Add alerts from kubermatic

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-04 07:55:51 +00:00 · 2024-09-27 17:29:02 +02:00
256 changed files with 9532 additions and 22184 deletions
--- a/1
+++ b/1
@@ -10,7 +10,6 @@ build:
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/system/kamaji image
-	make -C packages/system/bucket image
 	make -C packages/core/testing image
 	make -C packages/core/installer image
 	make manifests
--- a/hack/e2e.sh
+++ b/hack/e2e.sh
@@ -36,7 +36,7 @@ mkdir -p srv1 srv2 srv3

 # Prepare cloud-init
 for i in 1 2 3; do
-  echo "hostname: srv$i" > "srv$i/meta-data"
+  echo "local-hostname: srv$i" > "srv$i/meta-data"
  echo '#cloud-config' > "srv$i/user-data"
  cat > "srv$i/network-config" <<EOT
 version: 2
@@ -114,7 +114,7 @@ machine:
    - name: zfs
    - name: spl
  install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.8.0
+    image: ghcr.io/aenix-io/cozystack/talos:v1.7.1
  files:
  - content: |
      [plugins]
@@ -182,7 +182,7 @@ timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 5
 talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11

 # Wait for etcd
-timeout 180 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'

 rm -f kubeconfig
 talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
@@ -217,10 +217,6 @@ timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done'
 sleep 5

 kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
-
-# Wait for Cluster-API providers
-kubectl wait deploy --timeout=30s --for=condition=available -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager
-
 # Wait for linstor controller
 kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller

--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -68,7 +68,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.4"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -87,7 +87,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.4"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/bucket/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/bucket/templates/dashboard-resourcemap.yaml
@@ -9,12 +9,4 @@ rules:
  - secrets
  resourceNames:
  - {{ .Release.Name }}
-  - {{ .Release.Name }}-credentials
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  resourceNames:
-  - {{ .Release.Name }}-ui
  verbs: ["get", "list", "watch"]
--- a/packages/apps/bucket/templates/helmrelease.yaml
+++ b/packages/apps/bucket/templates/helmrelease.yaml
@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Release.Name }}-system
-spec:
-  chart:
-    spec:
-      chart: cozy-bucket
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '*'
-  interval: 1m0s
-  timeout: 5m0s
-  values:
-    bucketName: {{ .Release.Name }}
--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ b/packages/apps/ferretdb/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:cd744b2d1d50191f4908f2db83079b32973d1c009fe9468627be72efbfa0a107
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -76,5 +76,3 @@ spec:
        metadata:
         labels:
           policy.cozystack.io/allow-to-apiserver: "true"
-      spec:
-        enableServiceLinks: false
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.0
+version: 0.11.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.12.0@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:latest@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.12.0@sha256:df4a937b6fb2b345110174227170691d48189ffe1900c3f848cd5085990a58df
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:latest@sha256:735aa8092501fc0f2904b685b15bc0137ea294cb08301ca1185d3dec5f467f0f
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.12.0@sha256:86029548078960feecca116087b2135230d676b83c503f292eb50e1199be2790
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:latest@sha256:e56b46591cdf9140e97c3220a0c2681aadd4a4b3f7ea8473fb2504dc96e8b53a
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:1f249fbe52821a62f706c6038b13401234e1b758ac498e53395b8f9a642b015f
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:5ce80a453073c4f44347409133fc7b15f1d2f37a564d189871a4082fc552ff0f
--- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
+++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
@@ -16,7 +16,6 @@ spec:
        app: {{ .Release.Name }}-cluster-autoscaler
        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
-      enableServiceLinks: false
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -210,26 +210,6 @@ spec:
        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
        namespace: default
      version: v1.30.1
---
-apiVersion: cluster.x-k8s.io/v1beta1
-kind: MachineHealthCheck
-metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ $.Release.Namespace }}
-spec:
-  clusterName: {{ $.Release.Name }}
-  nodeStartupTimeout: 10m
-  selector:
-    matchLabels:
-      cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
-      cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
-  unhealthyConditions:
-  - type: Ready
-    status: Unknown
-    timeout: 30s
-  - type: Ready
-    status: "False"
-    timeout: 30s
 {{- end }}
 ---
 {{- /*
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -15,7 +15,6 @@ spec:
        app: {{ .Release.Name }}-kcsi-driver
        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
-      enableServiceLinks: false
      serviceAccountName: {{ .Release.Name }}-kcsi
      priorityClassName: system-cluster-critical
      tolerations:
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -30,6 +30,7 @@ spec:
      retries: -1
  values:
    cilium:
+      tunnel: disabled
      k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
      k8sServicePort: 6443
      routingMode: tunnel
--- a/packages/apps/kubernetes/templates/kccm/manager.yaml
+++ b/packages/apps/kubernetes/templates/kccm/manager.yaml
@@ -15,7 +15,6 @@ spec:
        k8s-app: {{ .Release.Name }}-kccm
        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
-      enableServiceLinks: false
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:fa2b3195521cffa55eb6d71a50b875d3c234a45e5dff71b2b9002674175bea93
--- a/packages/apps/postgres/images/postgres-backup.tag
+++ b/packages/apps/postgres/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -10,9 +10,7 @@ spec:
  postgresql:
    parameters:
      max_wal_senders: "30"
-      {{- with .Values.postgresql.parameters.max_connections }}
-      max_connections: "{{ . }}"
-      {{- end }}
+      max_connections: “{{ .Values.postgresql.parameters.max_connections }}”

  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -29,9 +29,9 @@
                    "type": "object",
                    "properties": {
                        "max_connections": {
-                            "type": "number",
+                            "type": "string",
                            "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
-                            "default": 100
+                            "default": "100"
                        }
                    }
                }
@@ -103,4 +103,4 @@
            }
        }
    }
-}
+}
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -14,7 +14,7 @@ storageClass: ""
 ## @param postgresql.parameters.max_connections Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections
 postgresql:
  parameters:
-    max_connections: 100
+    max_connections: "100"

 ## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
--- a/packages/apps/rabbitmq/Chart.yaml
+++ b/packages/apps/rabbitmq/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.4.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/rabbitmq/templates/rabbitmq.yaml
+++ b/packages/apps/rabbitmq/templates/rabbitmq.yaml
@@ -16,8 +16,6 @@ spec:
    statefulSet:
      spec:
        template:
-          spec:
-            enableServiceLinks: false
          metadata:
            labels:
              policy.cozystack.io/allow-to-apiserver: "true"
@@ -49,7 +47,7 @@ metadata:
    config: '{{ printf "%s %s" $user $password | sha256sum }}'
 spec:
  importCredentialsSecret:
-    name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
+    name: {{ $.Release.Name }}-{{ $user }}-credentials
  rabbitmqClusterReference:
    name: {{ $.Release.Name }}
 ---
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -31,10 +31,7 @@ kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
 kubernetes 0.9.0 9b6dd19
-kubernetes 0.10.0 ac5c38b
-kubernetes 0.11.0 4eaca42
-kubernetes 0.11.1 4f430a90
-kubernetes 0.12.0 HEAD
+kubernetes 0.10.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -51,14 +48,12 @@ postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
 postgres 0.5.0 c07c4bbd
 postgres 0.6.0 2a4768a
-postgres 0.6.2 54fd61c
-postgres 0.7.0 HEAD
+postgres 0.6.2 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
 rabbitmq 0.4.0 36d8855
-rabbitmq 0.4.1 35536bb
-rabbitmq 0.4.2 HEAD
+rabbitmq 0.4.1 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD
--- a/packages/core/installer/images/talos/profiles/initramfs.yaml
+++ b/packages/core/installer/images/talos/profiles/initramfs.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: initramfs
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/installer.yaml
+++ b/packages/core/installer/images/talos/profiles/installer.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: installer
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/iso.yaml
+++ b/packages/core/installer/images/talos/profiles/iso.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: iso
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/kernel.yaml
+++ b/packages/core/installer/images/talos/profiles/kernel.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: kernel
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/metal.yaml
+++ b/packages/core/installer/images/talos/profiles/metal.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.0
+version: v1.7.6
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.0
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.16.4@sha256:e2de79d1dd00a95a6876f6e4daf281eb27e8cc9d57fa2e9ea137192b544d38a7
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.15.0@sha256:aeff26a80f84b4323578e613b3bf03caa842d617ec8d9ca98706867c1e70609f
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -29,7 +29,6 @@ releases:
      enableIdentityMark: true
      ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
      autoDirectNodeRoutes: true
-      routingMode: native

 - name: cert-manager
  releaseName: cert-manager
@@ -140,19 +139,4 @@ releases:
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
-  optional: true
  dependsOn: []
-
- name: external-dns
-  releaseName: external-dns
-  chart: cozy-external-dns
-  namespace: cozy-external-dns
-  optional: true
-  dependsOn: [cilium]
-
- name: external-secrets-operator
-  releaseName: external-secrets-operator
-  chart: cozy-external-secrets-operator
-  namespace: cozy-external-secrets-operator
-  optional: true
-  dependsOn: [cilium]
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -91,19 +91,4 @@ releases:
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
-  optional: true
-  dependsOn: []
-
- name: external-dns
-  releaseName: external-dns
-  chart: cozy-external-dns
-  namespace: cozy-external-dns
-  optional: true
-  dependsOn: [] 
-
- name: external-secrets-operator
-  releaseName: external-secrets-operator
-  chart: cozy-external-secrets-operator
-  namespace: cozy-external-secrets-operator
-  optional: true
  dependsOn: []
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -175,7 +175,6 @@ releases:
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
-  optional: true
  dependsOn: [cilium,kubeovn]

 - name: dashboard
@@ -217,17 +216,3 @@ releases:
  namespace: cozy-cluster-api
  privileged: true
  dependsOn: [cilium,kubeovn,capi-operator]
-
- name: external-dns
-  releaseName: external-dns
-  chart: cozy-external-dns
-  namespace: cozy-external-dns
-  optional: true
-  dependsOn: [cilium,kubeovn]
-
- name: external-secrets-operator
-  releaseName: external-secrets-operator
-  chart: cozy-external-secrets-operator
-  namespace: cozy-external-secrets-operator
-  optional: true
-  dependsOn: [cilium,kubeovn]
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -97,21 +97,6 @@ releases:
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
-  optional: true
-  dependsOn: []
-
- name: external-dns
-  releaseName: external-dns
-  chart: cozy-external-dns
-  namespace: cozy-external-dns
-  optional: true
-  dependsOn: [cilium,kubeovn]
-
- name: external-secrets-operator
-  releaseName: external-secrets-operator
-  chart: cozy-external-secrets-operator
-  namespace: cozy-external-secrets-operator
-  optional: true
  dependsOn: []

 - name: dashboard
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -3,7 +3,6 @@
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $dependencyNamespaces := dict }}
 {{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
-{{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}

 {{/* collect dependency namespaces from releases */}}
 {{- range $x := $bundle.releases }}
@@ -12,7 +11,6 @@

 {{- range $x := $bundle.releases }}
 {{- if not (has $x.name $disabledComponents) }}
-{{- if or (not $x.optional) (and ($x.optional) (has $x.name $enabledComponents)) }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -67,4 +65,3 @@ spec:
  {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -1,23 +1,17 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
-{{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
-{{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
 {{- $namespaces := dict }}

