for query_log and query_thread_log  | `15`   |
 
 ### Configuration parameters
 

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.5.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -32,11 +32,12 @@ kind: "ClickHouseInstallation"
 metadata:
   name: "{{ .Release.Name }}"
 spec:
-  {{- with .Values.size }}
+  namespaceDomainPattern:  "%s.svc.cozy.local"
   defaults:
     templates:
       dataVolumeClaimTemplate: data-volume-template
-  {{- end }}
+      podTemplate: clickhouse-per-host
+      serviceTemplate: svc-template
   configuration:
     {{- with $users }}
     users:
@@ -46,6 +47,41 @@ spec:
       {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
     {{- end }}
+    files:
+      config.d/z_log_disable.xml: |
+        <clickhouse>
+            <asynchronous_metric_log remove="1"/>
+            <metric_log remove="1"/>
+            <query_views_log remove="1" />
+            <part_log remove="1"/>
+            <session_log remove="1"/>
+            <text_log remove="1" />
+            <trace_log remove="1"/>
+            <crash_log remove="1"/>
+            <opentelemetry_span_log remove="1"/>
+            <processors_profile_log remove="1"/>
+        </clickhouse>
+      config.d/query_log_ttl.xml: |
+        <clickhouse>
+            <query_log replace="1">
+                <database>system</database>
+                <table>query_log</table>
+                <engine>ENGINE = MergeTree PARTITION BY (event_date)
+                        ORDER BY (event_time)
+                        TTL event_date + INTERVAL {{ .Values.logTTL }} DAY DELETE
+                </engine>
+                <flush_interval_milliseconds>7500</flush_interval_milliseconds>
+            </query_log>
+            <query_thread_log replace="1">
+                <database>system</database>
+                <table>query_thread_log</table>
+                <engine>ENGINE = MergeTree PARTITION BY (event_date)
+                        ORDER BY (event_time)
+                        TTL event_date + INTERVAL {{ .Values.logTTL }} DAY DELETE
+                </engine>
+                <flush_interval_milliseconds>7500</flush_interval_milliseconds>
+            </query_thread_log>
+        </clickhouse>
     profiles:
       readonly/readonly: "1"
     clusters:
@@ -53,17 +89,49 @@ spec:
         layout:
           shardsCount: {{ .Values.shards }}
           replicasCount: {{ .Values.replicas }}
-  {{- with .Values.size }}
   templates:
     volumeClaimTemplates:
       - name: data-volume-template
         spec:
           accessModes:
             - ReadWriteOnce
-          {{- with $.Values.storageClass }}
-          storageClassName: {{ . }}
-          {{- end }}
           resources:
             requests:
-              storage: {{ . }}
-  {{- end }}
+              storage: {{ .Values.size }}
+      - name: log-volume-template
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: {{ .Values.logStorageSize }}
+    podTemplates:
+      - name: clickhouse-per-host
+        spec:
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: "clickhouse.altinity.com/chi"
+                        operator: In
+                        values:
+                          - "{{ .Release.Name }}"
+                  topologyKey: "kubernetes.io/hostname"
+          containers:
+            - name: clickhouse
+              image: clickhouse/clickhouse-server:24.9.2.42
+              volumeMounts:
+                - name: data-volume-template
+                  mountPath: /var/lib/clickhouse
+                - name: log-volume-template
+                  mountPath: /var/log/clickhouse-server
+    serviceTemplates:
+      - name: svc-template
+        generateName: chendpoint-{chi}
+        spec:
+          ports:
+            - name: http
+              port: 8123
+            - name: tcp
+              port: 9000

packages/apps/clickhouse/values.schema.json

@@ -7,6 +7,11 @@
             "description": "Persistent Volume size",
             "default": "10Gi"
         },
+        "logStorageSize": {
+            "type": "string",
+            "description": "Persistent Volume for logs size",
+            "default": "2Gi"
+        },
         "shards": {
             "type": "number",
             "description": "Number of Clickhouse replicas",
@@ -22,6 +27,11 @@
             "description": "StorageClass used to store the data",
             "default": ""
         },
+        "logTTL": {
+            "type": "number",
+            "description": "for query_log and query_thread_log",
+            "default": 15
+        },
         "backup": {
             "type": "object",
             "properties": {

packages/apps/clickhouse/values.yaml

@@ -1,14 +1,18 @@
 ## @section Common parameters
 
 ## @param size Persistent Volume size
+## @param logStorageSize Persistent Volume for logs size
 ## @param shards Number of Clickhouse replicas
 ## @param replicas Number of Clickhouse shards
 ## @param storageClass StorageClass used to store the data
+## @param logTTL for query_log and query_thread_log
 ##
 size: 10Gi
+logStorageSize: 2Gi
 shards: 1
 replicas: 2
 storageClass: ""
+logTTL: 15
 
 ## @section Configuration parameters
 

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/ferretdb/templates/init-script.yaml

@@ -34,6 +34,9 @@ stringData:
   init.sh: |
     #!/bin/bash
     set -e
+
+    until pg_isready ; do sleep 5; done
+
     echo "== create users"
     {{- if .Values.users }}
     psql -v ON_ERROR_STOP=1 <<\EOT

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:cd744b2d1d50191f4908f2db83079b32973d1c009fe9468627be72efbfa0a107
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:7aed2ce1909a4f8faf1de93c4c17fec76ce7a593632ef5ab9ed1b66c3e83bf58

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.1
+version: 0.13.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -27,26 +27,181 @@ How to access to deployed cluster:
 kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o go-template='{{ printf "%s\n" (index .data "super-admin.conf" | base64decode) }}' > test
 ```
 
-## Parameters
+# Series
 
-### Common parameters
+<!-- source: https://github.com/kubevirt/common-instancetypes/blob/main/README.md -->
 
-| Name                    | Description                                                                                                                            | Value        |
-| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components                                                                             | `2`          |
-| `storageClass`          | StorageClass used to store user data                                                                                                   | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                                               | `{}`         |
+.                           |  U  |  O  |  CX  |  M  |  RT
+----------------------------|-----|-----|------|-----|------
+*Has GPUs*                  |     |     |      |     |
+*Hugepages*                 |     |     |  ✓   |  ✓  |  ✓
+*Overcommitted Memory*      |     |  ✓  |      |     |
+*Dedicated CPU*             |     |     |  ✓   |     |  ✓
+*Burstable CPU performance* |  ✓  |  ✓  |      |  ✓  |
+*Isolated emulator threads* |     |     |  ✓   |     |  ✓
+*vNUMA*                     |     |     |  ✓   |     |  ✓
+*vCPU-To-Memory Ratio*      | 1:4 | 1:4 |  1:2 | 1:8 | 1:4
 
-### Cluster Addons
 
-| Name                                 | Description                                                                        | Value   |
-| ------------------------------------ | ---------------------------------------------------------------------------------- | ------- |
-| `addons.certManager.enabled`         | Enables the cert-manager                                                           | `false` |
-| `addons.certManager.valuesOverride`  | Custom values to override                                                          | `{}`    |
-| `addons.ingressNginx.enabled`        | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)           | `false` |
-| `addons.ingressNginx.valuesOverride` | Custom values to override                                                          | `{}`    |
-| `addons.ingressNginx.hosts`          | List of domain names that should be passed through to the cluster by upper cluster | `[]`    |
-| `addons.fluxcd.enabled`              | Enables Flux CD                                                                    | `false` |
-| `addons.fluxcd.valuesOverride`       | Custom values to override                                                          | `{}`    |
+## U Series
 
+The U Series is quite neutral and provides resources for
+general purpose applications.
+
+*U* is the abbreviation for "Universal", hinting at the universal
+attitude towards workloads.
+
+VMs of instance types will share physical CPU cores on a
+time-slice basis with other VMs.
+
+### U Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## O Series
+
+The O Series is based on the U Series, with the only difference
+being that memory is overcommitted.
+
+*O* is the abbreviation for "Overcommitted".
+
+### UO Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *Overcommitted Memory* - Memory is over-committed in order to achieve
+  a higher workload density.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## CX Series
+
+The CX Series provides exclusive compute resources for compute
+intensive applications.
+
+*CX* is the abbreviation of "Compute Exclusive".
+
+The exclusive resources are given to the compute threads of the
+VM. In order to ensure this, some additional cores (depending
+on the number of disks and NICs) will be requested to offload
+the IO threading from cores dedicated to the workload.
+In addition, in this series, the NUMA topology of the used
+cores is provided to the VM.
+
+### CX Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vNUMA* - Physical NUMA topology is reflected in the guest in order to
+  optimize guest sided cache utilization.
+- *vCPU-To-Memory Ratio (1:2)* - A vCPU-to-Memory ratio of 1:2.
+
+## M Series
+
+The M Series provides resources for memory intensive
+applications.
+
+*M* is the abbreviation of "Memory".
+
+### M Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:8)* - A vCPU-to-Memory ratio of 1:8, for much
+  less noise per node.
+
+## RT Series
+
+The RT Series provides resources for realtime applications, like Oslat.
+
+*RT* is the abbreviation for "realtime".
+
+This series of instance types requires nodes capable of running
+realtime applications.
+
+### RT Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4 starting from
+  the medium size.
