Add clickhouse-operator

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-29 10:18:54 +00:00 · 2024-04-13 08:57:27 +02:00
230 changed files with 6562 additions and 9100 deletions
--- a/hack/gen_versions_map.sh
+++ b/hack/gen_versions_map.sh
@@ -20,28 +20,9 @@ miss_map=$(echo "$new_map" | awk 'NR==FNR { new_map[$1 " " $2] = $3; next } { if
 resolved_miss_map=$(
  echo "$miss_map" | while read chart version commit; do
    if [ "$commit" = HEAD ]; then
-      line=$(awk '/^version:/ {print NR; exit}' "./$chart/Chart.yaml")
-      change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
-       
-      if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
-        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
-        commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
-        if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
-          commit=$(echo $commit | cut -c2-)
-        fi
-      else
-        # Commited, but version_map wasn't updated
-        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
-        change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
-        if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
-          commit=$(echo $change_commit | cut -c2-)
-        else
-          commit=$(git describe --always "$change_commit~1")
-        fi
-      fi
+      line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
+      change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
+      commit=$(git describe --always "$change_commit~1")
    fi
    echo "$chart $version $commit"
  done
--- a/hack/prepare_release.sh
+++ b/hack/prepare_release.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+if [ -e $1 ]; then
+  echo "Please pass version in the first argument"
+  echo "Example: $0 0.2.0"
+  exit 1
+fi
+
+version=$1
+talos_version=$(awk '/^version:/ {print $2}' packages/core/installer/images/talos/profiles/installer.yaml)
+
+set -x
+
+sed -i "/^TAG / s|=.*|= v${version}|" \
+  packages/apps/http-cache/Makefile \
+  packages/apps/kubernetes/Makefile \
+  packages/core/installer/Makefile \
+  packages/system/dashboard/Makefile
+
+sed -i "/^VERSION / s|=.*|= ${version}|" \
+  packages/core/Makefile \
+  packages/system/Makefile
+make -C packages/core fix-chartnames
+make -C packages/system fix-chartnames
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -15,6 +15,13 @@ metadata:
  namespace: cozy-system
 ---
 # Source: cozy-installer/templates/cozystack.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cozystack
+  namespace: cozy-system
+---
+# Source: cozy-installer/templates/cozystack.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -63,7 +70,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.2.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -82,7 +89,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.2.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/Makefile
+++ b/packages/apps/Makefile
@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/apps
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"

 fix-chartnames:
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -1,25 +0,0 @@
-apiVersion: v2
-name: clickhouse
-description: Managed ClickHouse service
-icon: https://cdn.worldvectorlogo.com/logos/clickhouse.svg
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "24.3.0"
--- a/packages/apps/clickhouse/templates/clickhouse.yaml
+++ b/packages/apps/clickhouse/templates/clickhouse.yaml
@@ -1,36 +0,0 @@
-apiVersion: "clickhouse.altinity.com/v1"
-kind: "ClickHouseInstallation"
-metadata:
-  name: "{{ .Release.Name }}"
-spec:
-  {{- with .Values.size }}
-  defaults:
-    templates:
-      dataVolumeClaimTemplate: data-volume-template
-  {{- end }}
-  configuration:
-    {{- with .Values.users }}
-    users:
-      {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
-      {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
-      {{- end }}
-    {{- end }}
-    profiles:
-      readonly/readonly: "1"
-    clusters:
-      - name: "clickhouse"
-        layout:
-          shardsCount: {{ .Values.shards }}
-          replicasCount: {{ .Values.replicas }}
-  {{- with .Values.size }}
-  templates:
-    volumeClaimTemplates:
-      - name: data-volume-template
-        spec:
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: {{ . }}
-  {{- end }}
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,10 +0,0 @@
-size: 10Gi
-shards: 1
-replicas: 2
-
-users:
-  user1:
-    password: strongpassword
-  user2:
-    readonly: true
-    password: hackme
--- a/packages/apps/http-cache/Chart.yaml
+++ b/packages/apps/http-cache/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.25.3"
+appVersion: "1.16.0"
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -1,20 +1,22 @@
+PUSH := 1
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-
-include ../../../scripts/common-envs.mk
+TAG := v0.2.0

 image: image-nginx

 image-nginx:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
 		--provenance false \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)-$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)-$(TAG) \
+		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/nginx-cache.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG))" > images/nginx-cache.tag
+	echo "$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)" > images/nginx-cache.tag