 {{/* collect namespaces from releases */}}
 {{- range $x := $bundle.releases }}
-  {{- if not (hasKey $namespaces $x.namespace) }}
-    {{- if not (has $x.name $disabledComponents) }}
-      {{- if and ($x.optional) (has $x.name $enabledComponents) }}
-        {{- $_ := set $namespaces $x.namespace false }}
-      {{- end }}
-    {{- end }}
-  {{- end }}
-  {{/* if at least one release requires a privileged namespace, then it should be privileged */}}
-  {{- if or $x.privileged (index $namespaces $x.namespace) }}
-    {{- $_ := set $namespaces $x.namespace true }}
-  {{- end }}
+{{- if not (hasKey $namespaces $x.namespace) }}
+{{- $_ := set $namespaces $x.namespace false }}
+{{- end }}
+{{/* if at least one release requires a privileged namespace, then it should be privileged */}}
+{{- if or $x.privileged (index $namespaces $x.namespace) }}
+{{- $_ := set $namespaces $x.namespace true }}
+{{- end }}
 {{- end }}

 {{/* Add extra namespaces */}}
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.16.4@sha256:25b298d621ec79431d106184d59849bbae634588742583d111628126ad8615c5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.15.0@sha256:20cc84e4a11db31434881355c070113a7823501a28a6114ca02830b18607ad21
--- a/packages/extra/ingress/templates/dashboard.yaml
+++ b/packages/extra/ingress/templates/dashboard.yaml
@@ -1,36 +1,29 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
-
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}  
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}  
-
-{{- if .Values.dashboard }}  
-apiVersion: networking.k8s.io/v1  
-kind: Ingress  
-metadata:  
-  annotations:  
-    cert-manager.io/cluster-issuer: letsencrypt-prod  
-    {{- if eq $issuerType "cloudflare" }} 
-    {{- else }}  
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}  
-    {{- end }}  
-  name: dashboard-{{ .Release.Namespace }}  
-  namespace: cozy-dashboard  
-spec:  
-  ingressClassName: {{ .Release.Namespace }}  
-  rules:  
-  - host: dashboard.{{ $host }}  
-    http:  
-      paths:  
-      - backend:  
-          service:  
-            name: dashboard  
-            port:  
-              number: 80  
-        path: /  
-        pathType: Prefix  
-  tls:  
-  - hosts:  
-    - dashboard.{{ $host }}  
-    secretName: dashboard-{{ .Release.Namespace }}-tls  
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- if .Values.dashboard }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    acme.cert-manager.io/http01-ingress-class: tenant-root
+  name: dashboard-{{ .Release.Namespace }}
+  namespace: cozy-dashboard
+spec:
+  ingressClassName: {{ .Release.Namespace }}
+  rules:
+  - host: dashboard.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: dashboard
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - dashboard.{{ $host }}
+    secretName: dashboard-{{ .Release.Namespace }}-tls
 {{- end }}
--- a/packages/extra/monitoring/Chart.yaml
+++ b/packages/extra/monitoring/Chart.yaml
@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.0
+version: 1.4.0
--- a/packages/extra/monitoring/templates/alerta/alerta.yaml
+++ b/packages/extra/monitoring/templates/alerta/alerta.yaml
@@ -1,6 +1,3 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
-
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -148,18 +145,16 @@ metadata:
  labels:
    app: alerta
  annotations:
-    {{- if ne $issuerType "cloudflare" }} 
    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
-    {{- end }} 
    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
  ingressClassName: {{ $ingress }}
  tls:
    - hosts:
-        - "{{ printf "alerta.%s" (.Values.host | default $host) }}"
+        - "{{ .Values.host | default (printf "alerta.%s" $host) }}"
      secretName: alerta-tls
  rules:
-    - host: "{{ printf "alerta.%s" (.Values.host | default $host) }}"
+    - host: "{{ .Values.host | default (printf "alerta.%s" $host) }}"
      http:
        paths:
          - path: /
--- a/packages/extra/monitoring/templates/grafana/grafana.yaml
+++ b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -1,6 +1,3 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
-
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -25,7 +22,7 @@ spec:
      password: ${GF_DATABASE_PASSWORD}
      #ssl_mode: require
    server:
-      root_url: "https://{{ printf "grafana.%s" (.Values.host | default $host) }}"
+      root_url: "https://{{ .Values.host | default (printf "grafana.%s" $host) }}"
    security:
      admin_user: user
      admin_password: ${GF_PASSWORD}
@@ -93,14 +90,12 @@ spec:
  ingress:
    metadata:
      annotations:
-        {{- if ne $issuerType "cloudflare" }}
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"  
-        {{- end }}
+        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      ingressClassName: "{{ $ingress }}"
      rules:
-        - host: "{{ printf "grafana.%s" (.Values.host | default $host) }}"
+        - host: "{{ .Values.host | default (printf "grafana.%s" $host) }}"
          http:
            paths:
              - backend:
@@ -112,5 +107,5 @@ spec:
                pathType: Prefix
      tls:
      - hosts:
-        - "{{ printf "grafana.%s" (.Values.host | default $host) }}"
+        - "{{ .Values.host | default (printf "grafana.%s" $host) }}"
        secretName: grafana-ingress-tls
--- a/packages/extra/seaweedfs/Chart.yaml
+++ b/packages/extra/seaweedfs/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/extra/seaweedfs/templates/seaweedfs.yaml
+++ b/packages/extra/seaweedfs/templates/seaweedfs.yaml
@@ -38,10 +38,6 @@ spec:
          storageClass: {{ . }}
          {{- end }}
          maxVolumes: 0
-
-      filer:
-        s3:
-          domainName: {{ .Values.host | default (printf "s3.%s" $host) }}
      
      s3:
        ingress:
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -12,8 +12,6 @@ monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
-monitoring 1.4.0 adaf603b
-monitoring 1.5.0 HEAD
+monitoring 1.4.0 HEAD
 seaweedfs 0.1.0 5ca8823
-seaweedfs 0.2.0 9e33dc0
-seaweedfs 0.2.1 HEAD
+seaweedfs 0.2.0 HEAD
--- a/packages/system/bucket/.helmignore
+++ b/packages/system/bucket/.helmignore
@@ -1,2 +0,0 @@
-hack
-.gitkeep
--- a/packages/system/bucket/Chart.yaml
+++ b/packages/system/bucket/Chart.yaml
@@ -1,3 +0,0 @@
-apiVersion: v2
-name: cozy-bucket
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/bucket/Makefile
+++ b/packages/system/bucket/Makefile
@@ -1,25 +0,0 @@
-S3MANAGER_TAG=v0.5.0
-
-export NAME=s3manager-system
-
-include ../../../scripts/common-envs.mk
-include ../../../scripts/package.mk
-
-update:
-	rm -rf charts
-	helm pull oci://ghcr.io/aenix-io/charts/etcd-operator --untar --untardir charts
-
-image: image-s3manager
-
-image-s3manager:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/s3manager \
-		--provenance false \
-		--tag $(REGISTRY)/s3manager:$(call settag,$(S3MANAGER_TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/s3manager:latest \
-		--cache-to type=inline \
-		--metadata-file images/s3manager.json \
-		--push=$(PUSH) \
-		--load=$(LOAD)
-	echo "$(REGISTRY)/s3manager:$(call settag,$(S3MANAGER_TAG))@$$(yq e '."containerimage.digest"' images/s3manager.json -o json -r)" \
-		> images/s3manager.tag
-	rm -f images/s3manager.json
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +0,0 @@
-ghcr.io/aenix-io/cozystack/s3manager:latest@sha256:7a1a0864f823dc3343d79dffa44ab73f77f0e1b3642a0fe0fa29b280c3184a9b
--- a/packages/system/bucket/images/s3manager/Dockerfile
+++ b/packages/system/bucket/images/s3manager/Dockerfile
@@ -1,20 +0,0 @@
-# Source: https://github.com/cloudlena/s3manager/blob/main/Dockerfile
-
-FROM docker.io/library/golang:1 AS builder
-WORKDIR /usr/src/app
-RUN wget -O- https://github.com/cloudlena/s3manager/archive/9a7c8e446b422f8973b8c461990f39fdafee9c27.tar.gz | tar -xzf- --strip 1
-ADD cozystack.patch /
-RUN git apply /cozystack.patch
-RUN CGO_ENABLED=0 go build -ldflags="-s -w" -a -installsuffix cgo -o bin/s3manager
-
-FROM docker.io/library/alpine:latest
-WORKDIR /usr/src/app
-RUN addgroup -S s3manager && adduser -S s3manager -G s3manager
-RUN apk add --no-cache \
-  ca-certificates \
-  dumb-init
-COPY --from=builder --chown=s3manager:s3manager /usr/src/app/bin/s3manager ./
-USER s3manager
-EXPOSE 8080
-ENTRYPOINT [ "/usr/bin/dumb-init", "--" ]
-CMD [ "/usr/src/app/s3manager" ]
--- a/packages/system/bucket/images/s3manager/cozystack.patch
+++ b/packages/system/bucket/images/s3manager/cozystack.patch
@@ -1,26 +0,0 @@
-diff --git a/web/template/bucket.html.tmpl b/web/template/bucket.html.tmpl
-index e2f8d28..87add13 100644
--- a/web/template/bucket.html.tmpl
-+++ b/web/template/bucket.html.tmpl
-@@ -13,7 +13,7 @@
- 
- <nav class="nav-extended">
-     <div class="nav-wrapper container">
-        <a href="/buckets/{{$.BucketName}}" class="brand-logo center"><i class="material-icons">folder_open</i>{{ .BucketName }}</a>
-+        <a href="/" class="brand-logo">Cozystack S3 Manager</a>
-         {{ if not .Objects }}
-         <ul class="right">
-             <li>
-diff --git a/web/template/buckets.html.tmpl b/web/template/buckets.html.tmpl
-index c7ea184..fb1dce7 100644
--- a/web/template/buckets.html.tmpl
-+++ b/web/template/buckets.html.tmpl
-@@ -1,7 +1,7 @@
- {{ define "content" }}
- <nav>
-     <div class="nav-wrapper container">
-        <a href="/" class="brand-logo">S3 Manager</a>
-+        <a href="/" class="brand-logo">Cozystack S3 Manager</a>
-     </div>
- </nav>
- 
--- a/packages/system/bucket/templates/deployment.yaml
+++ b/packages/system/bucket/templates/deployment.yaml
@@ -1,35 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Values.bucketName }}-ui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: {{ .Values.bucketName }}-ui
-  template:
-    metadata:
-      labels:
-        app: {{ .Values.bucketName }}-ui
-    spec:
-      containers:
-      - name: s3manager
-        image: "{{ $.Files.Get "images/s3manager.tag" | trim }}"
-        env:
-        - name: ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.bucketName }}-credentials
-              key: endpoint
-        - name: SKIP_SSL_VERIFICATION
-          value: "true"
-        - name: ACCESS_KEY_ID
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.bucketName }}-credentials
-              key: accessKey
-        - name: SECRET_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.bucketName }}-credentials
-              key: secretKey
--- a/packages/system/bucket/templates/ingress.yaml
+++ b/packages/system/bucket/templates/ingress.yaml
@@ -1,28 +0,0 @@
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .Values.bucketName }}-ui
-  annotations:
-    nginx.ingress.kubernetes.io/auth-type: "basic"
-    nginx.ingress.kubernetes.io/auth-secret: "{{ .Values.bucketName }}-ui-auth"
-    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "99999"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "99999"
-spec:
-  ingressClassName: {{ $ingress }}
-  rules:
-  - host: {{ .Values.bucketName }}.{{ $host }}
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.bucketName }}-ui
-            port:
-              number: 8080
--- a/packages/system/bucket/templates/secret.yaml
+++ b/packages/system/bucket/templates/secret.yaml
@@ -1,22 +0,0 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace .Values.bucketName }}
-{{- $bucketInfo := fromJson (b64dec (index $existingSecret.data "BucketInfo")) }}
-{{- $accessKeyID := index $bucketInfo.spec.secretS3 "accessKeyID" }}
-{{- $accessSecretKey := index $bucketInfo.spec.secretS3 "accessSecretKey" }}
-{{- $endpoint := index $bucketInfo.spec.secretS3 "endpoint" }}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.bucketName }}-credentials
-type: Opaque
-stringData:
-  accessKey: {{ $accessKeyID | quote }}
-  secretKey: {{ $accessSecretKey | quote }}
-  endpoint: {{ trimPrefix "https://" $endpoint }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.bucketName }}-ui-auth
-data:
-  auth: {{ htpasswd $accessKeyID $accessSecretKey | b64enc | quote }}
--- a/packages/system/bucket/templates/service.yaml
+++ b/packages/system/bucket/templates/service.yaml
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Values.bucketName }}-ui
-spec:
-  selector:
-    app: {{ .Values.bucketName }}-ui
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 8080
-  type: ClusterIP
--- a/packages/system/bucket/values.yaml
+++ b/packages/system/bucket/values.yaml
@@ -1 +0,0 @@
-bucketName: ""
--- a/packages/system/capi-operator/values.yaml
+++ b/packages/system/capi-operator/values.yaml
@@ -1,9 +0,0 @@
-cluster-api-operator:
-  resources:
-    manager:
-      limits:
-        cpu: 200m
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 100Mi
--- a/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml
+++ b/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml
@@ -1,57 +1,35 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
-
-apiVersion: cert-manager.io/v1 
-kind: ClusterIssuer  
-metadata:  
-  name: letsencrypt-prod  
-spec:  
-  acme:  
-    privateKeySecretRef:  
-      name: letsencrypt-prod  
-    server: https://acme-v02.api.letsencrypt.org/directory  
-    solvers:  
-    - {{- if eq $issuerType "cloudflare" }}  
-        dns01:  
-          cloudflare:  
-            apiTokenSecretRef:  
-              name: cloudflare-api-token-secret  
-              key: api-token  
-      {{- else }}  
-        http01:  
-          ingress:  
-            class: nginx  
-      {{- end }}  
-
---  
-
-apiVersion: cert-manager.io/v1  
-kind: ClusterIssuer  
-metadata:  
-  name: letsencrypt-stage  
-spec:  
-  acme:  
-    privateKeySecretRef:  
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+  name: letsencrypt-prod
+spec:
+  acme:
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-stage
+spec:
+  acme:
+    privateKeySecretRef:
      name: letsencrypt-stage
-    server: https://acme-staging-v02.api.letsencrypt.org/directory  
-    solvers:  
-    - {{- if eq $issuerType "cloudflare" }}  
-        dns01:  
-          cloudflare:  
-            apiTokenSecretRef:  
-              name: cloudflare-api-token-secret  
-              key: api-token  
-      {{- else }}  
-        http01:  
-          ingress:  
-            class: nginx  
-      {{- end }}  
-
---  
-
-apiVersion: cert-manager.io/v1  
-kind: ClusterIssuer  
-metadata:  
-  name: selfsigned-cluster-issuer  
-spec:  
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
  selfSigned: {}
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -79,7 +79,7 @@ annotations:
    Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
    be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.2
+appVersion: 1.16.1
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.2
+version: 1.16.1
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium

-![Version: 1.16.2](https://img.shields.io/badge/Version-1.16.2-informational?style=flat-square) ![AppVersion: 1.16.2](https://img.shields.io/badge/AppVersion-1.16.2-informational?style=flat-square)
+![Version: 1.16.1](https://img.shields.io/badge/Version-1.16.1-informational?style=flat-square) ![AppVersion: 1.16.1](https://img.shields.io/badge/AppVersion-1.16.1-informational?style=flat-square)

 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.2","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.1","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -484,7 +484,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.2","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.1","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -590,7 +590,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -717,7 +717,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716","awsDigest":"sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd","azureDigest":"sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727","genericDigest":"sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.2","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804","awsDigest":"sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4","azureDigest":"sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22","genericDigest":"sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.1","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -767,7 +767,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -26,6 +26,10 @@ spec:
  template:
    metadata:
      annotations:
+        {{- if and .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
+        prometheus.io/port: "{{ .Values.envoy.prometheus.port }}"
+        prometheus.io/scrape: "true"
+        {{- end }}
        {{- if .Values.envoy.rollOutPods }}
        # ensure pods roll when configmap updates
        cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml
@@ -1,33 +0,0 @@
-{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
-{{- if and $envoyDS (not .Values.preflight.enabled) .Values.envoy.prometheus.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: cilium-envoy
-  namespace: {{ .Release.Namespace }}
-  {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }}
-  annotations:
-  {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
-    prometheus.io/scrape: "true"
-    prometheus.io/port: {{ .Values.envoy.prometheus.port | quote }}
-  {{- end }}
-  {{- with .Values.envoy.annotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- end }}
-  labels:
-    k8s-app: cilium-envoy
-    app.kubernetes.io/name: cilium-envoy
-    app.kubernetes.io/part-of: cilium
-    io.cilium/app: proxy
-spec:
-  clusterIP: None
-  type: ClusterIP
-  selector:
-    k8s-app: cilium-envoy
-  ports:
-  - name: envoy-metrics
-    port: {{ .Values.envoy.prometheus.port }}
-    protocol: TCP
-    targetPort: envoy-metrics
-{{- end }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
@@ -362,7 +362,7 @@ spec:
              name: cilium-clustermesh
              optional: true
              # note: items are not explicitly listed here, since the entries of this secret
-              # depend on the peers configured, and that would cause a restart of all operators
+              # depend on the peers configured, and that would cause a restart of all agents
              # at every addition/removal. Leaving the field empty makes each secret entry
              # to be automatically projected into the volume as a file whose name is the key.
          - secret:
@@ -384,28 +384,5 @@ spec:
              - key: {{ .Values.tls.caBundle.key }}
                path: common-etcd-client-ca.crt
          {{- end }}
-          # note: we configure the volume for the kvstoremesh-specific certificate
-          # regardless of whether KVStoreMesh is enabled or not, so that it can be
-          # automatically mounted in case KVStoreMesh gets subsequently enabled,
-          # without requiring an operator restart.
-          - secret:
-              name: clustermesh-apiserver-local-cert
-              optional: true
-              items:
-              - key: tls.key
-                path: local-etcd-client.key
-              - key: tls.crt
-                path: local-etcd-client.crt
-          {{- if not .Values.tls.caBundle.enabled }}
-              - key: ca.crt
-                path: local-etcd-client-ca.crt
-          {{- else }}
-          - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
-              name: {{ .Values.tls.caBundle.name }}
-              optional: true
-              items:
-              - key: {{ .Values.tls.caBundle.key }}
-                path: local-etcd-client-ca.crt
-          {{- end }}
      {{- end }}
 {{- end }}
--- a/packages/system/cilium/charts/cilium/templates/validate.yaml
+++ b/packages/system/cilium/charts/cilium/templates/validate.yaml
@@ -1,47 +1,3 @@
-{{/* validate deprecated options are not being used */}}
-
-{{/* Options deprecated in v1.15 and removed in v1.16 */}}
-{{- if or
-  (dig "encryption" "keyFile" "" .Values.AsMap)
-  (dig "encryption" "mountPath" "" .Values.AsMap)
-  (dig "encryption" "secretName" "" .Values.AsMap)
-  (dig "encryption" "interface" "" .Values.AsMap)
-}}
-  {{ fail "encryption.{keyFile,mountPath,secretName,interface} were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if or
-  ((dig "proxy" "prometheus" "enabled" "" .Values.AsMap) | toString)
-  (dig "proxy" "prometheus" "port" "" .Values.AsMap)
-}}
-  {{ fail "proxy.prometheus.enabled and proxy.prometheus.port were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if (dig "endpointStatus" "" .Values.AsMap) }}
-  {{ fail "endpointStatus has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if (dig "remoteNodeIdentity" "" .Values.AsMap) }}
-  {{ fail "remoteNodeIdentity was deprecated in v1.15 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if (dig "containerRuntime" "integration" "" .Values.AsMap) }}
-  {{ fail "containerRuntime.integration was deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if (dig "etcd" "managed" "" .Values.AsMap) }}
-  {{ fail "etcd.managed was deprecated in v1.10 has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
-{{- end }}
-
-{{/* Options deprecated in v1.14 and removed in v1.15 */}}
-{{- if .Values.tunnel }}
-  {{ fail "tunnel was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if or (dig "clustermesh" "apiserver" "tls" "ca" "cert" "" .Values.AsMap) (dig "clustermesh" "apiserver" "tls" "ca" "key" "" .Values.AsMap) }}
-  {{ fail "clustermesh.apiserver.tls.ca.cert and clustermesh.apiserver.tls.ca.key were deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if .Values.enableK8sEventHandover }}
-  {{ fail "enableK8sEventHandover was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
-{{- end }}
-{{- if .Values.enableCnpStatusUpdates }}
-  {{ fail "enableCnpStatusUpdates was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
-{{- end }}
-
 {{/* validate hubble config */}}
 {{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
  {{- if not .Values.hubble.relay.enabled }}
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -153,10 +153,10 @@ image:
  # @schema
  override: ~
  repository: "quay.io/cilium/cilium"
-  tag: "v1.16.2"
+  tag: "v1.16.1"
  pullPolicy: "IfNotPresent"
  # cilium-digest
-  digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
+  digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
  useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1309,9 +1309,9 @@ hubble:
      # @schema
      override: ~
      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.2"
+      tag: "v1.16.1"
      # hubble-relay-digest
-      digest: "sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c"
+      digest: "sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
      useDigest: true
      pullPolicy: "IfNotPresent"
    # -- Specifies the resources for the hubble-relay pods
@@ -2158,9 +2158,9 @@ envoy:
    # @schema
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047"
+    tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51"
    pullPolicy: "IfNotPresent"
-    digest: "sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f"
+    digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
    useDigest: true
  # -- Additional containers added to the cilium Envoy DaemonSet.
  extraContainers: []
@@ -2474,15 +2474,15 @@ operator:
    # @schema
    override: ~
    repository: "quay.io/cilium/operator"
-    tag: "v1.16.2"
+    tag: "v1.16.1"
    # operator-generic-digest
-    genericDigest: "sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a"
+    genericDigest: "sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
    # operator-azure-digest
-    azureDigest: "sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727"
+    azureDigest: "sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22"
    # operator-aws-digest
-    awsDigest: "sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd"
+    awsDigest: "sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4"
    # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716"
+    alibabacloudDigest: "sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804"
    useDigest: true
    pullPolicy: "IfNotPresent"
    suffix: ""
@@ -2756,9 +2756,9 @@ preflight:
    # @schema
    override: ~
    repository: "quay.io/cilium/cilium"
-    tag: "v1.16.2"
+    tag: "v1.16.1"
    # cilium-digest
-    digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
+    digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
    useDigest: true
    pullPolicy: "IfNotPresent"
  # -- The priority class to use for the preflight pod.
@@ -2905,9 +2905,9 @@ clustermesh:
      # @schema
      override: ~
      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.2"
+      tag: "v1.16.1"
      # clustermesh-apiserver-digest
-      digest: "sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73"
+      digest: "sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f"
      useDigest: true
      pullPolicy: "IfNotPresent"
    # -- TCP port for the clustermesh-apiserver health API.
@@ -3406,7 +3406,7 @@ authentication:
          override: ~
          repository: "docker.io/library/busybox"
          tag: "1.36.1"
-          digest: "sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140"
+          digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"
          useDigest: true
          pullPolicy: "IfNotPresent"
        # SPIRE agent configuration
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.2
+ARG VERSION=v1.16.1
 FROM quay.io/cilium/cilium:${VERSION}
--- a/packages/system/cilium/values-kubeovn.yaml
+++ b/packages/system/cilium/values-kubeovn.yaml
@@ -15,4 +15,4 @@ cilium:
  enableIdentityMark: false
  enableRuntimeDeviceDetection: true
  forceDeviceDetection: true
-  devices: "ovn0 genev_sys_6081"
+  devices: ovn0
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -12,7 +12,7 @@ cilium:
    mode: "kubernetes"
  image:
    repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.2
-    digest: "sha256:534c5b04fef356a6be59234243c23c0c09702fe1e2c8872012afb391ce2965c4"
+    tag: 1.16.1
+    digest: "sha256:9593dbc3bd25487b52d8f43330d4a308e450605479a8384a32117e9613289892"
  envoy:
    enabled: false
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -33,11 +33,11 @@ kubeapps:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: dashboard
-      tag: v0.16.4
+      tag: v0.15.0
      digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
  kubeappsapis:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: kubeapps-apis
-      tag: v0.16.4
-      digest: "sha256:55bc8e2495933112c7cb4bb9e3b1fcb8df46aa14e27fa007f78388a9757e3238"
+      tag: v0.15.0
+      digest: "sha256:70c095c8f7e3ecfa11433a3a2c8f57f6ff5a0053f006939a2c171c180cc50baf"
--- a/packages/system/external-dns/.helmignore
+++ b/packages/system/external-dns/.helmignore
@@ -1,3 +0,0 @@
-images
-hack
-.gitkeep
--- a/packages/system/external-dns/Chart.yaml
+++ b/packages/system/external-dns/Chart.yaml
@@ -1,3 +0,0 @@
-apiVersion: v2
-name: cozy-external-dns
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/external-dns/Makefile
+++ b/packages/system/external-dns/Makefile
@@ -1,10 +0,0 @@
-export NAME=external-dns
-export NAMESPACE=cozy-$(NAME)
-
-include ../../../scripts/package.mk
-
-update:
-	rm -rf charts
-	helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
-	helm repo update external-dns
-	helm pull external-dns/external-dns --untar --untardir charts
--- a/packages/system/external-dns/charts/external-dns/.helmignore
+++ b/packages/system/external-dns/charts/external-dns/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/packages/system/external-dns/charts/external-dns/CHANGELOG.md
+++ b/packages/system/external-dns/charts/external-dns/CHANGELOG.md
@@ -1,219 +0,0 @@
-# ExternalDNS Helm Chart Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
---
-
-<!--
-### Added - For new features.
-### Changed - For changes in existing functionality.
-### Deprecated - For soon-to-be removed features.
-### Removed - For now removed features.
-### Fixed - For any bug fixes.
-### Security - In case of vulnerabilities.
-->
-
-## [UNRELEASED]
-
-## [v1.15.0] - 2023-09-10
-
-### Changed
-
- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
-
-### Fixed
-
- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_
-
-## [v1.14.5] - 2023-06-10
-
-### Added
-
- Added support for `extraContainers` argument. ([#4432](https://github.com/kubernetes-sigs/external-dns/pull/4432)) _@omerap12_
- Added support for setting `excludeDomains` argument.  ([#4380](https://github.com/kubernetes-sigs/external-dns/pull/4380)) _@bford-evs_
-
-### Changed
-
- Updated _ExternalDNS_ OCI image version to [v0.14.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.2). ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