+
+## Resources
+
+The following instancetype resources are provided by Cozystack:
+
+Name | vCPUs | Memory
+-----|-------|-------
+cx1.2xlarge  |  8  |  16Gi
+cx1.4xlarge  |  16  |  32Gi
+cx1.8xlarge  |  32  |  64Gi
+cx1.large  |  2  |  4Gi
+cx1.medium  |  1  |  2Gi
+cx1.xlarge  |  4  |  8Gi
+gn1.2xlarge  |  8  |  32Gi
+gn1.4xlarge  |  16  |  64Gi
+gn1.8xlarge  |  32  |  128Gi
+gn1.xlarge  |  4  |  16Gi
+m1.2xlarge  |  8  |  64Gi
+m1.4xlarge  |  16  |  128Gi
+m1.8xlarge  |  32  |  256Gi
+m1.large  |  2  |  16Gi
+m1.xlarge  |  4  |  32Gi
+n1.2xlarge  |  16  |  32Gi
+n1.4xlarge  |  32  |  64Gi
+n1.8xlarge  |  64  |  128Gi
+n1.large  |  4  |  8Gi
+n1.medium  |  4  |  4Gi
+n1.xlarge  |  8  |  16Gi
+o1.2xlarge  |  8  |  32Gi
+o1.4xlarge  |  16  |  64Gi
+o1.8xlarge  |  32  |  128Gi
+o1.large  |  2  |  8Gi
+o1.medium  |  1  |  4Gi
+o1.micro  |  1  |  1Gi
+o1.nano  |  1  |  512Mi
+o1.small  |  1  |  2Gi
+o1.xlarge  |  4  |  16Gi
+rt1.2xlarge  |  8  |  32Gi
+rt1.4xlarge  |  16  |  64Gi
+rt1.8xlarge  |  32  |  128Gi
+rt1.large  |  2  |  8Gi
+rt1.medium  |  1  |  4Gi
+rt1.micro  |  1  |  1Gi
+rt1.small  |  1  |  2Gi
+rt1.xlarge  |  4  |  16Gi
+u1.2xlarge  |  8  |  32Gi
+u1.2xmedium  |  2  |  4Gi
+u1.4xlarge  |  16  |  64Gi
+u1.8xlarge  |  32  |  128Gi
+u1.large  |  2  |  8Gi
+u1.medium  |  1  |  4Gi
+u1.micro  |  1  |  1Gi
+u1.nano  |  1  |  512Mi
+u1.small  |  1  |  2Gi
+u1.xlarge  |  4  |  16Gi

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.12.1@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.13.0@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.12.1@sha256:ca606d6039ed43a48d4dfd98a91fd3cec120f08c1e221cd4e99ea94239389742
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.13.0@sha256:be18ed8370a390d64a830b7829ff06e98544716e03b956b26537baf1198e0c8d

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.12.1@sha256:86029548078960feecca116087b2135230d676b83c503f292eb50e1199be2790
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.13.0@sha256:1c96280e10becb858cb5f781a278f383319514f803c8e5fe401e0ef291f65821

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:1f249fbe52821a62f706c6038b13401234e1b758ac498e53395b8f9a642b015f
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:0537035f0ed4a0f7452bcdede483584dd13e622f4de4725f5687699ade97848a

packages/apps/kubernetes/templates/cluster.yaml

@@ -15,6 +15,11 @@ spec:
         node-role.kubernetes.io/{{ . }}: ""
         {{- end }}
     spec:
+      {{- with .group.instanceType }}
+      instancetype:
+        kind: VirtualMachineClusterInstancetype
+        name: {{ . }}
+      {{- end }}
       runStrategy: Always
       template:
         metadata:
@@ -26,10 +31,12 @@ spec:
             {{- end }}
         spec:
           domain:
+            {{- if and .group.resources .group.resources.cpu }}
             cpu:
               threads: 1
               cores: {{ .group.resources.cpu }}
               sockets: 1
+            {{- end }}
             devices:
               disks:
               - name: system
@@ -43,8 +50,10 @@ spec:
               interfaces:
               - name: default
                 bridge: {}
+            {{- if and .group.resources .group.resources.memory }}
             memory:
               guest: {{ .group.resources.memory }}
+            {{- end }}
           evictionStrategy: External
           volumes:
           - name: system
@@ -176,6 +185,14 @@ spec:
   template:
     {{- $kubevirtmachinetemplate | nindent 4 }}
 ---
+{{- $instanceType := dict }}
+{{- if $group.instanceType }}
+{{-   $instanceType = (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterInstancetype" "" $group.instanceType) }}
+{{-   if not $instanceType }}
+{{-     fail (printf "Specified instancetype not exists in cluster: %s" $group.instanceType) }}
+{{-   end }}
+{{- end }}
+
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
 metadata:
@@ -184,8 +201,16 @@ metadata:
   annotations:
     cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ $group.minReplicas }}"
     cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ $group.maxReplicas }}"
+    {{- if and $group.resources $group.resources.memory }}
     capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $group.resources.memory }}"
+    {{- else }}
+    capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $instanceType.spec.memory.guest }}"
+    {{- end }}
+    {{- if and $group.resources $group.resources.cpu }}
     capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $group.resources.cpu }}"
+    {{- else }}
+    capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $instanceType.spec.cpu.guest }}"
+    {{- end }}
 spec:
   clusterName: {{ $.Release.Name }}
   template:

packages/apps/kubernetes/values.yaml

@@ -15,13 +15,15 @@ nodeGroups:
   md0:
     minReplicas: 0
     maxReplicas: 10
-    resources:
-      cpu: 2
-      memory: 1024Mi
+    instanceType: "u1.medium"
     ephemeralStorage: 20Gi
     roles:
     - ingress-nginx
 
+    resources:
+      cpu: ""
+      memory: ""
+
 ## @section Cluster Addons
 ##
 addons:

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.1
+version: 0.5.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11

packages/apps/mysql/templates/mariadb.yaml

@@ -13,6 +13,7 @@ spec:
   port: 3306
 
   replicas: {{ .Values.replicas }}
+  replicasAllowEvenNumber: true
   affinity:
     podAntiAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:

packages/apps/mysql/templates/secret.yaml

@@ -8,7 +8,7 @@
 {{- end }}
 
 {{- $usersWithRoot := .Values.users }}
-{{- if (and .Values.users.root .Values.users.root.password) }}
+{{- if not (and .Values.users.root .Values.users.root.password) }}
   {{- $_ := set $usersWithRoot "root" dict }}
 {{- end }}
 

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/rabbitmq/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.4.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -18,6 +18,7 @@ spec:
         template:
           spec:
             enableServiceLinks: false
+            containers: []
           metadata:
             labels:
               policy.cozystack.io/allow-to-apiserver: "true"

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.4.0
+version: 1.5.0

packages/apps/tenant/templates/networkpolicy.yaml

@@ -159,6 +159,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-cdi-upload-proxy
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
   name: allow-to-ingress
   namespace: {{ include "tenant.name" . }}

packages/apps/versions_map

@@ -4,12 +4,14 @@ clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 5ca8823
 clickhouse 0.3.0 b00621e
 clickhouse 0.4.0 320fc32
-clickhouse 0.5.0 HEAD
+clickhouse 0.5.0 2a4768a5
+clickhouse 0.6.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
 ferretdb 0.2.0 adaf603
 ferretdb 0.3.0 aa2f553
-ferretdb 0.4.0 HEAD
+ferretdb 0.4.0 def2eb0f
+ferretdb 0.4.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
 http-cache 0.3.0 fab5940
@@ -35,13 +37,15 @@ kubernetes 0.10.0 ac5c38b
 kubernetes 0.11.0 4eaca42
 kubernetes 0.11.1 4f430a90
 kubernetes 0.12.0 74649f8
-kubernetes 0.12.1 HEAD
+kubernetes 0.12.1 28fca4e
+kubernetes 0.13.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
 mysql 0.4.0 93018c4
 mysql 0.5.0 4b84798
-mysql 0.5.1 HEAD
+mysql 0.5.1 fab5940b
+mysql 0.5.2 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 HEAD
 postgres 0.1.0 f642698
@@ -60,7 +64,8 @@ rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
 rabbitmq 0.4.0 36d8855
 rabbitmq 0.4.1 35536bb
-rabbitmq 0.4.2 HEAD
+rabbitmq 0.4.2 00b2834e
+rabbitmq 0.4.3 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD
@@ -74,12 +79,17 @@ tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
-tenant 1.4.0 HEAD
+tenant 1.4.0 94c688f7
+tenant 1.5.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
-virtual-machine 0.4.0 HEAD
+virtual-machine 0.4.0 4746d51
+virtual-machine 0.5.0 HEAD
+vm-disk 0.1.0 HEAD
+vm-instance 0.1.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
-vpn 0.3.0 HEAD
+vpn 0.3.0 a2bcf100
+vpn 0.3.1 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 #name: Virtual Machine
 name: virtual-machine
-description: Virtual machine instance
+description: Virtual Machine (simple)
 icon: /logos/vm.svg
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/Makefile

@@ -1,10 +1,10 @@
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
-	cat values.schema.json.tmp | \
-		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' | \
-		jq '.properties.resources.properties.memory["x-display"] = "slider"' | \
-		jq '.properties.externalPorts.items.type = "integer"' \
-		> values.schema.json
-	rm -f values.schema.json.tmp
+	readme-generator -v values.yaml -s values.schema.json -r README.md
+	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
+	  && yq -i -o json ".properties.instanceType.optional=true | .properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
+	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
+	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
+	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
+	yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json

packages/apps/virtual-machine/README.md

@@ -1,4 +1,4 @@
-# Virtual Machine
+# Virtual Machine (simple)
 
 A Virtual Machine (VM) simulates computer hardware, enabling various operating systems and applications to run in an isolated environment.