 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \
--- a/packages/apps/http-cache/images/nginx-cache.json
+++ b/packages/apps/http-cache/images/nginx-cache.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:9eb68d2d503d7e22afc6fde2635f566fd3456bbdb3caad5dc9f887be1dc2b8ab",
-  "containerimage.digest": "sha256:1f44274dbc2c3be2a98e6cef83d68a041ae9ef31abb8ab069a525a2a92702bdd"
+  "containerimage.config.digest": "sha256:0487fc50bb5f870720b05e947185424a400fad38b682af8f1ca4b418ed3c5b4b",
+  "containerimage.digest": "sha256:be12f3834be0e2f129685f682fab83c871610985fc43668ce6a294c9de603798"
 }
--- a/packages/apps/http-cache/templates/haproxy/configmap.yaml
+++ b/packages/apps/http-cache/templates/haproxy/configmap.yaml
@@ -74,7 +74,7 @@ data:
        option redispatch 1
        default-server observe layer7 error-limit 10 on-error mark-down

-        {{- range $i, $e := until (int $.Values.nginx.replicas) }}
+        {{- range $i, $e := until (int $.Values.replicas) }}
        server cache{{ $i }} {{ $.Release.Name }}-nginx-cache-{{ $i }}:80 check
        {{- end }}
        {{- range $i, $e := $.Values.endpoints }} 
--- a/packages/apps/http-cache/templates/haproxy/deployment.yaml
+++ b/packages/apps/http-cache/templates/haproxy/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.haproxy.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-haproxy
--- a/packages/apps/http-cache/templates/nginx/deployment.yaml
+++ b/packages/apps/http-cache/templates/nginx/deployment.yaml
@@ -11,7 +11,7 @@ spec:
  selector:
    matchLabels:
      app: {{ $.Release.Name }}-nginx-cache
-{{- range $i := until (int $.Values.nginx.replicas) }}
+{{- range $i := until 3 }}
 ---
 apiVersion: apps/v1
 kind: Deployment
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -1,10 +1,4 @@
 external: false
-
-haproxy:
-  replicas: 2
-nginx:
-  replicas: 2
-
 size: 10Gi
 endpoints:
  - 10.100.3.1:80
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -1,25 +0,0 @@
-apiVersion: v2
-name: kafka
-description: Managed Kafka service
-icon: https://upload.wikimedia.org/wikipedia/commons/0/05/Apache_kafka.svg
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "3.7.0"
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -1,53 +0,0 @@
-apiVersion: kafka.strimzi.io/v1beta2
-kind: Kafka
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  kafka:
-    replicas: {{ .Values.replicas }}
-    listeners:
-      - name: plain
-        port: 9092
-        type: internal
-        tls: false
-      - name: tls
-        port: 9093
-        type: internal
-        tls: true
-      - name: external
-        port: 9094
-        {{- if .Values.external }}
-        type: loadbalancer
-        {{- else }}
-        type: internal
-        {{- end }}
-        tls: false
-    config:
-      offsets.topic.replication.factor: 3
-      transaction.state.log.replication.factor: 3
-      transaction.state.log.min.isr: 2
-      default.replication.factor: 3
-      min.insync.replicas: 2
-    storage:
-      type: jbod
-      volumes:
-      - id: 0
-        type: persistent-claim
-        {{- with .Values.kafka.size }}
-        size: {{ . }}
-        {{- end }}
-        deleteClaim: true
-  zookeeper:
-    replicas: {{ .Values.replicas }}
-    storage:
-      type: persistent-claim
-      {{- with .Values.zookeeper.size }}
-      size: {{ . }}
-      {{- end }}
-      deleteClaim: false
-  entityOperator:
-    topicOperator: {}
-    userOperator: {}
--- a/packages/apps/kafka/templates/topics.yaml
+++ b/packages/apps/kafka/templates/topics.yaml
@@ -1,17 +0,0 @@
-{{- range $topic := .Values.topics }}
---
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaTopic
-metadata:
-  name: "{{ $.Release.Name }}-{{ kebabcase $topic.name }}"
-  labels:
-    strimzi.io/cluster: "{{ $.Release.Name }}"
-spec:
-  topicName: "{{ $topic.name }}"
-  partitions: 10
-  replicas: 3
-  {{- with $topic.config }}
-  config:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -1,22 +0,0 @@
-external: false
-kafka:
-  size: 10Gi
-  replicas: 3
-zookeeper:
-  size: 5Gi
-  replicas: 3
-
-topics:
-  - name: Results
-    partitions: 1
-    replicas: 3
-    config:
-      min.insync.replicas: 2
-  - name: Orders
-    config:
-      cleanup.policy: compact
-      segment.ms: 3600000
-      max.compaction.lag.ms: 5400000
-      min.insync.replicas: 2
-    partitions: 1
-    replicationFactor: 3
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.0"
+appVersion: "1.16.0"
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,17 +1,19 @@
+PUSH := 1
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
+TAG := v0.2.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1