- Updated `DNSEndpoint` CRD. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
- Changed the implementation for `revisionHistoryLimit` to be more generic. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
-
-### Fixed
-
- Fixed the `ServiceMonitor` job name to correctly use the instance label. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
-
-## [v1.14.4] - 2023-04-03
-
-### Added
-
- Added support for setting `dnsConfig`. ([#4265](https://github.com/kubernetes-sigs/external-dns/pull/4265)) _@davhdavh_
- Added support for `DNSEndpoint` CRD. ([#4322](https://github.com/kubernetes-sigs/external-dns/pull/4322)) _@onedr0p_
-
-### Changed
-
- Updated _ExternalDNS_ OCI image version to [v0.14.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.1). ([#4357](https://github.com/kubernetes-sigs/external-dns/pull/4357)) _@stevehipwell_
-
-## [v1.14.3] - 2023-01-26
-
-### Fixed
-
- Fixed args for webhook deployment. ([#4202](https://github.com/kubernetes-sigs/external-dns/pull/4202)) [@webwurst](https://github.com/webwurst)
- Fixed support for `gateway-grpcroute`, `gateway-tlsroute`, `gateway-tcproute` & `gateway-udproute`. ([#4205](https://github.com/kubernetes-sigs/external-dns/pull/4205)) [@orenlevi111](https://github.com/orenlevi111)
- Fixed incorrect implementation for setting the `automountServiceAccountToken`. ([#4208](https://github.com/kubernetes-sigs/external-dns/pull/4208)) [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.14.2] - 2024-01-22
-
-### Fixed
-
- Restore template support in `.Values.provider` and `.Values.provider.name`
-
-## [v1.14.1] - 2024-01-11
-
-### Fixed
-
- Fixed webhook install failure: `"http-webhook-metrics": must be no more than 15 characters`. ([#4173](https://github.com/kubernetes-sigs/external-dns/pull/4173)) [@gabe565](https://github.com/gabe565)
-
-## [v1.14.0] - 2024-01-10
-
-### Added
-
- Added the option to explicitly enable or disable service account token automounting. ([#3983](https://github.com/kubernetes-sigs/external-dns/pull/3983)) [@gilles-gosuin](https://github.com/gilles-gosuin)
- Added the option to configure revisionHistoryLimit on the K8s Deployment resource. ([#4008](https://github.com/kubernetes-sigs/external-dns/pull/4008)) [@arnisoph](https://github.com/arnisoph)
- Added support for webhook providers, as a sidecar. ([#4032](https://github.com/kubernetes-sigs/external-dns/pull/4032) [@mloiseleur](https://github.com/mloiseleur)
- Added the option to configure ipFamilyPolicy and ipFamilies of external-dns Service.  ([#4153](https://github.com/kubernetes-sigs/external-dns/pull/4153)) [@dongjiang1989](https://github.com/dongjiang1989)
-
-### Changed
-
- Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)
- Updated _ExternalDNS_ OCI image version to [v0.14.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.0). ([#4073](https://github.com/kubernetes-sigs/external-dns/pull/4073)) [@appkins](https://github.com/appkins)
-
-### Deprecated
-
- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values. ([#4161](https://github.com/kubernetes-sigs/external-dns/pull/4161)) [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.13.1] - 2023-09-07
-
-### Added
-
- Added RBAC for Traefik to ClusterRole. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3325)) [@ThomasK33](https://github.com/thomask33)
- Added support for init containers. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3838)) [@calvinbui](https://github.com/calvinbui)
-
-### Changed
-
- Disallowed privilege escalation in container security context and set the seccomp profile type to `RuntimeDefault`. ([#3689](https://github.com/kubernetes-sigs/external-dns/pull/3689)) [@nrvnrvn](https://github.com/nrvnrvn)
- Updated _ExternalDNS_ OCI image version to [v0.13.6](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.6). ([#3917](https://github.com/kubernetes-sigs/external-dns/pull/3917)) [@stevehipwell](https://github.com/stevehipwell)
-
-### Removed
-
- Removed RBAC rule for already removed `contour-ingressroute` source. ([#3764](https://github.com/kubernetes-sigs/external-dns/pull/3764)) [@johngmyers](https://github.com/johngmyers)
-
-## [v1.13.0] - 2023-03-30
-
-### All Changes
-
- Updated _ExternalDNS_ version to [v0.13.5](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.5). ([#3661](https://github.com/kubernetes-sigs/external-dns/pull/3661)) [@GMartinez-Sisti](https://github.com/GMartinez-Sisti)
- Adding missing gateway-httproute cluster role permission. ([#3541](https://github.com/kubernetes-sigs/external-dns/pull/3541)) [@nicon89](https://github.com/nicon89)
-
-## [v1.12.2] - 2023-03-30
-
-### All Changes
-
- Added support for ServiceMonitor relabelling. ([#3366](https://github.com/kubernetes-sigs/external-dns/pull/3366)) [@jkroepke](https://github.com/jkroepke)
- Updated chart icon path. ([#3492](https://github.com/kubernetes-sigs/external-dns/pull/3494)) [kundan2707](https://github.com/kundan2707)
- Added RBAC for Gateway-API resources to ClusterRole. ([#3499](https://github.com/kubernetes-sigs/external-dns/pull/3499)) [@michaelvl](https://github.com/MichaelVL)
- Added RBAC for F5 VirtualServer to ClusterRole. ([#3503](https://github.com/kubernetes-sigs/external-dns/pull/3503)) [@mikejoh](https://github.com/mikejoh)
- Added support for running ExternalDNS with namespaced scope. ([#3403](https://github.com/kubernetes-sigs/external-dns/pull/3403)) [@jkroepke](https://github.com/jkroepke)
- Updated _ExternalDNS_ version to [v0.13.4](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.4). ([#3516](https://github.com/kubernetes-sigs/external-dns/pull/3516)) [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.12.1] - 2023-02-06
-
-### All Changes
-
- Updated _ExternalDNS_ version to [v0.13.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.2). ([#3371](https://github.com/kubernetes-sigs/external-dns/pull/3371)) [@stevehipwell](https://github.com/stevehipwell)
- Added `secretConfiguration.subPath` to mount specific files from secret as a sub-path. ([#3227](https://github.com/kubernetes-sigs/external-dns/pull/3227)) [@jkroepke](https://github.com/jkroepke)
- Changed to use `registry.k8s.io` instead of `k8s.gcr.io`. ([#3261](https://github.com/kubernetes-sigs/external-dns/pull/3261)) [@johngmyers](https://github.com/johngmyers)
-
-## [v1.12.0] - 2022-11-29
-
-### All Changes
-
- Added ability to provide ExternalDNS with secret configuration via `secretConfiguration`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
- Added the ability to template `provider` & `extraArgs`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
- Added the ability to customise the service account labels. ([#3145](https://github.com/kubernetes-sigs/external-dns/pull/3145)) [@jkroepke](https://github.com/jkroepke)
- Updated _ExternalDNS_ version to [v0.13.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.1). ([#3197](https://github.com/kubernetes-sigs/external-dns/pull/3197)) [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.11.0] - 2022-08-10
-
-### Added
-
- Added support to configure `dnsPolicy` on the Helm chart deployment. [@michelzanini](https://github.com/michelzanini)
- Added ability to customise the deployment strategy. [mac-chaffee](https://github.com/mac-chaffee)
-
-### Changed
-
- Updated _ExternalDNS_ version to [v0.12.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.2). [@stevehipwell](https://github.com/stevehipwell)
- Changed default deployment strategy to `Recreate`. [mac-chaffee](https://github.com/mac-chaffee)
-
-## [v1.10.1] - 2022-07-11
-
-### Fixed
-
- Fixed incorrect addition of `namespace` to `ClusterRole` & `ClusterRoleBinding`. [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.10.0] - 2022-07-08
-
-### Added
-
- Added `commonLabels` value to allow the addition of labels to all resources. [@stevehipwell](https://github.com/stevehipwell)
- Added support for [Process Namespace Sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) via the `shareProcessNamespace`
- value. ([#2715](https://github.com/kubernetes-sigs/external-dns/pull/2715)) [@wolffberg](https://github.com/wolffberg)
-
-### Changed
-
- Update _ExternalDNS_ version to [v0.12.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.0). [@vojtechmares](https://github.com/vojtechmares)
- Set resource namespaces to `{{ .Release.Namespace }}` in the templates instead of waiting until apply time for inference. [@stevehipwell](https://github.com/stevehipwell)
- Fixed `rbac.additionalPermissions` default value.([#2796](https://github.com/kubernetes-sigs/external-dns/pull/2796)) [@tamalsaha](https://github.com/tamalsaha)
-
-## [v1.9.0] - 2022-04-19
-
-### Changed
-
- Update _ExternalDNS_ version to [v0.11.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.11.0). ([#2690](https://github.com/kubernetes-sigs/external-dns/pull/2690)) [@stevehipwell](https://github.com/stevehipwell)
-
-## [v1.8.0] - 2022-04-13
-
-### Added
-
- Add annotations to Deployment. ([#2477](https://github.com/kubernetes-sigs/external-dns/pull/2477)) [@beastob](https://github.com/beastob)
-
-### Changed
-
- Fix RBAC for `istio-virtualservice` source when `istio-gateway` isn't also added. ([#2564](https://github.com/kubernetes-sigs/external-dns/pull/2564)) [@mcwarman](https://github.com/mcwarman)
-
-<!--
-RELEASE LINKS
-->
-[UNRELEASED]: https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
-[v1.15.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.15.0
-[v1.14.5]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.5
-[v1.14.4]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.4
-[v1.14.3]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.3
-[v1.14.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.2
-[v1.14.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.1
-[v1.14.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.0
-[v1.13.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.1
-[v1.13.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.0
-[v1.12.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.2
-[v1.12.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.1
-[v1.12.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.0
-[v1.11.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.11.0
-[v1.10.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.1
-[v1.10.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.0
-[v1.9.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.9.0
-[v1.8.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.8.0
--- a/packages/system/external-dns/charts/external-dns/Chart.yaml
+++ b/packages/system/external-dns/charts/external-dns/Chart.yaml
@@ -1,33 +0,0 @@
-annotations:
-  artifacthub.io/changes: |
-    - kind: changed
-      description: "Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0)."
-    - kind: fixed
-      description: "Fixed `provider.webhook.resources` behavior to correctly leverage resource limits."
-    - kind: fixed
-      description: "Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy."
-    - kind: fixed
-      description: "Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`."
-    - kind: fixed
-      description: "Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes."
-apiVersion: v2
-appVersion: 0.15.0
-description: ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with
-  DNS providers.
-home: https://github.com/kubernetes-sigs/external-dns/
-icon: https://github.com/kubernetes-sigs/external-dns/raw/master/docs/img/external-dns.png
-keywords:
- kubernetes
- externaldns
- external-dns
- dns
- service
- ingress
-maintainers:
- email: steve.hipwell@gmail.com
-  name: stevehipwell
-name: external-dns
-sources:
- https://github.com/kubernetes-sigs/external-dns/
-type: application
-version: 1.15.0
--- a/packages/system/external-dns/charts/external-dns/README.md
+++ b/packages/system/external-dns/charts/external-dns/README.md
@@ -1,182 +0,0 @@
-# external-dns
-
-![Version: 1.15.0](https://img.shields.io/badge/Version-1.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
-
-ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.
-
-**Homepage:** <https://github.com/kubernetes-sigs/external-dns/>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| stevehipwell | <steve.hipwell@gmail.com> |  |
-
-## Source Code
-
-* <https://github.com/kubernetes-sigs/external-dns/>
-
-## Installing the Chart
-
-Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
-
-```shell
-helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
-```
-
-After you've installed the repo you can install the chart.
-
-```shell
-helm upgrade --install external-dns external-dns/external-dns --version 1.15.0
-```
-
-## Providers
-
-Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
-See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
-
-### Providers with Specific Configuration Support
-
-| Provider               | Supported  |
-|------------------------|------------|
-| `webhook`              | ✅         |
-
-### Other Providers
-
-For set up for a specific provider using the Helm chart, see the following links:
-
- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
-
-## Namespaced Scoped Installation
-
-external-dns supports running on a namespaced only scope, too.
-If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
-
-### Limited Supported
-
-Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
-For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
-Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
-namespaces as `external-dns`.
-
-The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
-
-If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
-
-### Support Matrix
-
-| Source                 | Supported  | Infos                  |
-|------------------------|------------|------------------------|
-| `ingress`              | ✅         |                        |
-| `istio-gateway`        | ✅         |                        |
-| `istio-virtualservice` | ✅         |                        |