 
@@ -36,40 +36,233 @@ virtctl ssh <user>@<vm>
 
 ### Common parameters
 
-| Name               | Description                                                                                                | Value            |
-| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
-| `external`         | Enable external access from outside the cluster                                                            | `false`          |
-| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
-| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
-| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
-| `storageClass`     | StorageClass used to store the data                                                                        | `replicated`     |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `1`              |
-| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `1024M`          |
-| `resources.disk`   | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
-| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
+| Name                      | Description                                                                                                | Value            |
+| ------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------- |
+| `external`                | Enable external access from outside the cluster                                                            | `false`          |
+| `externalPorts`           | Specify ports to forward from outside the cluster                                                          | `[]`             |
+| `running`                 | Determines if the virtual machine should be running                                                        | `true`           |
+| `instanceType`            | Virtual Machine instance type                                                                              | `u1.medium`      |
+| `instanceProfile`         | Virtual Machine prefferences profile                                                                       | `ubuntu`         |
+| `systemDisk.image`        | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
+| `systemDisk.storage`      | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
+| `systemDisk.storageClass` | StorageClass used to store the data                                                                        | `replicated`     |
+| `resources.cpu`           | The number of CPU cores allocated to the virtual machine                                                   | `""`             |
+| `resources.memory`        | The amount of memory allocated to the virtual machine                                                      | `""`             |
+| `sshKeys`                 | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
+| `cloudInit`               | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
 ` |
 
-You can customize the exposed ports by specifying them under `service.ports` in the `values.yaml` file.
+## U Series
 
-## Example virtual machine:
+The U Series is quite neutral and provides resources for
+general purpose applications.
 
-```yaml
-running: true
-image: fedora
-storageClass: replicated
-resources:
-  cpu: 1
-  memory: 1024M
-  disk: 10Gi
+*U* is the abbreviation for "Universal", hinting at the universal
+attitude towards workloads.
 
-sshKeys:
-- ssh-rsa ...
+VMs of instance types will share physical CPU cores on a
+time-slice basis with other VMs.
 
-cloudInit: |
-  #cloud-config
-  user: fedora
-  password: fedora
-  chpasswd: { expire: False }
-  ssh_pwauth: True
-```
+### U Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## O Series
+
+The O Series is based on the U Series, with the only difference
+being that memory is overcommitted.
+
+*O* is the abbreviation for "Overcommitted".
+
+### UO Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *Overcommitted Memory* - Memory is over-committed in order to achieve
+  a higher workload density.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## CX Series
+
+The CX Series provides exclusive compute resources for compute
+intensive applications.
+
+*CX* is the abbreviation of "Compute Exclusive".
+
+The exclusive resources are given to the compute threads of the
+VM. In order to ensure this, some additional cores (depending
+on the number of disks and NICs) will be requested to offload
+the IO threading from cores dedicated to the workload.
+In addition, in this series, the NUMA topology of the used
+cores is provided to the VM.
+
+### CX Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vNUMA* - Physical NUMA topology is reflected in the guest in order to
+  optimize guest sided cache utilization.
+- *vCPU-To-Memory Ratio (1:2)* - A vCPU-to-Memory ratio of 1:2.
+
+## M Series
+
+The M Series provides resources for memory intensive
+applications.
+
+*M* is the abbreviation of "Memory".
+
+### M Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:8)* - A vCPU-to-Memory ratio of 1:8, for much
+  less noise per node.
+
+## RT Series
+
+The RT Series provides resources for realtime applications, like Oslat.
+
+*RT* is the abbreviation for "realtime".
+
+This series of instance types requires nodes capable of running
+realtime applications.
+
+### RT Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4 starting from
+  the medium size.
+
+## Development
+
+To get started with customizing or creating your own instancetypes and preferences
+see [DEVELOPMENT.md](./DEVELOPMENT.md).
+
+## Resources
+
+The following instancetype resources are provided by Cozystack:
+
+Name | vCPUs | Memory
+-----|-------|-------
+cx1.2xlarge  |  8  |  16Gi
+cx1.4xlarge  |  16  |  32Gi
+cx1.8xlarge  |  32  |  64Gi
+cx1.large  |  2  |  4Gi
+cx1.medium  |  1  |  2Gi
+cx1.xlarge  |  4  |  8Gi
+gn1.2xlarge  |  8  |  32Gi
+gn1.4xlarge  |  16  |  64Gi
+gn1.8xlarge  |  32  |  128Gi
+gn1.xlarge  |  4  |  16Gi
+m1.2xlarge  |  8  |  64Gi
+m1.4xlarge  |  16  |  128Gi
+m1.8xlarge  |  32  |  256Gi
+m1.large  |  2  |  16Gi
+m1.xlarge  |  4  |  32Gi
+n1.2xlarge  |  16  |  32Gi
+n1.4xlarge  |  32  |  64Gi
+n1.8xlarge  |  64  |  128Gi
+n1.large  |  4  |  8Gi
+n1.medium  |  4  |  4Gi
+n1.xlarge  |  8  |  16Gi
+o1.2xlarge  |  8  |  32Gi
+o1.4xlarge  |  16  |  64Gi
+o1.8xlarge  |  32  |  128Gi
+o1.large  |  2  |  8Gi
+o1.medium  |  1  |  4Gi
+o1.micro  |  1  |  1Gi
+o1.nano  |  1  |  512Mi
+o1.small  |  1  |  2Gi
+o1.xlarge  |  4  |  16Gi
+rt1.2xlarge  |  8  |  32Gi
+rt1.4xlarge  |  16  |  64Gi
+rt1.8xlarge  |  32  |  128Gi
+rt1.large  |  2  |  8Gi
+rt1.medium  |  1  |  4Gi
+rt1.micro  |  1  |  1Gi
+rt1.small  |  1  |  2Gi
+rt1.xlarge  |  4  |  16Gi
+u1.2xlarge  |  8  |  32Gi
+u1.2xmedium  |  2  |  4Gi
+u1.4xlarge  |  16  |  64Gi
+u1.8xlarge  |  32  |  128Gi
+u1.large  |  2  |  8Gi
+u1.medium  |  1  |  4Gi
+u1.micro  |  1  |  1Gi
+u1.nano  |  1  |  512Mi
+u1.small  |  1  |  2Gi
+u1.xlarge  |  4  |  16Gi
+
+The following preference resources are provided by Cozystack:
+
+Name | Guest OS
+-----|---------
+alpine | Alpine
+centos.7 | CentOS 7
+centos.7.desktop | CentOS 7
+centos.stream10 | CentOS Stream 10
+centos.stream10.desktop | CentOS Stream 10
+centos.stream8 | CentOS Stream 8
+centos.stream8.desktop | CentOS Stream 8
+centos.stream8.dpdk | CentOS Stream 8
+centos.stream9 | CentOS Stream 9
+centos.stream9.desktop | CentOS Stream 9
+centos.stream9.dpdk | CentOS Stream 9
+cirros | Cirros
+fedora | Fedora (amd64)
+fedora.arm64 | Fedora (arm64)
+opensuse.leap | OpenSUSE Leap
+opensuse.tumbleweed | OpenSUSE Tumbleweed
+rhel.10 | Red Hat Enterprise Linux 10 Beta (amd64)
+rhel.10.arm64 | Red Hat Enterprise Linux 10 Beta (arm64)
+rhel.7 | Red Hat Enterprise Linux 7
+rhel.7.desktop | Red Hat Enterprise Linux 7
+rhel.8 | Red Hat Enterprise Linux 8
+rhel.8.desktop | Red Hat Enterprise Linux 8
+rhel.8.dpdk | Red Hat Enterprise Linux 8
+rhel.9 | Red Hat Enterprise Linux 9 (amd64)
+rhel.9.arm64 | Red Hat Enterprise Linux 9 (arm64)
+rhel.9.desktop | Red Hat Enterprise Linux 9 Desktop (amd64)
+rhel.9.dpdk | Red Hat Enterprise Linux 9 DPDK (amd64)
+rhel.9.realtime | Red Hat Enterprise Linux 9 Realtime (amd64)
+sles | SUSE Linux Enterprise Server
+ubuntu | Ubuntu
+windows.10 | Microsoft Windows 10
+windows.10.virtio | Microsoft Windows 10 (virtio)
+windows.11 | Microsoft Windows 11
+windows.11.virtio | Microsoft Windows 11 (virtio)
+windows.2k16 | Microsoft Windows Server 2016
+windows.2k16.virtio | Microsoft Windows Server 2016 (virtio)
+windows.2k19 | Microsoft Windows Server 2019
+windows.2k19.virtio | Microsoft Windows Server 2019 (virtio)
+windows.2k22 | Microsoft Windows Server 2022
+windows.2k22.virtio | Microsoft Windows Server 2022 (virtio)
+windows.2k25 | Microsoft Windows Server 2025
+windows.2k25.virtio | Microsoft Windows Server 2025 (virtio)

packages/apps/virtual-machine/hack/update-instance-types.sh

@@ -0,0 +1 @@
+#!/bin/sh

packages/apps/virtual-machine/templates/vm.yaml

@@ -1,3 +1,10 @@
+{{- if and .Values.instanceType (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterInstancetype" "" .Values.instanceType)) }}
+{{-   fail (printf "Specified instancetype not exists in cluster: %s" .Values.instanceType) }}
+{{- end }}
+{{- if and .Values.instanceProfile (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterPreference" "" .Values.instanceProfile)) }}
+{{-   fail (printf "Specified profile not exists in cluster: %s" .Values.instanceProfile) }}
+{{- end }}
+
 apiVersion: kubevirt.io/v1
 kind: VirtualMachine
 metadata:
@@ -6,6 +13,16 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   running: {{ .Values.running | default "true" }}
+  {{- with .Values.instanceType }}
+  instancetype:
+    kind: VirtualMachineClusterInstancetype
+    name: {{ . }}
+  {{- end }}
+  {{- with .Values.instanceProfile }}
+  preference:
+    kind: VirtualMachineClusterPreference
+    name: {{ . }}
+  {{- end }}
   dataVolumeTemplates:
   - metadata:
       name: {{ include "virtual-machine.fullname" . }}
@@ -16,23 +33,24 @@ spec:
         - ReadWriteMany
         resources:
           requests:
-            storage: {{ .Values.resources.disk | quote }}