-include ../../../scripts/common-envs.mk
-
 image: image-ubuntu-container-disk

 image-ubuntu-container-disk:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/ubuntu-container-disk \
 		--provenance false \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)) \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:latest \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG) \
+		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/ubuntu-container-disk.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))" > images/ubuntu-container-disk.tag
+	echo "$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)" > images/ubuntu-container-disk.tag
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.json
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:a7e8e6e35ac07bcf6253c9cfcf21fd3c315bd0653ad0427dd5f0cae95ffd3722",
-  "containerimage.digest": "sha256:c03bffeeb70fe7dd680d2eca3021d2405fbcd9961dd38437f5673560c31c72cc"
+  "containerimage.config.digest": "sha256:43d0bfd01c5e364ba961f1e3dc2c7ccd7fd4ca65bd26bc8c4a5298d7ff2c9f4f",
+  "containerimage.digest": "sha256:908b3c186bee86f1c9476317eb6582d07f19776b291aa068e5642f8fd08fa9e7"
 }
--- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
+++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
@@ -15,12 +15,6 @@ spec:
      labels:
        app: {{ .Release.Name }}-cluster-autoscaler
    spec:
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
      containers:
      - image: ghcr.io/kvaps/test:cluster-autoscaller
        name: cluster-autoscaler
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -64,13 +64,12 @@ metadata:
    cluster.x-k8s.io/managed-by: kamaji
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
-{{- range $groupName, $group := .Values.nodeGroups }}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ $.Release.Namespace }}
+  name: {{ .Release.Name }}-md-0
+  namespace: {{ .Release.Namespace }}
 spec:
  template:
    spec:
@@ -79,7 +78,7 @@ spec:
          kubeletExtraArgs: {}
        discovery:
          bootstrapToken:
-            apiServerEndpoint: {{ $.Release.Name }}.{{ $.Release.Namespace }}.svc:6443
+            apiServerEndpoint: {{ .Release.Name }}.{{ .Release.Namespace }}.svc:6443
      initConfiguration:
        skipPhases:
        - addon/kube-proxy
@@ -87,8 +86,8 @@ spec:
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ $.Release.Namespace }}
+  name: {{ .Release.Name }}-md-0
+  namespace: {{ .Release.Namespace }}
 spec:
  template:
    spec:
@@ -96,7 +95,7 @@ spec:
        checkStrategy: ssh
      virtualMachineTemplate:
        metadata:
-          namespace: {{ $.Release.Namespace }}
+          namespace: {{ .Release.Namespace }}
        spec:
          runStrategy: Always
          template:
@@ -104,7 +103,7 @@ spec:
              domain:
                cpu:
                  threads: 1
-                  cores: {{ $group.resources.cpu }}
+                  cores: 2
                  sockets: 1
                devices:
                  disks:
@@ -113,7 +112,7 @@ spec:
                    name: containervolume
                  networkInterfaceMultiqueue: true
                memory:
-                  guest: {{ $group.resources.memory }}
+                  guest: 1024Mi
              evictionStrategy: External
              volumes:
              - containerDisk:
@@ -123,28 +122,29 @@ spec:
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ $.Release.Namespace }}
+  name: {{ .Release.Name }}-md-0
+  namespace: {{ .Release.Namespace }}
  annotations:
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ $group.minReplicas }}"
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ $group.maxReplicas }}"
-    capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $group.resources.memory }}"
-    capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $group.resources.cpu }}"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "2"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "0"
+    capacity.cluster-autoscaler.kubernetes.io/memory: "1024Mi"
+    capacity.cluster-autoscaler.kubernetes.io/cpu: "2"
 spec:
-  clusterName: {{ $.Release.Name }}
+  clusterName: {{ .Release.Name }}
+  selector:
+    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
-          name: {{ $.Release.Name }}-{{ $groupName }}
+          name: {{ .Release.Name }}-md-0
          namespace: default
-      clusterName: {{ $.Release.Name }}
+      clusterName: {{ .Release.Name }}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
        kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ .Release.Name }}-md-0
        namespace: default
-      version: v1.29.0
-{{- end }}
+      version: v1.23.10
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -16,10 +16,12 @@ spec:
    spec:
      serviceAccountName: {{ .Release.Name }}-kcsi
      priorityClassName: system-cluster-critical
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
+        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: "NoSchedule"
      containers:
--- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml
@@ -12,12 +12,6 @@ spec:
    spec:
      serviceAccountName: {{ .Release.Name }}-flux-teardown
      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
      containers:
        - name: kubectl
          image: docker.io/clastix/kubectl:v1.29.1
--- a/packages/apps/kubernetes/templates/kccm/manager.yaml
+++ b/packages/apps/kubernetes/templates/kccm/manager.yaml
@@ -14,12 +14,6 @@ spec:
      labels:
        k8s-app: {{ .Release.Name }}-kccm
    spec:
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
      containers:
      - name: kubevirt-cloud-controller-manager
        args:
@@ -50,4 +44,6 @@ spec:
      - secret:
          secretName: {{ .Release.Name }}-admin-kubeconfig
        name: kubeconfig
+      tolerations:
+      - operator: Exists
      serviceAccountName: {{ .Release.Name }}-kccm
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -0,0 +1,11 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "host": {
+      "type": "string",
+      "title": "Domain name for this kubernetes cluster",
+      "description": "This host will be used for all apps deployed in this tenant"
+    }
+  }
+}
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,10 +1 @@
 host: ""
-controlPlane:
-  replicas: 2
-nodeGroups:
-  md0:
-    minReplicas: 0
-    maxReplicas: 10
-    resources:
-      cpu: 2
-      memory: 1024Mi
--- a/packages/apps/mysql/Chart.yaml
+++ b/packages/apps/mysql/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "11.0.2"
+appVersion: "1.16.0"
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -12,7 +12,7 @@ spec:

  port: 3306

-  replicas: {{ .Values.replicas }}
+  replicas: 2
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
@@ -28,13 +28,11 @@ spec:
            - {{ .Release.Name }}
        topologyKey: "kubernetes.io/hostname"

-  {{- if gt (int .Values.replicas) 1 }}
  replication:
    enabled: true
    #primary:
    #  podIndex: 0
    #  automaticFailover: true
-  {{- end }}

  metrics:
    enabled: true
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -1,8 +1,6 @@
 external: false
 size: 10Gi

-replicas: 2
-
 users:
  root:
    password: strongpassword
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "16.2"
+appVersion: "1.16.0"
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -4,7 +4,7 @@ kind: Cluster
 metadata:
  name: {{ .Release.Name }}
 spec:
-  instances: {{ .Values.replicas }}
+  instances: 2
  enableSuperuserAccess: true

  postgresql:
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -1,6 +1,5 @@
 external: false
 size: 10Gi
-replicas: 2

 users:
  user1:
--- a/packages/apps/rabbitmq/Chart.yaml
+++ b/packages/apps/rabbitmq/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "1.16.0"
--- a/packages/apps/rabbitmq/templates/rabbitmq.yaml
+++ b/packages/apps/rabbitmq/templates/rabbitmq.yaml
@@ -6,7 +6,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 3
  {{- if .Values.external }}
  service:
    type: LoadBalancer
--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -5,10 +5,6 @@
    "external": {
      "type": "boolean",
      "title": "Enable external Access"
-    },
-    "replicas": {
-      "type": "integer",
-      "title": "Replicas"
    }
  }
 }
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -1,2 +1 @@
-replicas: 3
 external: false
--- a/packages/apps/redis/Chart.yaml
+++ b/packages/apps/redis/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "6.2.6"
+appVersion: "1.16.0"
--- a/packages/apps/redis/templates/redisfailover.yaml
+++ b/packages/apps/redis/templates/redisfailover.yaml
@@ -14,7 +14,7 @@ spec:
      limits:
        memory: 100Mi
  redis:
-    replicas: {{ .Values.replicas }}
+    replicas: 3
    resources:
      requests:
        cpu: 150m
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -9,10 +9,6 @@
    "size": {
      "type": "string",
      "title": "Disk Size"
-    },
-    "replicas": {
-      "type": "integer",
-      "title": "Replicas"
    }
  }
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -1,3 +1,2 @@
-replicas: 2
 external: false
 size: 5Gi
--- a/packages/apps/tcp-balancer/Chart.yaml
+++ b/packages/apps/tcp-balancer/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.9.7"
+appVersion: "1.16.0"
--- a/packages/apps/tcp-balancer/templates/deployment.yaml
+++ b/packages/apps/tcp-balancer/templates/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-haproxy
--- a/packages/apps/tcp-balancer/values.yaml
+++ b/packages/apps/tcp-balancer/values.yaml
@@ -1,5 +1,4 @@
 external: false
-replicas: 2
 httpAndHttps:
  mode: tcp
  targetPorts:
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -1,26 +1,15 @@
-clickhouse 0.1.0 ca79f72
-clickhouse 0.2.0 HEAD
-http-cache 0.1.0 a956713
-http-cache 0.2.0 HEAD
-kafka 0.1.0 HEAD
-kubernetes 0.1.0 f642698
-kubernetes 0.2.0 HEAD
+http-cache 0.1.0 HEAD
+kubernetes 0.1.0 HEAD
 mysql 0.1.0 f642698
-mysql 0.2.0 8b975ff0
-mysql 0.3.0 HEAD
-postgres 0.1.0 f642698
-postgres 0.2.0 HEAD
-rabbitmq 0.1.0 f642698
-rabbitmq 0.2.0 HEAD
-redis 0.1.1 f642698
-redis 0.2.0 HEAD
-tcp-balancer 0.1.0 f642698
-tcp-balancer 0.2.0 HEAD
+mysql 0.2.0 HEAD
+postgres 0.1.0 HEAD
+rabbitmq 0.1.0 HEAD
+redis 0.1.1 HEAD
+tcp-balancer 0.1.0 HEAD
 tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 HEAD
-vpn 0.1.0 f642698
-vpn 0.2.0 HEAD
+vpn 0.1.0 HEAD
--- a/packages/apps/vpn/Chart.yaml
+++ b/packages/apps/vpn/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vpn
-description: Managed VPN service
+description: Establish a connection from your computer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png