-| `crd`                  | ✅         |                        |
-| `kong-tcpingress`      | ✅         |                        |
-| `openshift-route`      | ✅         |                        |
-| `skipper-routegroup`   | ✅         |                        |
-| `gloo-proxy`           | ✅         |                        |
-| `contour-httpproxy`    | ✅         |                        |
-| `service`              | ⚠️️         | NodePort not supported |
-| `node`                 | ❌         |                        |
-| `pod`                  | ❌         |                        |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` | Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
-| automountServiceAccountToken | bool | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`. |
-| commonLabels | object | `{}` | Labels to add to all chart resources. |
-| deploymentAnnotations | object | `{}` | Annotations to add to the `Deployment`. |
-| deploymentStrategy | object | `{"type":"Recreate"}` | [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). |
-| dnsConfig | object | `nil` | [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used. |
-| dnsPolicy | string | `nil` | [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used. |
-| domainFilters | list | `[]` |  |
-| env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container. |
-| excludeDomains | list | `[]` |  |
-| extraArgs | list | `[]` | Extra arguments to provide to _ExternalDNS_. |
-| extraContainers | object | `{}` | Extra containers to add to the `Deployment`. |
-| extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container. |
-| extraVolumes | list | `[]` | Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`. |
-| fullnameOverride | string | `nil` | Override the full name of the chart. |
-| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `external-dns` container. |
-| image.repository | string | `"registry.k8s.io/external-dns/external-dns"` | Image repository for the `external-dns` container. |
-| image.tag | string | `nil` | Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set. |
-| imagePullSecrets | list | `[]` | Image pull secrets. |
-| initContainers | list | `[]` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition. |
-| interval | string | `"1m"` | Interval for DNS updates. |
-| livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
-| logFormat | string | `"text"` | Log format. |
-| logLevel | string | `"info"` | Log level. |
-| nameOverride | string | `nil` | Override the name of the chart. |
-| namespaced | bool | `false` | if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too). |
-| nodeSelector | object | `{}` | Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
-| podAnnotations | object | `{}` | Annotations to add to the `Pod`. |
-| podLabels | object | `{}` | Labels to add to the `Pod`. |
-| podSecurityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation. |
-| policy | string | `"upsert-only"` | How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`. |
-| priorityClassName | string | `nil` | Priority class name for the `Pod`. |
-| provider.name | string | `"aws"` | _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers). |
-| provider.webhook.args | list | `[]` | Extra arguments to provide for the `webhook` container. |
-| provider.webhook.env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container. |
-| provider.webhook.extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container. |
-| provider.webhook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `webhook` container. |
-| provider.webhook.image.repository | string | `nil` | Image repository for the `webhook` container. |
-| provider.webhook.image.tag | string | `nil` | Image tag for the `webhook` container. |
-| provider.webhook.livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
-| provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
-| provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
-| provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
-| provider.webhook.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
-| provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
-| rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. |
-| rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
-| readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
-| registry | string | `"txt"` | Specify the registry for storing ownership and labels. Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`. |
-| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
-| revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
-| secretConfiguration.data | object | `{}` | `Secret` data. |
-| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
-| secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
-| secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
-| securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container. |
-| service.annotations | object | `{}` | Service annotations. |
-| service.ipFamilies | list | `[]` | Service IP families. |
-| service.ipFamilyPolicy | string | `nil` | Service IP family policy. |
-| service.port | int | `7979` | Service HTTP port. |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| serviceAccount.automountServiceAccountToken | string | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`. |
-| serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |
-| serviceAccount.labels | object | `{}` | Labels to add to the service account. |
-| serviceAccount.name | string | `nil` | If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use. |
-| serviceMonitor.additionalLabels | object | `{}` | Additional labels for the `ServiceMonitor`. |
-| serviceMonitor.annotations | object | `{}` | Annotations to add to the `ServiceMonitor`. |
-| serviceMonitor.bearerTokenFile | string | `nil` | Provide a bearer token file for the `ServiceMonitor`. |
-| serviceMonitor.enabled | bool | `false` | If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_. |
-| serviceMonitor.interval | string | `nil` | If set override the _Prometheus_ default interval. |
-| serviceMonitor.metricRelabelings | list | `[]` | [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion. |
-| serviceMonitor.namespace | string | `nil` | If set create the `ServiceMonitor` in an alternate namespace. |
-| serviceMonitor.relabelings | list | `[]` | [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion. |
-| serviceMonitor.scheme | string | `nil` | If set overrides the _Prometheus_ default scheme. |
-| serviceMonitor.scrapeTimeout | string | `nil` | If set override the _Prometheus_ default scrape timeout. |
-| serviceMonitor.targetLabels | list | `[]` | Provide target labels for the `ServiceMonitor`. |
-| serviceMonitor.tlsConfig | object | `{}` | Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig). |
-| shareProcessNamespace | bool | `false` | If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled. |
-| sources | list | `["service","ingress"]` | _Kubernetes_ resources to monitor for DNS entries. |
-| terminationGracePeriodSeconds | int | `nil` | Termination grace period for the `Pod` in seconds. |
-| tolerations | list | `[]` | Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
-| topologySpreadConstraints | list | `[]` | Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels. |
-| triggerLoopOnEvent | bool | `false` | If `true`, triggers run loop on create/update/delete events in addition of regular interval. |
-| txtOwnerId | string | `nil` | Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`. |
-| txtPrefix | string | `nil` | Specify a prefix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtSuffix`. |
-| txtSuffix | string | `nil` | Specify a suffix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtPrefix`. |
-
----------------------------------------------
-
-Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).
--- a/packages/system/external-dns/charts/external-dns/README.md.gotmpl
+++ b/packages/system/external-dns/charts/external-dns/README.md.gotmpl
@@ -1,91 +0,0 @@
-{{ template "chart.header" . }}
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.badgesSection" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-## Installing the Chart
-
-Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
-
-```shell
-helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
-```
-
-After you've installed the repo you can install the chart.
-
-```shell
-helm upgrade --install {{ template "chart.name" . }} external-dns/{{ template "chart.name" . }} --version {{ template "chart.version" . }}
-```
-
-## Providers
-
-Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
-See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
-
-### Providers with Specific Configuration Support
-
-| Provider               | Supported  |
-|------------------------|------------|
-| `webhook`              | ✅         |
-
-### Other Providers
-
-For set up for a specific provider using the Helm chart, see the following links:
-
- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
-
-## Namespaced Scoped Installation
-
-external-dns supports running on a namespaced only scope, too.
-If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
-
-### Limited Supported
-
-Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
-For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
-Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
-namespaces as `external-dns`.
-
-The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
-
-If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
-
-### Support Matrix
-
-| Source                 | Supported  | Infos                  |
-|------------------------|------------|------------------------|
-| `ingress`              | ✅         |                        |
-| `istio-gateway`        | ✅         |                        |
-| `istio-virtualservice` | ✅         |                        |
-| `crd`                  | ✅         |                        |
-| `kong-tcpingress`      | ✅         |                        |
-| `openshift-route`      | ✅         |                        |
-| `skipper-routegroup`   | ✅         |                        |
-| `gloo-proxy`           | ✅         |                        |
-| `contour-httpproxy`    | ✅         |                        |
-| `service`              | ⚠️️         | NodePort not supported |
-| `node`                 | ❌         |                        |
-| `pod`                  | ❌         |                        |
-
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
----------------------------------------------
-
-Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).
--- a/packages/system/external-dns/charts/external-dns/RELEASE.md
+++ b/packages/system/external-dns/charts/external-dns/RELEASE.md
@@ -1,10 +0,0 @@
-### Changed
-
- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
-
-### Fixed
-
- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_
--- a/packages/system/external-dns/charts/external-dns/ci/ci-values.yaml
+++ b/packages/system/external-dns/charts/external-dns/ci/ci-values.yaml
@@ -1,2 +0,0 @@
-provider:
-  name: inmemory
--- a/packages/system/external-dns/charts/external-dns/crds/dnsendpoint.yaml
+++ b/packages/system/external-dns/charts/external-dns/crds/dnsendpoint.yaml
@@ -1,102 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: dnsendpoints.externaldns.k8s.io
-  annotations:
-    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/external-dns/pull/2007
-spec:
-  group: externaldns.k8s.io
-  names:
-    kind: DNSEndpoint
-    listKind: DNSEndpointList
-    plural: dnsendpoints
-    singular: dnsendpoint
-  scope: Namespaced
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: DNSEndpointSpec defines the desired state of DNSEndpoint
-              properties:
-                endpoints:
-                  items:
-                    description:
-                      Endpoint is a high-level way of a connection between
-                      a service and an IP
-                    properties:
-                      dnsName:
-                        description: The hostname of the DNS record
-                        type: string
-                      labels:
-                        additionalProperties:
-                          type: string
-                        description: Labels stores labels defined for the Endpoint
-                        type: object
-                      providerSpecific:
-                        description: ProviderSpecific stores provider specific config
-                        items:
-                          description:
-                            ProviderSpecificProperty holds the name and value
-                            of a configuration which is specific to individual DNS providers
-                          properties:
-                            name:
-                              type: string
-                            value:
-                              type: string
-                          type: object
-                        type: array
-                      recordTTL:
-                        description: TTL for the record
-                        format: int64
-                        type: integer
-                      recordType:
-                        description:
-                          RecordType type of record, e.g. CNAME, A, AAAA,
-                          SRV, TXT etc
-                        type: string
-                      setIdentifier:
-                        description:
-                          Identifier to distinguish multiple records with
-                          the same name and type (e.g. Route53 records with routing
-                          policies other than 'simple')
-                        type: string
-                      targets:
-                        description: The targets the DNS record points to