-        {{- with $.Values.storageClass }}
+            storage: {{ .Values.systemDisk.storage | quote }}
+        {{- with .Values.systemDisk.storageClass }}
         storageClassName: {{ . }}
         {{- end }}
       source:
         http:
-          {{- if eq .Values.image "cirros" }}
+          {{- if eq .Values.systemDisk.image "cirros" }}
           url: https://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img
-          {{- else if eq .Values.image "ubuntu" }}
+          {{- else if eq .Values.systemDisk.image "ubuntu" }}
           url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
-          {{- else if eq .Values.image "fedora" }}
+          {{- else if eq .Values.systemDisk.image "fedora" }}
           url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
-          {{- else if eq .Values.image "alpine" }}
+          {{- else if eq .Values.systemDisk.image "alpine" }}
           url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
-          {{- else if eq .Values.image "talos" }}
+          {{- else if eq .Values.systemDisk.image "talos" }}
           url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
           {{- end }}
+
   template:
     metadata:
       annotations:
@@ -41,8 +59,15 @@ spec:
         {{- include "virtual-machine.labels" . | nindent 8 }}
     spec:
       domain:
+        {{- if and .Values.resources .Values.resources.cpu }}
         cpu:
           cores: {{ .Values.resources.cpu }}
+        {{- end }}
+        {{- if and .Values.resources .Values.resources.memory }}
+        resources:
+          requests:
+            memory: {{ .Values.resources.memory | quote }}
+        {{- end }}
         devices:
           disks:
           - disk:
@@ -58,9 +83,6 @@ spec:
             bridge: {}
         machine:
           type: ""
-        resources:
-          requests:
-            memory: {{ .Values.resources.memory | quote }}
       {{- with .Values.sshKeys }}
       accessCredentials:
       - sshPublicKey:

packages/apps/virtual-machine/values.schema.json

@@ -20,41 +20,153 @@
       "description": "Determines if the virtual machine should be running",
       "default": true
     },
-    "image": {
+    "instanceType": {
       "type": "string",
-      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
-      "default": "ubuntu",
+      "description": "Virtual Machine instance type",
+      "default": "u1.medium",
+      "optional": true,
       "enum": [
-        "ubuntu",
-        "cirros",
-        "alpine",
-        "fedora",
-        "talos"
+        "cx1.2xlarge",
+        "cx1.4xlarge",
+        "cx1.8xlarge",
+        "cx1.large",
+        "cx1.medium",
+        "cx1.xlarge",
+        "gn1.2xlarge",
+        "gn1.4xlarge",
+        "gn1.8xlarge",
+        "gn1.xlarge",
+        "m1.2xlarge",
+        "m1.4xlarge",
+        "m1.8xlarge",
+        "m1.large",
+        "m1.xlarge",
+        "n1.2xlarge",
+        "n1.4xlarge",
+        "n1.8xlarge",
+        "n1.large",
+        "n1.medium",
+        "n1.xlarge",
+        "o1.2xlarge",
+        "o1.4xlarge",
+        "o1.8xlarge",
+        "o1.large",
+        "o1.medium",
+        "o1.micro",
+        "o1.nano",
+        "o1.small",
+        "o1.xlarge",
+        "rt1.2xlarge",
+        "rt1.4xlarge",
+        "rt1.8xlarge",
+        "rt1.large",
+        "rt1.medium",
+        "rt1.micro",
+        "rt1.small",
+        "rt1.xlarge",
+        "u1.2xlarge",
+        "u1.2xmedium",
+        "u1.4xlarge",
+        "u1.8xlarge",
+        "u1.large",
+        "u1.medium",
+        "u1.micro",
+        "u1.nano",
+        "u1.small",
+        "u1.xlarge",
+        ""
       ]
     },
-    "storageClass": {
+    "instanceProfile": {
       "type": "string",
-      "description": "StorageClass used to store the data",
-      "default": "replicated"
+      "description": "Virtual Machine prefferences profile",
+      "default": "ubuntu",
+      "optional": true,
+      "enum": [
+        "alpine",
+        "centos.7",
+        "centos.7.desktop",
+        "centos.stream10",
+        "centos.stream10.desktop",
+        "centos.stream8",
+        "centos.stream8.desktop",
+        "centos.stream8.dpdk",
+        "centos.stream9",
+        "centos.stream9.desktop",
+        "centos.stream9.dpdk",
+        "cirros",
+        "fedora",
+        "fedora.arm64",
+        "opensuse.leap",
+        "opensuse.tumbleweed",
+        "rhel.10",
+        "rhel.10.arm64",
+        "rhel.7",
+        "rhel.7.desktop",
+        "rhel.8",
+        "rhel.8.desktop",
+        "rhel.8.dpdk",
+        "rhel.9",
+        "rhel.9.arm64",
+        "rhel.9.desktop",
+        "rhel.9.dpdk",
+        "rhel.9.realtime",
+        "sles",
+        "ubuntu",
+        "windows.10",
+        "windows.10.virtio",
+        "windows.11",
+        "windows.11.virtio",
+        "windows.2k16",
+        "windows.2k16.virtio",
+        "windows.2k19",
+        "windows.2k19.virtio",
+        "windows.2k22",
+        "windows.2k22.virtio",
+        "windows.2k25",
+        "windows.2k25.virtio",
+        ""
+      ]
+    },
+    "systemDisk": {
+      "type": "object",
+      "properties": {
+        "image": {
+          "type": "string",
+          "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
+          "default": "ubuntu",
+          "enum": [
+            "ubuntu",
+            "cirros",
+            "alpine",
+            "fedora",
+            "talos"
+          ]
+        },
+        "storage": {
+          "type": "string",
+          "description": "The size of the disk allocated for the virtual machine",
+          "default": "5Gi"
+        },
+        "storageClass": {
+          "type": "string",
+          "description": "StorageClass used to store the data",
+          "default": "replicated"
+        }
+      }
     },
     "resources": {
       "type": "object",
       "properties": {
         "cpu": {
-          "type": "number",
+          "type": "string",
           "description": "The number of CPU cores allocated to the virtual machine",
-          "default": 1
+          "default": ""
         },
         "memory": {
           "type": "string",
           "description": "The amount of memory allocated to the virtual machine",
-          "default": "1024M",
-          "x-display": "slider"
-        },
-        "disk": {
-          "type": "string",
-          "description": "The size of the disk allocated for the virtual machine",
-          "default": "5Gi"
+          "default": ""
         }
       }
     },

packages/apps/virtual-machine/values.yaml

@@ -2,24 +2,33 @@
 
 ## @param external Enable external access from outside the cluster
 ## @param externalPorts [array] Specify ports to forward from outside the cluster
-## @param running Determines if the virtual machine should be running
-## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
-## @param storageClass StorageClass used to store the data
-## @param resources.cpu The number of CPU cores allocated to the virtual machine
-## @param resources.memory The amount of memory allocated to the virtual machine
-## @param resources.disk The size of the disk allocated for the virtual machine
-
 external: false
 externalPorts:
 - 22
 
+## @param running Determines if the virtual machine should be running
 running: true
-image: ubuntu
-storageClass: replicated
+
+## @param instanceType Virtual Machine instance type
+## @param instanceProfile Virtual Machine prefferences profile
+##
+instanceType: "u1.medium"
+instanceProfile: ubuntu
+
+## @param systemDisk.image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
+## @param systemDisk.storage The size of the disk allocated for the virtual machine
+## @param systemDisk.storageClass StorageClass used to store the data
+## 
+systemDisk:
+  image: ubuntu
+  storage: 5Gi
+  storageClass: replicated
+
+## @param resources.cpu The number of CPU cores allocated to the virtual machine
+## @param resources.memory The amount of memory allocated to the virtual machine
 resources:
-  cpu: 1
-  memory: 1024M
-  disk: 5Gi
+  cpu: ""
+  memory: ""
 
 ## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
 ## Example:
@@ -40,4 +49,3 @@ sshKeys: []
 ##
 cloudInit: |
   #cloud-config
-

packages/apps/vm-disk/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+/logos
+/Makefile

packages/apps/vm-disk/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: vm-disk
+description: Virtual Machine disk
+icon: /logos/disk.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: 0.1.0

packages/apps/vm-disk/Makefile

@@ -0,0 +1,4 @@
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/vm-disk/README.md

@@ -0,0 +1,14 @@
+# Virtual Machine Disk
+
+A Virtual Machine Disk
+
+## Parameters
+
+### Common parameters
+
+| Name           | Description                                            | Value        |
+| -------------- | ------------------------------------------------------ | ------------ |
+| `source`       | The source image location used to create a disk        | `{}`         |
+| `optical`      | Defines is disk should be considered as optical        | `false`      |
+| `storage`      | The size of the disk allocated for the virtual machine | `5Gi`        |
+| `storageClass` | StorageClass used to store the data                    | `replicated` |

packages/apps/vm-disk/templates/NOTES.txt

@@ -0,0 +1,5 @@
+{{- if and .Values.source (hasKey .Values.source "upload") }}
+To upload your disk run:
+
+virtctl image-upload dv -n {{ .Release.Namespace }} {{ .Release.Name }} --image-path <path_to_image>
+{{- end }}

packages/apps/vm-disk/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - cdi.kubevirt.io
+  resources:
+  - datavolumes
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/vm-disk/templates/dv.yaml

@@ -0,0 +1,36 @@
+{{- $existingDV := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" .Release.Namespace .Release.Name }}
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: DataVolume
+metadata:
+  annotations:
+    cdi.kubevirt.io/storage.bind.immediate.requested: ""
+    vm-disk.cozystack.io/optical: "{{ .Values.optical }}"