 # A chart can be either an 'application' or a 'library' chart.
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.8.1"
+appVersion: "1.16.0"
--- a/packages/apps/vpn/templates/deployment.yaml
+++ b/packages/apps/vpn/templates/deployment.yaml
@@ -4,7 +4,7 @@ kind: Deployment
 metadata:
  name: {{ .Release.Name }}-vpn
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-vpn
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -1,5 +1,4 @@
 external: false
-replicas: 2

 users:
  user1:
--- a/packages/core/Makefile
+++ b/packages/core/Makefile
@@ -0,0 +1,6 @@
+VERSION := 0.2.0
+
+gen: fix-chartnames
+	
+fix-chartnames:
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: $(VERSION)\n" "$$i" > "$$i/Chart.yaml"; done
--- a/packages/core/fluxcd/Chart.yaml
+++ b/packages/core/fluxcd/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-fluxcd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/core/fluxcd/Makefile
+++ b/packages/core/fluxcd/Makefile
@@ -1,5 +1,5 @@
+NAMESPACE=cozy-fluxcd
 NAME=fluxcd
-NAMESPACE=cozy-$(NAME)

 API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))

--- a/packages/core/installer/Chart.yaml
+++ b/packages/core/installer/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-installer
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -1,10 +1,11 @@
-NAME=installer
 NAMESPACE=cozy-system
-
+NAME=installer
+PUSH := 1
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
+TAG := v0.2.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)

-include ../../../scripts/common-envs.mk
-
 show:
 	helm template -n $(NAMESPACE) $(NAME) .

@@ -23,37 +24,37 @@ image-cozystack:
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
+		--tag $(REGISTRY)/cozystack:$(TAG) \
+		--cache-from type=registry,ref=$(REGISTRY)/cozystack:$(TAG) \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/cozystack:$(call settag,$(TAG))" > images/cozystack.tag
+	echo "$(REGISTRY)/cozystack:$(TAG)" > images/cozystack.tag

 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
-	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)
+	docker push ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)

 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TAG)) \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION)-$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/matchbox:latest \
+		--tag $(REGISTRY)/matchbox:$(TAG) \
+		--tag $(REGISTRY)/matchbox:$(TALOS_VERSION)-$(TAG) \
+		--cache-from type=registry,ref=$(REGISTRY)/matchbox:$(TALOS_VERSION) \
 		--cache-to type=inline \
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION))" > images/matchbox.tag
+	echo "$(REGISTRY)/matchbox:$(TALOS_VERSION)" > images/matchbox.tag

-assets: talos-iso talos-nocloud
+assets: talos-iso

-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud:
+talos-initramfs talos-kernel talos-installer talos-iso:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
 		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
--- a/packages/core/installer/hack/gen-profiles.sh
+++ b/packages/core/installer/hack/gen-profiles.sh
@@ -2,7 +2,7 @@
 set -e
 set -u

-PROFILES="initramfs kernel iso installer nocloud"
+PROFILES="initramfs kernel iso installer"
 FIRMWARES="amd-ucode amdgpu-firmware bnx2-bnx2x i915-ucode intel-ice-firmware intel-ucode qlogic-firmware"
 EXTENSIONS="drbd zfs"