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  type: array
-              type: object
-            status:
-              description: DNSEndpointStatus defines the observed state of DNSEndpoint
-              properties:
-                observedGeneration:
-                  description: The generation observed by the external-dns controller.
-                  format: int64
-                  type: integer
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}
--- a/packages/system/external-dns/charts/external-dns/templates/NOTES.txt
+++ b/packages/system/external-dns/charts/external-dns/templates/NOTES.txt
@@ -1,7 +0,0 @@
-***********************************************************************
-* External DNS                                                        *
-***********************************************************************
-  Chart version: {{ .Chart.Version }}
-  App version:   {{ .Chart.AppVersion }}
-  Image tag:     {{ include "external-dns.image" . }}
-***********************************************************************
--- a/packages/system/external-dns/charts/external-dns/templates/_helpers.tpl
+++ b/packages/system/external-dns/charts/external-dns/templates/_helpers.tpl
@@ -1,95 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "external-dns.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "external-dns.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "external-dns.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "external-dns.labels" -}}
-helm.sh/chart: {{ include "external-dns.chart" . }}
-{{ include "external-dns.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- with .Values.commonLabels }}
-{{ toYaml . }}
-{{- end }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "external-dns.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "external-dns.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "external-dns.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "external-dns.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-The image to use
-*/}}
-{{- define "external-dns.image" -}}
-{{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }}
-{{- end }}
-
-{{/*
-Provider name, Keeps backward compatibility on provider
-*/}}
-{{- define "external-dns.providerName" -}}
-{{- if eq (typeOf .Values.provider) "string" }}
-{{- .Values.provider }}
-{{- else }}
-{{- .Values.provider.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-The image to use for optional webhook sidecar
-*/}}
-{{- define "external-dns.webhookImage" -}}
-{{- with .image }}
-{{- if or (empty .repository) (empty .tag) }}
-{{- fail "ERROR: webhook provider needs an image repository and a tag" }}
-{{- end }}
-{{- printf "%s:%s" .repository .tag }}
-{{- end }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/clusterrole.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/clusterrole.yaml
@@ -1,127 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
-metadata:
-  name: {{ template "external-dns.fullname" . }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-rules:
-{{- if and (not .Values.namespaced) (or (has "node" .Values.sources) (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources)) }}
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["list","watch"]
-{{- end }}
-{{- if or (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if or (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
-  - apiGroups: [""]
-    resources: ["services","endpoints"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if or (has "ingress" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
-  - apiGroups: ["extensions","networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if or (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) }}
-  - apiGroups: ["networking.istio.io"]
-    resources: ["gateways"]
-    verbs: ["get","watch","list"]
-{{- end }}
-
-{{- if has "istio-virtualservice" .Values.sources }}
-  - apiGroups: ["networking.istio.io"]
-    resources: ["virtualservices"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "ambassador-host" .Values.sources }}
-  - apiGroups: ["getambassador.io"]
-    resources: ["hosts","ingresses"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "contour-httpproxy" .Values.sources }}
-  - apiGroups: ["projectcontour.io"]
-    resources: ["httpproxies"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "crd" .Values.sources }}
-  - apiGroups: ["externaldns.k8s.io"]
-    resources: ["dnsendpoints"]
-    verbs: ["get","watch","list"]
-  - apiGroups: ["externaldns.k8s.io"]
-    resources: ["dnsendpoints/status"]
-    verbs: ["*"]
-{{- end }}
-{{- if or (has "gateway-httproute" .Values.sources) (has "gateway-grpcroute" .Values.sources) (has "gateway-tlsroute" .Values.sources) (has "gateway-tcproute" .Values.sources) (has "gateway-udproute" .Values.sources) }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["gateways"]
-    verbs: ["get","watch","list"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["get","watch","list"]    
-{{- end }}
-{{- if has "gateway-httproute" .Values.sources }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["httproutes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "gateway-grpcroute" .Values.sources }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["grpcroutes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "gateway-tlsroute" .Values.sources }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["tlsroutes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "gateway-tcproute" .Values.sources }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["tcproutes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "gateway-udproute" .Values.sources }}
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["udproutes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "gloo-proxy" .Values.sources }}
-  - apiGroups: ["gloo.solo.io","gateway.solo.io"]
-    resources: ["proxies","virtualservices"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "kong-tcpingress" .Values.sources }}
-  - apiGroups: ["configuration.konghq.com"]
-    resources: ["tcpingresses"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "traefik-proxy" .Values.sources }}
-  - apiGroups: ["traefik.containo.us", "traefik.io"]
-    resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "openshift-route" .Values.sources }}
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- if has "skipper-routegroup" .Values.sources }}
-  - apiGroups: ["zalando.org"]
-    resources: ["routegroups"]
-    verbs: ["get","watch","list"]
-  - apiGroups: ["zalando.org"]
-    resources: ["routegroups/status"]
-    verbs: ["patch","update"]
-{{- end }}
-{{- if has "f5-virtualserver" .Values.sources }}
-  - apiGroups: ["cis.f5.com"]
-    resources: ["virtualservers"]
-    verbs: ["get","watch","list"]
-{{- end }}
-{{- with .Values.rbac.additionalPermissions }}
-  {{- toYaml . | nindent 2 }}
-{{- end }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/clusterrolebinding.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/clusterrolebinding.yaml
@@ -1,16 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: {{ .Values.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
-metadata:
-  name: {{ printf "%s-viewer" (include "external-dns.fullname" .) }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
-  name: {{ template "external-dns.fullname" . }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "external-dns.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/deployment.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/deployment.yaml
@@ -1,209 +0,0 @@
-{{- $providerName := tpl (include "external-dns.providerName" .) $ }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "external-dns.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-  {{- with .Values.deploymentAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "external-dns.selectorLabels" . | nindent 6 }}
-  strategy:
-    {{- toYaml .Values.deploymentStrategy | nindent 4 }}
-  {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }}
-  revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }}
-  {{- end }}
-  template:
-    metadata:
-      labels:
-        {{- include "external-dns.selectorLabels" . | nindent 8 }}
-      {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- if or .Values.secretConfiguration.enabled .Values.podAnnotations }}
-      annotations:
-        {{- if .Values.secretConfiguration.enabled }}
-        checksum/secret: {{ tpl (toYaml .Values.secretConfiguration.data) . | sha256sum }}
-        {{- end }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- end }}
-    spec:
-    {{- if not (quote .Values.automountServiceAccountToken | empty) }}
-      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
-    {{- end }}
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "external-dns.serviceAccountName" . }}
-      {{- with .Values.shareProcessNamespace }}
-      shareProcessNamespace: {{ . }}
-      {{- end }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.priorityClassName }}
-      priorityClassName: {{ . | quote }}
-      {{- end }}
-      {{- with .Values.terminationGracePeriodSeconds }}
-      terminationGracePeriodSeconds: {{ . }}
-      {{- end }}
-      {{- with .Values.dnsPolicy }}
-      dnsPolicy: {{ . }}
-      {{- end }}
-      {{- with .Values.dnsConfig }}
-      dnsConfig:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-      {{- with .Values.extraContainers }}
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-        - name: external-dns
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          image: {{ include "external-dns.image" . }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- with .Values.env }}
-          env:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          args:
-            - --log-level={{ .Values.logLevel }}
-            - --log-format={{ .Values.logFormat }}
-            - --interval={{ .Values.interval }}
-            {{- if .Values.triggerLoopOnEvent }}
-            - --events
-            {{- end }}
-            {{- range .Values.sources }}
-            - --source={{ . }}
-            {{- end }}
-            - --policy={{ .Values.policy }}
-            - --registry={{ .Values.registry }}
-            {{- if .Values.txtOwnerId }}
-            - --txt-owner-id={{ .Values.txtOwnerId }}
-            {{- end }}
-            {{- if .Values.txtPrefix }}
-            - --txt-prefix={{ .Values.txtPrefix }}
-            {{- end }}
-            {{- if and (eq .Values.txtPrefix "") (ne .Values.txtSuffix "") }}
-            - --txt-suffix={{ .Values.txtSuffix }}
-            {{- end }}
-            {{- if .Values.namespaced }}
-            - --namespace={{ .Release.Namespace }}
-            {{- end }}
-            {{- range .Values.domainFilters }}
-            - --domain-filter={{ . }}
-            {{- end }}
-            {{- range .Values.excludeDomains }}
-            - --exclude-domains={{ . }}
-            {{- end }}
-            - --provider={{ $providerName }}
-          {{- range .Values.extraArgs }}
-            - {{ tpl . $ }}
-          {{- end }}
-          ports:
-            - name: http
-              protocol: TCP
-              containerPort: 7979
-          livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
-          readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
-          {{- if or .Values.secretConfiguration.enabled .Values.extraVolumeMounts }}
-          volumeMounts:
-            {{- if .Values.secretConfiguration.enabled }}
-            - name: secrets
-              mountPath: {{ tpl .Values.secretConfiguration.mountPath $ }}
-            {{- with .Values.secretConfiguration.subPath }}
-              subPath: {{ tpl . $ }}
-            {{- end }}
-            {{- end }}
-            {{- with .Values.extraVolumeMounts }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
-          {{- end }}
-          {{- with .Values.resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-        {{- if eq $providerName "webhook" }}
-        {{- with .Values.provider.webhook }}
-        - name: webhook
-          image: {{ include "external-dns.webhookImage" . }}
-          imagePullPolicy: {{ .image.pullPolicy }}
-          {{- with .env }}
-          env:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .args }}
-          args:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          ports:
-            - name: http-webhook
-              protocol: TCP
-              containerPort: 8080
-          livenessProbe:
-            {{- toYaml .livenessProbe | nindent 12 }}
-          readinessProbe:
-            {{- toYaml .readinessProbe | nindent 12 }}
-          {{- if .extraVolumeMounts }}
-          volumeMounts:
-            {{- with .extraVolumeMounts }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
-          {{- end }}
-          {{- with .resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-        {{- end }}
-        {{- end }}
-      {{- if or .Values.secretConfiguration.enabled .Values.extraVolumes }}
-      volumes:
-        {{- if .Values.secretConfiguration.enabled }}
-        - name: secrets
-          secret:
-            secretName: {{ include "external-dns.fullname" . }}
-        {{- end }}
-        {{- with .Values.extraVolumes }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/secret.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/secret.yaml
@@ -1,13 +0,0 @@
-{{- if .Values.secretConfiguration.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "external-dns.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-data:
-{{- range $key, $value := .Values.secretConfiguration.data }}
-  {{ $key }}: {{ tpl $value $ | b64enc | quote }}
-{{- end }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/service.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/service.yaml
@@ -1,36 +0,0 @@