+  name: {{ .Release.Name }}
+spec:
+  {{- if $existingDV }}
+    {{- toYaml $existingDV.spec | nindent 2 }}
+  {{- else }} 
+  contentType: kubevirt
+  {{- if .Values.source }}
+  {{- if gt (len .Values.source) 1 }}
+    {{- fail "Exactly one type of source is expected!" }}
+  {{- end }}
+  source:
+    {{- if hasKey .Values.source "http" }}
+    http:
+      url: {{ required "A valid .Values.source.http.url entry required!" .Values.source.http.url }}
+    {{- else if hasKey .Values.source "upload" }}
+    upload: {}
+    {{- end }}
+  {{- else }}
+  source:
+    blank: {}
+  {{- end }}
+  storage:
+    resources:
+      requests:
+        storage: {{ .Values.storage }}
+    {{- with .Values.storageClass }}
+    storageClassName: {{ . }}
+    {{- end }}
+  {{- end }}

packages/apps/vm-disk/templates/pvc-resize-hook.yaml

@@ -0,0 +1,68 @@
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" .Release.Namespace .Release.Name }}
+{{- if and $existingPVC (ne ($existingPVC.spec.resources.requests.storage | toString) .Values.storage) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-volume-resize-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ .Release.Name }}-volume-resize-hook
+      restartPolicy: Never
+      backoffLimit: 1
+      containers:
+        - name: resize
+          image: bitnami/kubectl
+          command: ["sh", "-xec"]
+          args:
+            - |
+              kubectl patch pvc {{ .Release.Name }} -p '{"spec":{"resources":{"requests":{"storage":"{{ .Values.storage }}"}}}}'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-volume-resize-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-volume-resize-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    verbs: ["delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-volume-resize-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-volume-resize-hook
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-volume-resize-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-disk/values.schema.json

@@ -0,0 +1,26 @@
+{
+    "title": "Chart Values",
+    "type": "object",
+    "properties": {
+        "source": {
+            "type": "object",
+            "description": "The source image location used to create a disk",
+            "default": {}
+        },
+        "optical": {
+            "type": "boolean",
+            "description": "Defines is disk should be considered as optical",
+            "default": false
+        },
+        "storage": {
+            "type": "string",
+            "description": "The size of the disk allocated for the virtual machine",
+            "default": "5Gi"
+        },
+        "storageClass": {
+            "type": "string",
+            "description": "StorageClass used to store the data",
+            "default": "replicated"
+        }
+    }
+}

packages/apps/vm-disk/values.yaml

@@ -0,0 +1,28 @@
+## @section Common parameters
+
+## @param source The source image location used to create a disk
+## Example upload local image:
+## source:
+##   upload: {}
+##
+## Example download image from http source:
+## source:
+##   http:
+##     url: "https://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img"
+##
+## Well known public images:
+## ubuntu: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
+## fedora: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
+## cirros: https://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img
+## alpine: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
+## talos: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
+
+source: {}
+
+## @param optical Defines is disk should be considered as optical
+optical: false
+
+## @param storage The size of the disk allocated for the virtual machine
+## @param storageClass StorageClass used to store the data
+storage: 5Gi
+storageClass: replicated

packages/apps/vm-instance/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+/logos
+/Makefile

packages/apps/vm-instance/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+#name: Virtual Machine
+name: vm-instance
+description: Virtual machine instance
+icon: /logos/vm.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

packages/apps/vm-instance/Makefile

@@ -0,0 +1,10 @@
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -o json -i '.properties.disks.items.type = "object" | .properties.disks.default = []' values.schema.json
+	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
+	  && yq -i -o json ".properties.instanceType.optional=true | .properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
+	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
+	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
+	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json

packages/apps/vm-instance/README.md

@@ -0,0 +1,266 @@
+# Virtual Machine
+
+A Virtual Machine (VM) simulates computer hardware, enabling various operating systems and applications to run in an isolated environment.
+
+## Deployment Details
+
+The virtual machine is managed and hosted through KubeVirt, allowing you to harness the benefits of virtualization within your Kubernetes ecosystem.
+
+- Docs: [KubeVirt User Guide](https://kubevirt.io/user-guide/)
+- GitHub: [KubeVirt Repository](https://github.com/kubevirt/kubevirt)
+
+## Accessing virtual machine
+
+You can access the virtual machine using the virtctl tool:
+- [KubeVirt User Guide - Virtctl Client Tool](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/)
+
+To access the serial console:
+
+```
+virtctl console <vm>
+```
+
+To access the VM using VNC:
+
+```
+virtctl vnc <vm>
+```
+
+To SSH into the VM:
+
+```
+virtctl ssh <user>@<vm>
+```
+
+## Parameters
+
+### Common parameters
+
+| Name               | Description                                                                        | Value            |
+| ------------------ | ---------------------------------------------------------------------------------- | ---------------- |
+| `external`         | Enable external access from outside the cluster                                    | `false`          |
+| `externalPorts`    | Specify ports to forward from outside the cluster                                  | `[]`             |
+| `running`          | Determines if the virtual machine should be running                                | `true`           |
+| `instanceType`     | Virtual Machine instance type                                                      | `u1.medium`      |
+| `instanceProfile`  | Virtual Machine prefferences profile                                               | `ubuntu`         |
+| `disks`            | List of disks to attach                                                            | `[]`             |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                           | `""`             |
+| `resources.memory` | The amount of memory allocated to the virtual machine                              | `""`             |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys. | `[]`             |
+| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.        | `#cloud-config
+` |
+
+## U Series
+
+The U Series is quite neutral and provides resources for
+general purpose applications.
+
+*U* is the abbreviation for "Universal", hinting at the universal
+attitude towards workloads.
+
+VMs of instance types will share physical CPU cores on a
+time-slice basis with other VMs.
+
+### U Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## O Series
+
+The O Series is based on the U Series, with the only difference
+being that memory is overcommitted.
+
+*O* is the abbreviation for "Overcommitted".
+
+### UO Series Characteristics
+
+Specific characteristics of this series are:
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *Overcommitted Memory* - Memory is over-committed in order to achieve
+  a higher workload density.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4, for less
+  noise per node.
+
+## CX Series
+
+The CX Series provides exclusive compute resources for compute
+intensive applications.
+
+*CX* is the abbreviation of "Compute Exclusive".
+
+The exclusive resources are given to the compute threads of the
+VM. In order to ensure this, some additional cores (depending
+on the number of disks and NICs) will be requested to offload
+the IO threading from cores dedicated to the workload.
+In addition, in this series, the NUMA topology of the used
+cores is provided to the VM.
+
+### CX Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vNUMA* - Physical NUMA topology is reflected in the guest in order to
+  optimize guest sided cache utilization.
+- *vCPU-To-Memory Ratio (1:2)* - A vCPU-to-Memory ratio of 1:2.
+
+## M Series
+
+The M Series provides resources for memory intensive
+applications.
+
+*M* is the abbreviation of "Memory".
+
+### M Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Burstable CPU performance* - The workload has a baseline compute
+  performance but is permitted to burst beyond this baseline, if
+  excess compute resources are available.
+- *vCPU-To-Memory Ratio (1:8)* - A vCPU-to-Memory ratio of 1:8, for much
+  less noise per node.
+
+## RT Series
+
+The RT Series provides resources for realtime applications, like Oslat.
+
+*RT* is the abbreviation for "realtime".
+
+This series of instance types requires nodes capable of running
+realtime applications.
+
+### RT Series Characteristics
+
+Specific characteristics of this series are:
+- *Hugepages* - Hugepages are used in order to improve memory
+  performance.
+- *Dedicated CPU* - Physical cores are exclusively assigned to every
+  vCPU in order to provide fixed and high compute guarantees to the
+  workload.
+- *Isolated emulator threads* - Hypervisor emulator threads are isolated
+  from the vCPUs in order to reduce emaulation related impact on the
+  workload.
+- *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4 starting from
+  the medium size.
+
+## Development
+
+To get started with customizing or creating your own instancetypes and preferences
+see [DEVELOPMENT.md](./DEVELOPMENT.md).