@@ -32,14 +32,6 @@ done

 for profile in $PROFILES; do
  echo "writing profile images/talos/profiles/$profile.yaml"
-  if [ "$profile" = "nocloud" ]; then
-    image_options="{ diskSize: 1306525696, diskFormat: raw }"
-    out_format=".xz"
-  else
-    image_options="{}"
-    out_format="raw"
-  fi
-
  cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
 # do not edit it
@@ -66,7 +58,6 @@ input:
    - imageRef: ghcr.io/siderolabs/zfs:${ZFS_VERSION}
 output:
  kind: ${profile}
-  imageOptions: ${image_options}
-  outFormat: ${out_format}
+  outFormat: raw
 EOT
 done
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:aefc3ca9f56f69270d7ce6f56a1ce5b531332d5641481eb54c8e74b66b0f3341",
-  "containerimage.digest": "sha256:a2bf43cb7eb812166edfeb1a4fae6a76a4ddba93be2c0ba9040a804ccb53c261"
+  "containerimage.config.digest": "sha256:326a169fb5d4277a5c3b0359e0c885b31d1360b58475bbc316be1971c710cd8d",
+  "containerimage.digest": "sha256:a608bdb75b3e06f6365f5f0b3fea82ac93c564d11f316f17e3d46e8a497a321d"
 }
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.4.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.2.0
--- a/packages/core/installer/images/matchbox.json
+++ b/packages/core/installer/images/matchbox.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:68ea72fcc581352fabfd87fa6fd482968cc85ee520cab7a614f1244d7ae36eb0",
-  "containerimage.digest": "sha256:cea915e08a19eb6892f3facf3b3648368cd4a05abefc49bc2616ba3340c27e82"
+  "containerimage.config.digest": "sha256:dc584f743bb73e04dcbebca7ab4f602f2c067190fd9609c3fd84412e83c20445",
+  "containerimage.digest": "sha256:39ab0bf769b269a8082eeb31a9672e39caa61dd342ba2157b954c642f54a32ff"
 }
--- a/packages/core/installer/images/matchbox.tag
+++ b/packages/core/installer/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v1.7.1
+ghcr.io/aenix-io/cozystack/matchbox:v1.6.4
--- a/packages/core/installer/images/talos/profiles/initramfs.yaml
+++ b/packages/core/installer/images/talos/profiles/initramfs.yaml
@@ -3,25 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.6.4
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.6.4
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
 output:
  kind: initramfs
-  imageOptions: {}
  outFormat: raw
--- a/packages/core/installer/images/talos/profiles/installer.yaml
+++ b/packages/core/installer/images/talos/profiles/installer.yaml
@@ -3,25 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.6.4
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.6.4
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
 output:
  kind: installer
-  imageOptions: {}
  outFormat: raw
--- a/packages/core/installer/images/talos/profiles/iso.yaml
+++ b/packages/core/installer/images/talos/profiles/iso.yaml
@@ -3,25 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.6.4
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.6.4
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
 output:
  kind: iso
-  imageOptions: {}
  outFormat: raw
--- a/packages/core/installer/images/talos/profiles/kernel.yaml
+++ b/packages/core/installer/images/talos/profiles/kernel.yaml
@@ -3,25 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.6.4
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.6.4
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
 output:
  kind: kernel
-  imageOptions: {}
  outFormat: raw
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -1,27 +0,0 @@
-# this file generated by hack/gen-profiles.sh
-# do not edit it
-arch: amd64
-platform: metal
-secureboot: false
-version: v1.7.1
-input:
-  kernel:
-    path: /usr/install/amd64/vmlinuz
-  initramfs:
-    path: /usr/install/amd64/initramfs.xz
-  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
-  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
-output:
-  kind: nocloud
-  imageOptions: { diskSize: 1306525696, diskFormat: raw }
-  outFormat: .xz
--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -12,6 +12,12 @@ metadata:
  name: cozystack
  namespace: cozy-system
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cozystack
+  namespace: cozy-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/packages/core/platform/Chart.yaml
+++ b/packages/core/platform/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-platform
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/core/platform/Makefile
+++ b/packages/core/platform/Makefile
@@ -1,5 +1,5 @@
-NAME=platform
 NAMESPACE=cozy-system
+NAME=platform

 API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))

--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -52,12 +52,6 @@ releases:
  privileged: true
  dependsOn: [cilium]

- name: etcd-operator
-  releaseName: etcd-operator
-  chart: cozy-etcd-operator
-  namespace: cozy-etcd-operator
-  dependsOn: [cilium,cert-manager]
-
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -26,12 +26,6 @@ releases:
  privileged: true
  dependsOn: [victoria-metrics-operator]