-{{- $providerName := include "external-dns.providerName" . }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "external-dns.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-{{- with .Values.service.ipFamilies }}
-  ipFamilies:
-    {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- with .Values.service.ipFamilyPolicy }}
-  ipFamilyPolicy: {{ . }}
-{{- end }}
-  type: ClusterIP
-  selector:
-    {{- include "external-dns.selectorLabels" . | nindent 4 }}
-  ports:
-    - name: http
-      port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-    {{- if eq $providerName "webhook" }}
-    {{- with .Values.provider.webhook.service }}
-    - name: http-webhook
-      port: {{ .port }}
-      targetPort: http-webhook
-      protocol: TCP
-    {{- end }}
-    {{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/serviceaccount.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/serviceaccount.yaml
@@ -1,17 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "external-dns.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.labels }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/templates/servicemonitor.yaml
+++ b/packages/system/external-dns/charts/external-dns/templates/servicemonitor.yaml
@@ -1,86 +0,0 @@
-{{- if .Values.serviceMonitor.enabled -}}
-{{- $providerName := include "external-dns.providerName" . }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "external-dns.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
-  {{- with .Values.serviceMonitor.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "external-dns.labels" . | nindent 4 }}
-  {{- with .Values.serviceMonitor.additionalLabels }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  jobLabel: app.kubernetes.io/instance
-  namespaceSelector:
-    matchNames:
-      - {{ .Release.Namespace }}
-  selector:
-    matchLabels:
-      {{- include "external-dns.selectorLabels" . | nindent 6 }}
-  endpoints:
-    - port: http
-      path: /metrics
-      {{- with .Values.serviceMonitor.interval }}
-      interval: {{ . }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.scheme }}
-      scheme: {{ . }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.bearerTokenFile }}
-      bearerTokenFile: {{ . }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.tlsConfig }}
-      tlsConfig:
-        {{- toYaml .| nindent 8 }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.scrapeTimeout }}
-      scrapeTimeout: {{ . }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.metricRelabelings }}
-      metricRelabelings:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.serviceMonitor.relabelings }}
-      relabelings:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    {{- if eq $providerName "webhook" }}
-    {{- with .Values.provider.webhook.serviceMonitor }}
-    - port: http-webhook
-      path: /metrics
-      {{- with .interval }}
-      interval: {{ . }}
-      {{- end }}
-      {{- with .scheme }}
-      scheme: {{ . }}
-      {{- end }}
-      {{- with .bearerTokenFile }}
-      bearerTokenFile: {{ . }}
-      {{- end }}
-      {{- with .tlsConfig }}
-      tlsConfig:
-        {{- toYaml .| nindent 8 }}
-      {{- end }}
-      {{- with .scrapeTimeout }}
-      scrapeTimeout: {{ . }}
-      {{- end }}
-      {{- with .metricRelabelings }}
-      metricRelabelings:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .relabelings }}
-      relabelings:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    {{- end }}
-    {{- end }}
-  {{- with .Values.serviceMonitor.targetLabels }}
-  targetLabels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
--- a/packages/system/external-dns/charts/external-dns/values.schema.json
+++ b/packages/system/external-dns/charts/external-dns/values.schema.json
@@ -1,91 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema",
-  "type": "object",
-  "properties": {
-    "provider": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "type": "object",
-          "properties": {
-            "name": {
-              "type": "string"
-            }
-          }
-        }
-      ]
-    },
-    "extraArgs": {
-      "type": "array",
-      "items": {
-        "type": "string"
-      }
-    },
-    "secretConfiguration": {
-      "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
-      "type": "object",
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        },
-        "mountPath": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "subPath": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "data": {
-          "type": "object",
-          "patternProperties": {
-            ".+": {
-              "type": "string"
-            }
-          }
-        }
-      }
-    },
-    "service": {
-      "type": "object",
-      "properties": {
-        "annotations": {
-          "type": "object"
-        },
-        "ipFamilies": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": [
-              "IPv6",
-              "IPv4"
-            ]
-          }
-        },
-        "ipFamilyPolicy": {
-          "type": [
-            "string",
-            "null"
-          ],
-          "items": {
-            "type": "string",
-            "enum": [
-              "SingleStack",
-              "PreferDualStack",
-              "RequireDualStack"
-            ]
-          }
-        },
-        "port": {
-          "type": "integer"
-        }
-      }
-    }
-  }
-}
--- a/packages/system/external-dns/charts/external-dns/values.yaml
+++ b/packages/system/external-dns/charts/external-dns/values.yaml
@@ -1,297 +0,0 @@
-# Default values for external-dns.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-image:
-  # -- Image repository for the `external-dns` container.
-  repository: registry.k8s.io/external-dns/external-dns
-  # -- (string) Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set.
-  tag:
-  # -- Image pull policy for the `external-dns` container.
-  pullPolicy: IfNotPresent
-
-# -- Image pull secrets.
-imagePullSecrets: []
-
-# -- (string) Override the name of the chart.
-nameOverride:
-
-# -- (string) Override the full name of the chart.
-fullnameOverride:
-
-# -- Labels to add to all chart resources.
-commonLabels: {}
-
-serviceAccount:
-  # -- If `true`, create a new `ServiceAccount`.
-  create: true
-  # -- Labels to add to the service account.
-  labels: {}
-  # -- Annotations to add to the service account.
-  annotations: {}
-  # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
-  name:
-  # -- Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`.
-  automountServiceAccountToken:
-
-service:
-  # -- Service annotations.
-  annotations: {}
-  # -- Service HTTP port.
-  port: 7979
-  # -- Service IP families.
-  ipFamilies: []
-  # -- (string) Service IP family policy.
-  ipFamilyPolicy:
-
-rbac:
-  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
-  create: true
-  # -- Additional rules to add to the `ClusterRole`.
-  additionalPermissions: []
-
-# -- Annotations to add to the `Deployment`.
-deploymentAnnotations: {}
-
-# -- Extra containers to add to the `Deployment`.
-extraContainers: {}
-
-# -- [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
-deploymentStrategy:
-  type: Recreate
-
-# -- (int) Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``.
-revisionHistoryLimit:
-
-# -- Labels to add to the `Pod`.
-podLabels: {}
-
-# -- Annotations to add to the `Pod`.
-podAnnotations: {}
-
-# -- (bool) Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`.
-automountServiceAccountToken:
-
-# -- If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled.
-shareProcessNamespace: false
-
-# -- [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation.
-# @default -- See _values.yaml_
-podSecurityContext:
-  runAsNonRoot: true
-  fsGroup: 65534
-  seccompProfile:
-    type: RuntimeDefault
-
-# -- (string) Priority class name for the `Pod`.
-priorityClassName:
-
-# -- (int) Termination grace period for the `Pod` in seconds.
-terminationGracePeriodSeconds:
-
-# -- (string) [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used.
-dnsPolicy:
-
-# -- (object) [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used.
-dnsConfig:
-
-# -- [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition.
-initContainers: []
-
-# -- [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container.
-# @default -- See _values.yaml_
-securityContext:
-  privileged: false
-  allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 65532
-  runAsGroup: 65532
-  capabilities:
-    drop: ["ALL"]
-
-# -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container.
-env: []
-
-# -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
-# @default -- See _values.yaml_
-livenessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 10
-  periodSeconds: 10
-  timeoutSeconds: 5
-  failureThreshold: 2
-  successThreshold: 1
-
-# -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
-# @default -- See _values.yaml_
-readinessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 5
-  periodSeconds: 10
-  timeoutSeconds: 5
-  failureThreshold: 6
-  successThreshold: 1
-
-# -- Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`.
-extraVolumes: []
-
-# -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container.
-extraVolumeMounts: []
-
-# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container.
-resources: {}
-
-# -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-nodeSelector: {}
-
-# -- Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels.
-affinity: {}
-
-# -- Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels.
-topologySpreadConstraints: []
-
-# -- Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-tolerations: []
-
-serviceMonitor:
-  # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_.
-  enabled: false
-  # -- Additional labels for the `ServiceMonitor`.
-  additionalLabels: {}
-  # -- Annotations to add to the `ServiceMonitor`.
-  annotations: {}
-  # -- (string) If set create the `ServiceMonitor` in an alternate namespace.
-  namespace:
-  # -- (string) If set override the _Prometheus_ default interval.
-  interval:
-  # -- (string) If set override the _Prometheus_ default scrape timeout.
-  scrapeTimeout:
-  # -- (string) If set overrides the _Prometheus_ default scheme.
-  scheme:
-  # -- Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig).
-  tlsConfig: {}
-  # -- (string) Provide a bearer token file for the `ServiceMonitor`.
-  bearerTokenFile:
-  # -- [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion.
-  relabelings: []
-  # -- [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion.
-  metricRelabelings: []
-  # -- Provide target labels for the `ServiceMonitor`.
-  targetLabels: []
-
-# -- Log level.
-logLevel: info
-
-# -- Log format.
-logFormat: text
-
-# -- Interval for DNS updates.
-interval: 1m
-
-# -- If `true`, triggers run loop on create/update/delete events in addition of regular interval.
-triggerLoopOnEvent: false
-
-# -- if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too).
-namespaced: false
-
-# -- _Kubernetes_ resources to monitor for DNS entries.
-sources:
-  - service
-  - ingress
-
-# -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
-policy: upsert-only
-
-# -- Specify the registry for storing ownership and labels.
-# Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
-registry: txt
-# -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
-txtOwnerId:
-# -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
-# Mutually exclusive with `txtSuffix`.
-txtPrefix:
-# -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
-# Mutually exclusive with `txtPrefix`.
-txtSuffix:
-
-## - Limit possible target zones by domain suffixes.
-domainFilters: []
-
-## -- Intentionally exclude domains from being managed.
-excludeDomains: []
-
-provider:
-  # -- _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers).
-  name: aws
-  webhook:
-    image:
-      # -- (string) Image repository for the `webhook` container.
-      repository:
-      # -- (string) Image tag for the `webhook` container.
-      tag:
-      # -- Image pull policy for the `webhook` container.
-      pullPolicy: IfNotPresent
-    # -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container.
-    env: []
-    # -- Extra arguments to provide for the `webhook` container.
-    args: []
-    # -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container.
-    extraVolumeMounts: []
-    # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container.
-    resources: {}
-    # -- [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container.
-    # @default -- See _values.yaml_
-    securityContext: {}
-    # -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
-    # @default -- See _values.yaml_
-    livenessProbe:
-      httpGet:
-        path: /healthz
-        port: http-webhook
-      initialDelaySeconds: 10
-      periodSeconds: 10
-      timeoutSeconds: 5
-      failureThreshold: 2
-      successThreshold: 1
-    # -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container.
-    # @default -- See _values.yaml_
-    readinessProbe:
-      httpGet:
-        path: /healthz
-        port: http-webhook
-      initialDelaySeconds: 5
-      periodSeconds: 10
-      timeoutSeconds: 5
-      failureThreshold: 6
-      successThreshold: 1
-    service:
-      # -- Webhook exposed HTTP port for the service.
-      port: 8080
-    # -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container.
-    # @default -- See _values.yaml_
-    serviceMonitor:
-      interval:
-      scheme:
-      tlsConfig: {}
-      bearerTokenFile:
-      scrapeTimeout:
-      metricRelabelings: []
-      relabelings: []
-
-# -- Extra arguments to provide to _ExternalDNS_.
-extraArgs: []
-
-secretConfiguration:
-  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
-  enabled: false
-  # -- Mount path for the `Secret`, this can be templated.
-  mountPath:
-  # -- Sub-path for mounting the `Secret`, this can be templated.
-  subPath:
-  # -- `Secret` data.
-  data: {}
--- a/packages/system/external-dns/values.yaml
+++ b/packages/system/external-dns/values.yaml
@@ -1,23 +0,0 @@
-external-dns:
-    # -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
-  policy: upsert-only
-  # -- Specify the registry for storing ownership and labels.
-  # Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
-  registry: txt
-  # -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
-  txtOwnerId:
-  # -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
-  # Mutually exclusive with `txtSuffix`.
-  txtPrefix:
-  # -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
-  # Mutually exclusive with `txtPrefix`.
-  txtSuffix:
-
-    ## - Limit possible target zones by domain suffixes.
-  domainFilters: []
-  ## -- Intentionally exclude domains from being managed.
-  excludeDomains: []
-
-  # -- Specify the DNS provider (e.g., "aws", "google", "azure", etc.)
-  provider:
-    name: ""
--- a/packages/system/external-secrets-operator/.helmignore
+++ b/packages/system/external-secrets-operator/.helmignore
@@ -1,3 +0,0 @@
-images
-hack
-.gitkeep
--- a/packages/system/external-secrets-operator/Chart.yaml
+++ b/packages/system/external-secrets-operator/Chart.yaml
@@ -1,3 +0,0 @@
-apiVersion: v2
-name: cozy-external-secrets-operator
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/external-secrets-operator/Makefile
+++ b/packages/system/external-secrets-operator/Makefile
@@ -1,11 +0,0 @@
-export NAME=external-secrets-operator
-export NAMESPACE=cozy-$(NAME)
-
-include ../../../scripts/package.mk
-
-update:
-	rm -rf charts
-	helm repo add external-secrets https://charts.external-secrets.io
-	helm repo update external-secrets
-	helm pull external-secrets/external-secrets --untar --untardir charts
-	rm -rf charts/external-secrets/charts
--- a/packages/system/external-secrets-operator/charts/external-secrets/Chart.lock
+++ b/packages/system/external-secrets-operator/charts/external-secrets/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: bitwarden-sdk-server
-  repository: oci://ghcr.io/external-secrets/charts
-  version: v0.3.1
-digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
-generated: "2024-09-20T12:57:07.63511+02:00"
--- a/packages/system/external-secrets-operator/charts/external-secrets/Chart.yaml
+++ b/packages/system/external-secrets-operator/charts/external-secrets/Chart.yaml
@@ -1,20 +0,0 @@
-apiVersion: v2
-appVersion: v0.10.4
-dependencies:
- condition: bitwarden-sdk-server.enabled
-  name: bitwarden-sdk-server
-  repository: oci://ghcr.io/external-secrets/charts
-  version: v0.3.1
-description: External secret management for Kubernetes
-home: https://github.com/external-secrets/external-secrets
-icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
-keywords:
- kubernetes-external-secrets
- secrets
-kubeVersion: '>= 1.19.0-0'
-maintainers:
- email: kellinmcavoy@gmail.com
-  name: mcavoyk
-name: external-secrets
-type: application
-version: 0.10.4
--- a/packages/system/external-secrets-operator/charts/external-secrets/README.md
+++ b/packages/system/external-secrets-operator/charts/external-secrets/README.md
@@ -1,225 +0,0 @@
-# External Secrets
-
-<p><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x"  alt="external-secrets"></p>
-
-[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
-
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.10.4](https://img.shields.io/badge/Version-0.10.4-informational?style=flat-square)
-
-External secret management for Kubernetes
-
-## TL;DR
-```bash
-helm repo add external-secrets https://charts.external-secrets.io
-helm install external-secrets external-secrets/external-secrets
-```
-
-## Installing the Chart
-To install the chart with the release name `external-secrets`:
-```bash
-helm install external-secrets external-secrets/external-secrets
-```
-
-### Custom Resources
-By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
-
-## Uninstalling the Chart
-To uninstall the `external-secrets` deployment:
-```bash
-helm uninstall external-secrets
-```
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` |  |
-| bitwarden-sdk-server.enabled | bool | `false` |  |
-| certController.affinity | object | `{}` |  |
-| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
-| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
-| certController.extraArgs | object | `{}` |  |
-| certController.extraEnv | list | `[]` |  |
-| certController.extraVolumeMounts | list | `[]` |  |
-| certController.extraVolumes | list | `[]` |  |
-| certController.fullnameOverride | string | `""` |  |
-| certController.hostNetwork | bool | `false` | Run the certController on the host network |
-| certController.image.flavour | string | `""` |  |
-| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
-| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
-| certController.image.tag | string | `""` |  |
-| certController.imagePullSecrets | list | `[]` |  |
-| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
-| certController.metrics.listen.port | int | `8080` |  |
-| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
-| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
-| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
-| certController.nameOverride | string | `""` |  |
-| certController.nodeSelector | object | `{}` |  |
-| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
-| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
-| certController.podLabels | object | `{}` |  |
-| certController.podSecurityContext.enabled | bool | `true` |  |
-| certController.priorityClassName | string | `""` | Pod priority class name. |
-| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
-| certController.readinessProbe.address | string | `""` | Address for readiness probe |
-| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
-| certController.replicaCount | int | `1` |  |
-| certController.requeueInterval | string | `"5m"` |  |
-| certController.resources | object | `{}` |  |
-| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
-| certController.securityContext.allowPrivilegeEscalation | bool | `false` |  |
-| certController.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| certController.securityContext.enabled | bool | `true` |  |
-| certController.securityContext.readOnlyRootFilesystem | bool | `true` |  |
-| certController.securityContext.runAsNonRoot | bool | `true` |  |
-| certController.securityContext.runAsUser | int | `1000` |  |
-| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
-| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
-| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
-| certController.tolerations | list | `[]` |  |
-| certController.topologySpreadConstraints | list | `[]` |  |
-| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
-| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
-| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
-| crds.annotations | object | `{}` |  |
-| crds.conversion.enabled | bool | `true` |  |
-| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
-| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
-| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
-| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
-| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
-| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
-| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
-| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
-| extraArgs | object | `{}` |  |
-| extraContainers | list | `[]` |  |
-| extraEnv | list | `[]` |  |
-| extraObjects | list | `[]` |  |
-| extraVolumeMounts | list | `[]` |  |
-| extraVolumes | list | `[]` |  |
-| fullnameOverride | string | `""` |  |
-| global.affinity | object | `{}` |  |
-| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
-| global.nodeSelector | object | `{}` |  |
-| global.tolerations | list | `[]` |  |
-| global.topologySpreadConstraints | list | `[]` |  |
-| hostNetwork | bool | `false` | Run the controller on the host network |
-| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
-| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
-| imagePullSecrets | list | `[]` |  |
-| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
-| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
-| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
-| metrics.listen.port | int | `8080` |  |
-| metrics.service.annotations | object | `{}` | Additional service annotations |
-| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
-| metrics.service.port | int | `8080` | Metrics service port to scrape |
-| nameOverride | string | `""` |  |
-| namespaceOverride | string | `""` |  |
-| nodeSelector | object | `{}` |  |
-| podAnnotations | object | `{}` | Annotations to add to Pod |
-| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
-| podLabels | object | `{}` |  |
-| podSecurityContext.enabled | bool | `true` |  |
-| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
-| priorityClassName | string | `""` | Pod priority class name. |
-| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
-| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
-| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
-| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
-| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
-| replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
-| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
-| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
-| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
-| securityContext.allowPrivilegeEscalation | bool | `false` |  |
-| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| securityContext.enabled | bool | `true` |  |
-| securityContext.readOnlyRootFilesystem | bool | `true` |  |
-| securityContext.runAsNonRoot | bool | `true` |  |
-| securityContext.runAsUser | int | `1000` |  |
-| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
-| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
-| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
-| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
-| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
-| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
-| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
-| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
-| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
-| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
-| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
-| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
-| tolerations | list | `[]` |  |
-| topologySpreadConstraints | list | `[]` |  |
-| webhook.affinity | object | `{}` |  |
-| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
-| webhook.certDir | string | `"/tmp/certs"` |  |
-| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
-| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
-| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
-| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
-| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
-| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
-| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
-| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
-| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
-| webhook.extraArgs | object | `{}` |  |
-| webhook.extraEnv | list | `[]` |  |
-| webhook.extraVolumeMounts | list | `[]` |  |
-| webhook.extraVolumes | list | `[]` |  |
-| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
-| webhook.fullnameOverride | string | `""` |  |
-| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
-| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
-| webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
-| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
-| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
-| webhook.imagePullSecrets | list | `[]` |  |
-| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
-| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
-| webhook.metrics.listen.port | int | `8080` |  |
-| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
-| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
-| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
-| webhook.nameOverride | string | `""` |  |
-| webhook.nodeSelector | object | `{}` |  |
-| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
-| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
-| webhook.podLabels | object | `{}` |  |
-| webhook.podSecurityContext.enabled | bool | `true` |  |
-| webhook.port | int | `10250` | The port the webhook will listen to |
-| webhook.priorityClassName | string | `""` | Pod priority class name. |
-| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
-| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
-| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
-| webhook.replicaCount | int | `1` |  |
-| webhook.resources | object | `{}` |  |
-| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
-| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
-| webhook.securityContext.allowPrivilegeEscalation | bool | `false` |  |
-| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| webhook.securityContext.enabled | bool | `true` |  |
-| webhook.securityContext.readOnlyRootFilesystem | bool | `true` |  |
-| webhook.securityContext.runAsNonRoot | bool | `true` |  |
-| webhook.securityContext.runAsUser | int | `1000` |  |
-| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
-| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
-| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
-| webhook.tolerations | list | `[]` |  |
-| webhook.topologySpreadConstraints | list | `[]` |  |
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`ghcr.io/aenix-io/cozystack/s3manager:latest@sha256:7a1a0864f823dc3343d79dffa44ab73f77f0e1b3642a0fe0fa29b280c3184a9b`