+
+## Resources
+
+The following instancetype resources are provided by Cozystack:
+
+Name | vCPUs | Memory
+-----|-------|-------
+cx1.2xlarge  |  8  |  16Gi
+cx1.4xlarge  |  16  |  32Gi
+cx1.8xlarge  |  32  |  64Gi
+cx1.large  |  2  |  4Gi
+cx1.medium  |  1  |  2Gi
+cx1.xlarge  |  4  |  8Gi
+gn1.2xlarge  |  8  |  32Gi
+gn1.4xlarge  |  16  |  64Gi
+gn1.8xlarge  |  32  |  128Gi
+gn1.xlarge  |  4  |  16Gi
+m1.2xlarge  |  8  |  64Gi
+m1.4xlarge  |  16  |  128Gi
+m1.8xlarge  |  32  |  256Gi
+m1.large  |  2  |  16Gi
+m1.xlarge  |  4  |  32Gi
+n1.2xlarge  |  16  |  32Gi
+n1.4xlarge  |  32  |  64Gi
+n1.8xlarge  |  64  |  128Gi
+n1.large  |  4  |  8Gi
+n1.medium  |  4  |  4Gi
+n1.xlarge  |  8  |  16Gi
+o1.2xlarge  |  8  |  32Gi
+o1.4xlarge  |  16  |  64Gi
+o1.8xlarge  |  32  |  128Gi
+o1.large  |  2  |  8Gi
+o1.medium  |  1  |  4Gi
+o1.micro  |  1  |  1Gi
+o1.nano  |  1  |  512Mi
+o1.small  |  1  |  2Gi
+o1.xlarge  |  4  |  16Gi
+rt1.2xlarge  |  8  |  32Gi
+rt1.4xlarge  |  16  |  64Gi
+rt1.8xlarge  |  32  |  128Gi
+rt1.large  |  2  |  8Gi
+rt1.medium  |  1  |  4Gi
+rt1.micro  |  1  |  1Gi
+rt1.small  |  1  |  2Gi
+rt1.xlarge  |  4  |  16Gi
+u1.2xlarge  |  8  |  32Gi
+u1.2xmedium  |  2  |  4Gi
+u1.4xlarge  |  16  |  64Gi
+u1.8xlarge  |  32  |  128Gi
+u1.large  |  2  |  8Gi
+u1.medium  |  1  |  4Gi
+u1.micro  |  1  |  1Gi
+u1.nano  |  1  |  512Mi
+u1.small  |  1  |  2Gi
+u1.xlarge  |  4  |  16Gi
+
+The following preference resources are provided by Cozystack:
+
+Name | Guest OS
+-----|---------
+alpine | Alpine
+centos.7 | CentOS 7
+centos.7.desktop | CentOS 7
+centos.stream10 | CentOS Stream 10
+centos.stream10.desktop | CentOS Stream 10
+centos.stream8 | CentOS Stream 8
+centos.stream8.desktop | CentOS Stream 8
+centos.stream8.dpdk | CentOS Stream 8
+centos.stream9 | CentOS Stream 9
+centos.stream9.desktop | CentOS Stream 9
+centos.stream9.dpdk | CentOS Stream 9
+cirros | Cirros
+fedora | Fedora (amd64)
+fedora.arm64 | Fedora (arm64)
+opensuse.leap | OpenSUSE Leap
+opensuse.tumbleweed | OpenSUSE Tumbleweed
+rhel.10 | Red Hat Enterprise Linux 10 Beta (amd64)
+rhel.10.arm64 | Red Hat Enterprise Linux 10 Beta (arm64)
+rhel.7 | Red Hat Enterprise Linux 7
+rhel.7.desktop | Red Hat Enterprise Linux 7
+rhel.8 | Red Hat Enterprise Linux 8
+rhel.8.desktop | Red Hat Enterprise Linux 8
+rhel.8.dpdk | Red Hat Enterprise Linux 8
+rhel.9 | Red Hat Enterprise Linux 9 (amd64)
+rhel.9.arm64 | Red Hat Enterprise Linux 9 (arm64)
+rhel.9.desktop | Red Hat Enterprise Linux 9 Desktop (amd64)
+rhel.9.dpdk | Red Hat Enterprise Linux 9 DPDK (amd64)
+rhel.9.realtime | Red Hat Enterprise Linux 9 Realtime (amd64)
+sles | SUSE Linux Enterprise Server
+ubuntu | Ubuntu
+windows.10 | Microsoft Windows 10
+windows.10.virtio | Microsoft Windows 10 (virtio)
+windows.11 | Microsoft Windows 11
+windows.11.virtio | Microsoft Windows 11 (virtio)
+windows.2k16 | Microsoft Windows Server 2016
+windows.2k16.virtio | Microsoft Windows Server 2016 (virtio)
+windows.2k19 | Microsoft Windows Server 2019
+windows.2k19.virtio | Microsoft Windows Server 2019 (virtio)
+windows.2k22 | Microsoft Windows Server 2022
+windows.2k22.virtio | Microsoft Windows Server 2022 (virtio)
+windows.2k25 | Microsoft Windows Server 2025
+windows.2k25.virtio | Microsoft Windows Server 2025 (virtio)

packages/apps/vm-instance/hack/update-instance-types.sh

@@ -0,0 +1 @@
+#!/bin/sh

packages/apps/vm-instance/logos/vm.svg

@@ -0,0 +1,21 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_687_3454)"/>
+<g clip-path="url(#clip0_687_3454)">
+<path d="M89.5039 111.707H54.497C54.1727 111.707 54.0108 111.221 54.3349 111.059L57.2522 108.952C60.3314 106.683 61.9522 102.631 60.9797 98.7412H83.021C82.0485 102.631 83.6693 106.683 86.7485 108.952L89.6658 111.059C89.99 111.221 89.8279 111.707 89.5039 111.707Z" fill="#B0B6BB"/>
+<path d="M113.328 98.741H30.6725C27.5931 98.741 25 96.148 25 93.0687V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032V93.0687C119 96.148 116.407 98.741 113.328 98.741Z" fill="#E8EDEE"/>
+<path d="M119 84.1549H25V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032L119 84.1549Z" fill="#00B3FF"/>
+<path d="M90.6374 116.569H53.3616C52.0651 116.569 50.9307 115.435 50.9307 114.138C50.9307 112.841 52.0651 111.707 53.3616 111.707H90.6374C91.9339 111.707 93.0684 112.841 93.0684 114.138C93.0684 115.435 91.9339 116.569 90.6374 116.569Z" fill="#E8EDEE"/>
+</g>
+<path d="M72.5275 53.8367C72.4431 53.8351 72.3605 53.8122 72.2873 53.7701L56.4699 44.7934C56.3983 44.7519 56.3388 44.6923 56.2973 44.6207C56.2559 44.549 56.2338 44.4678 56.2334 44.385C56.2334 44.2169 56.3258 44.0617 56.4699 43.9785L72.1912 35.0609C72.2637 35.021 72.345 35 72.4277 35C72.5105 35 72.5918 35.021 72.6643 35.0609L88.4872 44.0395C88.5591 44.0801 88.6188 44.1392 88.66 44.2107C88.7013 44.2822 88.7227 44.3635 88.7219 44.446C88.7225 44.5285 88.701 44.6097 88.6598 44.6812C88.6185 44.7526 88.5589 44.8118 88.4872 44.8525L72.7714 53.7683C72.6972 53.8114 72.6133 53.8349 72.5275 53.8367" fill="white"/>
+<path opacity="0.7" d="M70.2553 75.6517C70.171 75.6535 70.0878 75.6317 70.0151 75.5888L54.2458 66.6417C54.1715 66.6024 54.1095 66.5436 54.0661 66.4716C54.0228 66.3997 54 66.3173 54 66.2333V48.278C54 48.108 54.0924 47.9546 54.2439 47.8696C54.3172 47.8271 54.4004 47.8047 54.4851 47.8047C54.5697 47.8047 54.6529 47.8271 54.7262 47.8696L70.4937 56.8131C70.5642 56.8565 70.6225 56.917 70.6632 56.9891C70.7039 57.0612 70.7257 57.1424 70.7265 57.2251V75.1805C70.7259 75.2628 70.7042 75.3436 70.6635 75.4151C70.6227 75.4866 70.5642 75.5464 70.4937 75.5888C70.4206 75.6291 70.3387 75.6507 70.2553 75.6517" fill="white"/>
+<path opacity="0.4" d="M74.7198 75.6511C74.6333 75.6512 74.5482 75.6296 74.4722 75.5883C74.4016 75.5461 74.3432 75.4862 74.3027 75.4147C74.2623 75.3431 74.2411 75.2622 74.2412 75.18V57.3373C74.2412 57.171 74.3336 57.0158 74.4722 56.929L90.2397 47.9855C90.3119 47.9438 90.3938 47.9219 90.4771 47.9219C90.5605 47.9219 90.6424 47.9438 90.7146 47.9855C90.7876 48.0255 90.8485 48.0842 90.8911 48.1557C90.9337 48.2272 90.9563 48.3088 90.9566 48.392V66.2328C90.957 66.3164 90.9347 66.3985 90.8921 66.4704C90.8495 66.5424 90.7881 66.6014 90.7146 66.6411L74.9526 75.5883C74.8825 75.6307 74.8018 75.6525 74.7198 75.6511" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_687_3454" x1="161" y1="180" x2="3.59284e-07" y2="4.99998" gradientUnits="userSpaceOnUse">
+<stop/>
+<stop offset="1" stop-color="#595656"/>
+</linearGradient>
+<clipPath id="clip0_687_3454">
+<rect width="94" height="94" fill="white" transform="translate(25 25)"/>
+</clipPath>
+</defs>
+</svg>

packages/apps/vm-instance/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "virtual-machine.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "virtual-machine.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "virtual-machine.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "virtual-machine.labels" -}}
+helm.sh/chart: {{ include "virtual-machine.chart" . }}
+{{ include "virtual-machine.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "virtual-machine.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "virtual-machine.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

packages/apps/vm-instance/templates/secret.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.sshKeys }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+stringData:
+  {{- range $k, $v := .Values.sshKeys }}
+  key{{ $k }}: {{ quote $v }} 
+  {{- end }}
+{{- end }}
+{{- if .Values.cloudInit }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}-cloud-init
+stringData:
+  userdata: |
+    {{- .Values.cloudInit | nindent 4 }}
+{{- end }}

packages/apps/vm-instance/templates/service.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.external }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+  labels:
+    {{- include "virtual-machine.labels" . | nindent 4 }}
+spec:
+  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+  externalTrafficPolicy: Local
+  allocateLoadBalancerNodePorts: false
+  selector:
+    {{- include "virtual-machine.labels" . | nindent 4 }}
+  ports:
+    {{- range .Values.externalPorts }}
+    - name: port-{{ . }}
+      port: {{ . }}
+      targetPort: {{ . }}
+    {{- end }}
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -0,0 +1,98 @@
+{{- if and .Values.instanceType (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterInstancetype" "" .Values.instanceType)) }}