- name: etcd-operator
-  releaseName: etcd-operator
-  chart: cozy-etcd-operator
-  namespace: cozy-etcd-operator
-  dependsOn: [cert-manager]
-
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -81,12 +81,6 @@ releases:
  privileged: true
  dependsOn: [cilium,kubeovn]

- name: etcd-operator
-  releaseName: etcd-operator
-  chart: cozy-etcd-operator
-  namespace: cozy-etcd-operator
-  dependsOn: [cilium,kubeovn,cert-manager]
-
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -26,12 +26,6 @@ releases:
  privileged: true
  dependsOn: [victoria-metrics-operator]

- name: etcd-operator
-  releaseName: etcd-operator
-  chart: cozy-etcd-operator
-  namespace: cozy-etcd-operator
-  dependsOn: [cert-manager]
-
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -23,11 +23,9 @@ spec:
  interval: 1m
  releaseName: {{ $x.releaseName | default $x.name }}
  install:
-    crds: CreateReplace
    remediation:
      retries: -1
  upgrade:
-    crds: CreateReplace
    remediation:
      retries: -1
  chart:
--- a/packages/extra/Makefile
+++ b/packages/extra/Makefile
@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/extra
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"

 fix-chartnames:
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.0.0
+version: 1.0.0
--- a/packages/extra/etcd/templates/datastore.yaml
+++ b/packages/extra/etcd/templates/datastore.yaml
@@ -1,50 +0,0 @@
---
-apiVersion: kamaji.clastix.io/v1alpha1
-kind: DataStore
-metadata:
-  name: {{ .Release.Namespace }}
-spec:
-  driver: etcd
-  endpoints:
-  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc:2379
-  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc:2379
-  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc:2379
-  tlsConfig:
-    certificateAuthority:
-      certificate:
-        secretReference:
-          keyPath: tls.crt
-          name: etcd-ca-tls
-          namespace: {{ .Release.Namespace }}
-      privateKey:
-        secretReference:
-          keyPath: tls.key
-          name: etcd-ca-tls
-          namespace: {{ .Release.Namespace }}
-    clientCertificate:
-      certificate:
-        secretReference:
-          keyPath: tls.crt
-          name: etcd-client-tls
-          namespace: {{ .Release.Namespace }}
-      privateKey:
-        secretReference:
-          keyPath: tls.key
-          name: etcd-client-tls
-          namespace: {{ .Release.Namespace }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-ca-tls
-  annotations:
-    helm.sh/hook: pre-install
-    helm.sh/resource-policy: keep
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-client-tls
-  annotations:
-    helm.sh/hook: pre-install
-    helm.sh/resource-policy: keep
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -1,176 +0,0 @@
---
-apiVersion: etcd.aenix.io/v1alpha1
-kind: EtcdCluster
-metadata:
-  name: etcd
-spec:
-  storage: {}
-  security:
-    tls:
-      peerTrustedCASecret: etcd-peer-ca-tls
-      peerSecret: etcd-peer-tls
-      serverSecret: etcd-server-tls
-      clientTrustedCASecret: etcd-ca-tls
-      clientSecret: etcd-client-tls
-  podTemplate:
-    spec:
-      topologySpreadConstraints:
-      - maxSkew: 1
-        topologyKey: "kubernetes.io/hostname"
-        whenUnsatisfiable: ScheduleAnyway
-        labelSelector:
-          matchLabels:
-            app.kubernetes.io/instance: etcd
---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: etcd-selfsigning-issuer
-spec:
-  selfSigned: {}
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd-peer-ca
-spec:
-  isCA: true
-  usages:
-  - "signing"
-  - "key encipherment"
-  - "cert sign"
-  commonName: etcd-peer-ca
-  subject:
-    organizations:
-      - ACME Inc.
-    organizationalUnits:
-      - Widgets
-  secretName: etcd-peer-ca-tls
-  privateKey:
-    algorithm: RSA
-    size: 4096
-  issuerRef:
-    name: etcd-selfsigning-issuer
-    kind: Issuer
-    group: cert-manager.io
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd-ca
-spec:
-  isCA: true
-  usages:
-  - "signing"
-  - "key encipherment"
-  - "cert sign"
-  commonName: etcd-ca
-  subject:
-    organizations:
-      - ACME Inc.
-    organizationalUnits:
-      - Widgets
-  secretName: etcd-ca-tls
-  privateKey:
-    algorithm: RSA
-    size: 4096
-  issuerRef:
-    name: etcd-selfsigning-issuer
-    kind: Issuer
-    group: cert-manager.io
---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: etcd-peer-issuer
-spec:
-  ca:
-    secretName: etcd-peer-ca-tls
---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: etcd-issuer
-spec:
-  ca:
-    secretName: etcd-ca-tls
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd-server
-spec:
-  secretName: etcd-server-tls
-  isCA: false
-  usages:
-    - "server auth"
-    - "signing"
-    - "key encipherment"
-  dnsNames:
-  - etcd-0
-  - etcd-0.etcd-headless
-  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
-  - etcd-1
-  - etcd-1.etcd-headless
-  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
-  - etcd-2
-  - etcd-2.etcd-headless
-  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
-  - localhost
-  - "127.0.0.1"
-  privateKey:
-    rotationPolicy: Always
-    algorithm: RSA
-    size: 4096
-  issuerRef:
-    name: etcd-issuer
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd-peer
-spec:
-  secretName: etcd-peer-tls
-  isCA: false
-  usages:
-    - "server auth"
-    - "client auth"
-    - "signing"
-    - "key encipherment"
-  dnsNames:
-  - etcd-0
-  - etcd-0.etcd-headless
-  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
-  - etcd-1
-  - etcd-1.etcd-headless
-  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
-  - etcd-2
-  - etcd-2.etcd-headless
-  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
-  - localhost
-  - "127.0.0.1"
-  privateKey:
-    rotationPolicy: Always
-    algorithm: RSA
-    size: 4096
-  issuerRef:
-    name: etcd-peer-issuer
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd-client
-spec:
-  commonName: root
-  secretName: etcd-client-tls
-  usages:
-  - "signing"
-  - "key encipherment"
-  - "client auth"
-  privateKey:
-    rotationPolicy: Always
-    algorithm: RSA
-    size: 4096
-  issuerRef:
-    name: etcd-issuer
-    kind: Issuer
--- a/packages/extra/etcd/templates/kamaji-etcd.yaml
+++ b/packages/extra/etcd/templates/kamaji-etcd.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kamaji-etcd
+spec:
+  chart:
+    spec:
+      chart: cozy-kamaji-etcd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '*'
+  interval: 1m0s
+  timeout: 5m0s
+  values:
+    kamaji-etcd:
+      fullnameOverride: etcd
--- a/packages/extra/monitoring/templates/grafana/grafana.yaml
+++ b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -67,7 +67,7 @@ spec:
  ingress:
    metadata:
      annotations:
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+        kubernetes.io/ingress.class: "{{ $ingress }}"
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      ingressClassName: "{{ $ingress }}"
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,4 +1,3 @@
-etcd 1.0.0 f7eaab0
-etcd 2.0.0 HEAD
+etcd 1.0.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD
--- a/packages/system/Makefile
+++ b/packages/system/Makefile
@@ -1,12 +1,13 @@
 OUT=../../_out/repos/system
+VERSION := 0.2.0