+{{-   fail (printf "Specified instancetype not exists in cluster: %s" .Values.instanceType) }}
+{{- end }}
+{{- if and .Values.instanceProfile (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterPreference" "" .Values.instanceProfile)) }}
+{{-   fail (printf "Specified profile not exists in cluster: %s" .Values.instanceProfile) }}
+{{- end }}
+
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+  labels:
+    {{- include "virtual-machine.labels" . | nindent 4 }}
+spec:
+  running: {{ .Values.running | default "true" }}
+  {{- with .Values.instanceType }}
+  instancetype:
+    kind: VirtualMachineClusterInstancetype
+    name: {{ . }}
+    revisionName: null
+  {{- end }}
+  {{- with .Values.instanceProfile }}
+  preference:
+    kind: VirtualMachineClusterPreference
+    name: {{ . }}
+    revisionName: null
+  {{- end }}
+
+  template:
+    metadata:
+      annotations:
+        kubevirt.io/allow-pod-bridge-network-live-migration: "true"
+      labels:
+        {{- include "virtual-machine.labels" . | nindent 8 }}
+    spec:
+      domain:
+        {{- if and .Values.resources .Values.resources.cpu }}
+        cpu:
+          cores: {{ .Values.resources.cpu }}
+        {{- end }}
+        {{- if and .Values.resources .Values.resources.memory }}
+        resources:
+          requests:
+            memory: {{ .Values.resources.memory | quote }}
+        {{- end }}
+        devices:
+          disks:
+          {{- range $i, $disk := .Values.disks }}
+          - name: disk-{{ .name }}
+            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace .name }}
+            {{- if $disk }}
+            {{- if and (hasKey $disk.metadata.annotations "vm-disk.cozystack.io/optical") (eq (index $disk.metadata.annotations "vm-disk.cozystack.io/optical") "true") }}
+            cdrom: {}
+            {{- else }}
+            disk: {}
+            {{- end }}
+            {{- if eq $i 0 }}
+            bootOrder: 1
+            {{- end }}
+            {{- else }}
+            {{-   fail (printf "Specified disk not exists in cluster: %s" .name) }}
+            {{- end }}
+          {{- end }}
+          {{- if or .Values.sshKeys .Values.cloudInit }}
+          - name: cloudinitdisk
+            disk:
+              bus: virtio
+          {{- end }}
+          interfaces:
+          - name: default
+            bridge: {}
+        machine:
+          type: ""
+      {{- with .Values.sshKeys }}
+      accessCredentials:
+      - sshPublicKey:
+          source:
+            secret:
+              secretName: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+          propagationMethod:
+            noCloud: {}
+      {{- end }}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      {{- range .Values.disks }}
+      - name: disk-{{ .name }}
+        dataVolume:
+          name: {{ .name }}
+      {{- end }}
+      {{- if or .Values.sshKeys .Values.cloudInit }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
+          secretRef:
+            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+      {{- end }}
+      networks:
+      - name: default
+        pod: {}

packages/apps/vm-instance/values.schema.json

@@ -0,0 +1,168 @@
+{
+  "title": "Chart Values",
+  "type": "object",
+  "properties": {
+    "external": {
+      "type": "boolean",
+      "description": "Enable external access from outside the cluster",
+      "default": false
+    },
+    "externalPorts": {
+      "type": "array",
+      "description": "Specify ports to forward from outside the cluster",
+      "default": "[]",
+      "items": {
+        "type": "integer"
+      }
+    },
+    "running": {
+      "type": "boolean",
+      "description": "Determines if the virtual machine should be running",
+      "default": true
+    },
+    "instanceType": {
+      "type": "string",
+      "description": "Virtual Machine instance type",
+      "default": "u1.medium",
+      "optional": true,
+      "enum": [
+        "cx1.2xlarge",
+        "cx1.4xlarge",
+        "cx1.8xlarge",
+        "cx1.large",
+        "cx1.medium",
+        "cx1.xlarge",
+        "gn1.2xlarge",
+        "gn1.4xlarge",
+        "gn1.8xlarge",
+        "gn1.xlarge",
+        "m1.2xlarge",
+        "m1.4xlarge",
+        "m1.8xlarge",
+        "m1.large",
+        "m1.xlarge",
+        "n1.2xlarge",
+        "n1.4xlarge",
+        "n1.8xlarge",
+        "n1.large",
+        "n1.medium",
+        "n1.xlarge",
+        "o1.2xlarge",
+        "o1.4xlarge",
+        "o1.8xlarge",
+        "o1.large",
+        "o1.medium",
+        "o1.micro",
+        "o1.nano",
+        "o1.small",
+        "o1.xlarge",
+        "rt1.2xlarge",
+        "rt1.4xlarge",
+        "rt1.8xlarge",
+        "rt1.large",
+        "rt1.medium",
+        "rt1.micro",
+        "rt1.small",
+        "rt1.xlarge",
+        "u1.2xlarge",
+        "u1.2xmedium",
+        "u1.4xlarge",
+        "u1.8xlarge",
+        "u1.large",
+        "u1.medium",
+        "u1.micro",
+        "u1.nano",
+        "u1.small",
+        "u1.xlarge",
+        ""
+      ]
+    },
+    "instanceProfile": {
+      "type": "string",
+      "description": "Virtual Machine prefferences profile",
+      "default": "ubuntu",
+      "optional": true,
+      "enum": [
+        "alpine",
+        "centos.7",
+        "centos.7.desktop",
+        "centos.stream10",
+        "centos.stream10.desktop",
+        "centos.stream8",
+        "centos.stream8.desktop",
+        "centos.stream8.dpdk",
+        "centos.stream9",
+        "centos.stream9.desktop",
+        "centos.stream9.dpdk",
+        "cirros",
+        "fedora",
+        "fedora.arm64",
+        "opensuse.leap",
+        "opensuse.tumbleweed",
+        "rhel.10",
+        "rhel.10.arm64",
+        "rhel.7",
+        "rhel.7.desktop",
+        "rhel.8",
+        "rhel.8.desktop",
+        "rhel.8.dpdk",
+        "rhel.9",
+        "rhel.9.arm64",
+        "rhel.9.desktop",
+        "rhel.9.dpdk",
+        "rhel.9.realtime",
+        "sles",
+        "ubuntu",
+        "windows.10",
+        "windows.10.virtio",
+        "windows.11",
+        "windows.11.virtio",
+        "windows.2k16",
+        "windows.2k16.virtio",
+        "windows.2k19",
+        "windows.2k19.virtio",
+        "windows.2k22",
+        "windows.2k22.virtio",
+        "windows.2k25",
+        "windows.2k25.virtio",
+        ""
+      ]
+    },
+    "disks": {
+      "type": "array",
+      "description": "List of disks to attach",
+      "default": [],
+      "items": {
+        "type": "object"
+      }
+    },
+    "resources": {
+      "type": "object",
+      "properties": {
+        "cpu": {
+          "type": "string",
+          "description": "The number of CPU cores allocated to the virtual machine",
+          "default": ""
+        },
+        "memory": {
+          "type": "string",
+          "description": "The amount of memory allocated to the virtual machine",
+          "default": ""
+        }
+      }
+    },
+    "sshKeys": {
+      "type": "array",
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
+      "default": "[]",
+      "items": {
+        "type": "string"
+      }
+    },
+    "cloudInit": {
+      "type": "string",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "default": "#cloud-config\n"
+    }
+  }
+}

packages/apps/vm-instance/values.yaml

@@ -0,0 +1,49 @@
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param externalPorts [array] Specify ports to forward from outside the cluster
+external: false
+externalPorts:
+- 22
+
+## @param running Determines if the virtual machine should be running
+running: true
+
+## @param instanceType Virtual Machine instance type
+## @param instanceProfile Virtual Machine prefferences profile
+##
+instanceType: "u1.medium"
+instanceProfile: ubuntu
+
+## @param disks [array] List of disks to attach
+## Example:
+## disks:
+## - name: vm-disk-example-system
+## - name: vm-disk-example-data
+disks: []
+
+## @param resources.cpu The number of CPU cores allocated to the virtual machine
+## @param resources.memory The amount of memory allocated to the virtual machine
+resources:
+  cpu: ""
+  memory: ""
+
+## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
+## Example:
+## sshKeys:
+##   - ssh-rsa ...
+##   - ssh-ed25519 ...
+##
+sshKeys: []
+
+## @param cloudInit cloud-init user data config. See cloud-init documentation for more details.
+## - https://cloudinit.readthedocs.io/en/latest/explanation/format.html
+## - https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+## Example:
+## cloudInit: |
+##   #cloud-config
+##   password: ubuntu
+##   chpasswd: { expire: False }
+##
+cloudInit: |
+  #cloud-config

packages/apps/vpn/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vpn/templates/service.yaml

@@ -13,7 +13,7 @@ spec:
   externalTrafficPolicy: Cluster
   {{- else }}
   type: LoadBalancer
-  externalTrafficPolicy: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+  externalTrafficPolicy: {{ ternary "Local" "Cluster" .Values.external }}
   {{- end }}
 
   ports:

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.0
+version: v1.8.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.8.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
     - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.16.5@sha256:5bd08ec86b8392d31a1df7cb496d7c861142771c323c302729f7728da9b49ae2
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.17.0@sha256:2ecb6aacdbb8dfeefeedfa42b1fd13c2a8c1e913924c767bdda83b99c00d0f1e

packages/core/platform/bundles/paas-full.yaml

@@ -79,6 +79,12 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn,kubevirt-operator]
 
+- name: kubevirt-instancetypes
+  releaseName: kubevirt-instancetypes
+  chart: cozy-kubevirt-instancetypes
+  namespace: cozy-kubevirt
+  dependsOn: [cilium,kubeovn,kubevirt-operator,kubevirt]
+
 - name: kubevirt-cdi-operator
   releaseName: kubevirt-cdi-operator
   chart: cozy-kubevirt-cdi-operator

packages/core/platform/templates/namespaces.yaml

@@ -9,7 +9,7 @@
 {{- range $x := $bundle.releases }}
   {{- if not (hasKey $namespaces $x.namespace) }}
     {{- if not (has $x.name $disabledComponents) }}
-      {{- if and ($x.optional) (has $x.name $enabledComponents) }}
+      {{- if or (not $x.optional) (and ($x.optional) (has $x.name $enabledComponents)) }}
         {{- $_ := set $namespaces $x.namespace false }}
       {{- end }}
     {{- end }}

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.16.5@sha256:25b298d621ec79431d106184d59849bbae634588742583d111628126ad8615c5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.17.0@sha256:fc18b11bcf5774da56422095666538e89417a9dbc2e39cc6b9e9014ef60a55d7

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.2.0
+version: 1.3.0

packages/extra/ingress/README.md

@@ -11,4 +11,5 @@
 | `whitelist`      | List of client networks                                           | `[]`    |
 | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
 | `dashboard`      | Should ingress serve Cozystack service dashboard                  | `false` |
+| `cdiUploadProxy` | Should ingress serve CDI upload proxy                             | `false` |
 

packages/extra/ingress/templates/cdi-uploadproxy.yaml

@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{- if .Values.cdiUploadProxy }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if eq $issuerType "cloudflare" }} 
+    {{- else }}
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    {{- end }}
+  name: cdi-uploadproxy-{{ .Release.Namespace }}
+  namespace: cozy-kubevirt-cdi
+spec:
+  ingressClassName: {{ .Release.Namespace }}
+  rules:
+  - host: cdi-uploadproxy.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: cdi-uploadproxy
+            port:
+              number: 443
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cdi-uploadproxy.{{ $host }}
+    secretName: cdi-uploadproxy-{{ .Release.Namespace }}-tls
+{{- end }}

packages/extra/ingress/templates/dashboard.yaml

@@ -1,36 +1,36 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}  
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}  
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 
-{{- if .Values.dashboard }}  
-apiVersion: networking.k8s.io/v1  
-kind: Ingress  
-metadata:  
-  annotations:  
-    cert-manager.io/cluster-issuer: letsencrypt-prod  
+{{- if .Values.dashboard }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
     {{- if eq $issuerType "cloudflare" }} 
-    {{- else }}  
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}  
-    {{- end }}  
-  name: dashboard-{{ .Release.Namespace }}  
-  namespace: cozy-dashboard  
-spec:  
-  ingressClassName: {{ .Release.Namespace }}  
-  rules:  
-  - host: dashboard.{{ $host }}  
-    http:  
-      paths:  
-      - backend:  
-          service:  
-            name: dashboard  
-            port:  
-              number: 80  
-        path: /  
-        pathType: Prefix  
-  tls:  
-  - hosts:  
-    - dashboard.{{ $host }}  
-    secretName: dashboard-{{ .Release.Namespace }}-tls  
+    {{- else }}
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    {{- end }}
+  name: dashboard-{{ .Release.Namespace }}
+  namespace: cozy-dashboard
+spec:
+  ingressClassName: {{ .Release.Namespace }}
+  rules:
+  - host: dashboard.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: dashboard
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - dashboard.{{ $host }}
+    secretName: dashboard-{{ .Release.Namespace }}-tls
 {{- end }}

packages/extra/ingress/values.schema.json

@@ -30,6 +30,11 @@
             "type": "boolean",
             "description": "Should ingress serve Cozystack service dashboard",
             "default": false
+        },
+        "cdiUploadProxy": {
+            "type": "boolean",
+            "description": "Should ingress serve CDI upload proxy",
+            "default": false
         }
     }
 }

packages/extra/ingress/values.yaml

@@ -27,3 +27,6 @@ clouflareProxy: false
 
 ## @param dashboard Should ingress serve Cozystack service dashboard
 dashboard: false
+
+## @param cdiUploadProxy Should ingress serve CDI upload proxy
+cdiUploadProxy: false

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -36,7 +36,7 @@ data:
         'endpoint'    : "/api",
         'provider'    : "basic"
       })
-      .constant('colors', {});    
+      .constant('colors', {});  
 ---
 apiVersion: v1
 kind: Service

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
 
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -94,7 +94,7 @@ spec:
     metadata:
       annotations:
         {{- if ne $issuerType "cloudflare" }}
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"  
+        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
         {{- end }}
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:

packages/extra/versions_map

@@ -6,7 +6,8 @@ etcd 2.2.0 5ca8823
 etcd 2.3.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
-ingress 1.2.0 HEAD
+ingress 1.2.0 ced8e5b
+ingress 1.3.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:latest@sha256:7a1a0864f823dc3343d79dffa44ab73f77f0e1b3642a0fe0fa29b280c3184a9b
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:04e514a992983f51d5deb8b97f0ecaef0ec634e5f5a65806a073db995eaa4109

packages/system/bucket/templates/ingress.yaml

@@ -1,3 +1,4 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.2
+appVersion: 1.16.3
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.2
+version: 1.16.3

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.2](https://img.shields.io/badge/Version-1.16.2-informational?style=flat-square) ![AppVersion: 1.16.2](https://img.shields.io/badge/AppVersion-1.16.2-informational?style=flat-square)
+![Version: 1.16.3](https://img.shields.io/badge/Version-1.16.3-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.2","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.3","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -484,7 +484,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.2","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.3","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -590,7 +590,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -717,7 +717,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716","awsDigest":"sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd","azureDigest":"sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727","genericDigest":"sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.2","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898","awsDigest":"sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916","azureDigest":"sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542","genericDigest":"sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.3","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -767,7 +767,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/templates/_helpers.tpl

@@ -115,7 +115,7 @@ Convert a map to a comma-separated string: key1=value1,key2=value2
 Enable automatic lookup of k8sServiceHost from the cluster-info ConfigMap (kubeadm-based clusters only)
 */}}
 {{- define "k8sServiceHost" }}
-  {{- if eq .Values.k8sServiceHost "auto" }}
+  {{- if and (eq .Values.k8sServiceHost "auto") (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
     {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
     {{- $kubeconfig := get $configmap.data "kubeconfig" }}
     {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }}
@@ -130,7 +130,7 @@ Enable automatic lookup of k8sServiceHost from the cluster-info ConfigMap (kubea
 Enable automatic lookup of k8sServicePort from the cluster-info ConfigMap (kubeadm-based clusters only)
 */}}
 {{- define "k8sServicePort" }}
-  {{- if eq .Values.k8sServiceHost "auto" }}
+  {{- if and (eq .Values.k8sServiceHost "auto") (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
     {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
     {{- $kubeconfig := get $configmap.data "kubeconfig" }}
     {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }}

packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml

@@ -27,6 +27,15 @@ rules:
 {{- end }}
 {{- end }}
 {{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - cilium-config
+  verbs:
+   # allow patching of the configmap to set annotations
+  - patch
 {{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus (include "hasDuration" .Values.operator.endpointGCInterval) }}
 - apiGroups:
   - ""

packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/metrics-server-secret.yaml

@@ -29,4 +29,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - server auth
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml

@@ -19,4 +19,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - client auth
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml

@@ -28,4 +28,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - server auth
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml

@@ -29,4 +29,10 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - server auth
+    - client auth
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml

@@ -19,4 +19,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - client auth
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl

@@ -54,6 +54,7 @@ spec:
                   - signing
                   - key encipherment
                   - server auth
+                  - client auth
                   validity: {{ $certValidityStr }}
                 {{- if .Values.hubble.relay.enabled }}
                 - name: hubble-relay-client-certs

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.2"
+  tag: "v1.16.3"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
+  digest: "sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1309,9 +1309,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.2"
+      tag: "v1.16.3"
       # hubble-relay-digest
-      digest: "sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c"
+      digest: "sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2158,9 +2158,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047"
+    tag: "v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f"
+    digest: "sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2474,15 +2474,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.2"
+    tag: "v1.16.3"
     # operator-generic-digest
-    genericDigest: "sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a"
+    genericDigest: "sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b"
     # operator-azure-digest
-    azureDigest: "sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727"
+    azureDigest: "sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542"
     # operator-aws-digest
-    awsDigest: "sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd"
+    awsDigest: "sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716"
+    alibabacloudDigest: "sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2756,9 +2756,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.2"
+    tag: "v1.16.3"
     # cilium-digest
-    digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
+    digest: "sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2905,9 +2905,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.2"
+      tag: "v1.16.3"
       # clustermesh-apiserver-digest
-      digest: "sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73"
+      digest: "sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.2
+ARG VERSION=v1.16.3
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values.yaml

@@ -12,7 +12,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.2
-    digest: "sha256:534c5b04fef356a6be59234243c23c0c09702fe1e2c8872012afb391ce2965c4"
+    tag: 1.16.3
+    digest: "sha256:a2a37ab3ea769b85703478f1f46c3fd9696fc7037b73b0a3ba5c53821f4791a7"
   envoy:
     enabled: false

packages/system/clickhouse-operator/values.yaml

@@ -4,3 +4,7 @@ altinity-clickhouse-operator:
       config.yaml:
         watch:
           namespaces: [".*"]
+        clickhouse:
+          configuration:
+            network:
+              hostRegexpTemplate: "(chi-{chi}-[^.]+\\d+-\\d+|clickhouse\\-{chi})\\.{namespace}\\.svc\\.cozy\\.local$"

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.16.5
+      tag: v0.17.0
       digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.16.5
-      digest: "sha256:126bb6955ff142e7e00e712c037f3e97bd39b360641fba0b8ca8bc083d5e8224"
+      tag: v0.17.0
+      digest: "sha256:c7d809d5ef2d57dba3d5e977e310866b2c897e9362d717de8c394f22c6dbf0fc"