-include ../../scripts/common-envs.mk
+gen: fix-chartnames

-repo:
+repo: fix-chartnames
 	rm -rf "$(OUT)"
 	mkdir -p "$(OUT)"
-	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")') --version $(VERSION)
+	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")')
 	cd "$(OUT)" && helm repo index .

 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: $(VERSION)\n" "$$i" > "$$i/Chart.yaml"; done
--- a/packages/system/capi-operator/Chart.yaml
+++ b/packages/system/capi-operator/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-capi-operator
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/system/capi-operator/Makefile
+++ b/packages/system/capi-operator/Makefile
@@ -1,7 +1,14 @@
 NAME=capi-operator
 NAMESPACE=cozy-cluster-api

-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .

 update:
 	rm -rf charts
--- a/packages/system/capi-providers/Chart.yaml
+++ b/packages/system/capi-providers/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-capi-providers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/system/capi-providers/Makefile
+++ b/packages/system/capi-providers/Makefile
@@ -1,4 +1,11 @@
 NAME=capi-providers
 NAMESPACE=cozy-cluster-api

-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
--- a/packages/system/capi-providers/templates/providers.yaml
+++ b/packages/system/capi-providers/templates/providers.yaml
@@ -13,7 +13,7 @@ spec:
  deployment:
    containers:
    - name: manager
-      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
+      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.6.0-fix7
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider
--- a/packages/system/cert-manager-issuers/Chart.yaml
+++ b/packages/system/cert-manager-issuers/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cert-manager-issuers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/system/cert-manager-issuers/Makefile
+++ b/packages/system/cert-manager-issuers/Makefile
@@ -1,4 +1,11 @@
 NAME=cert-manager-issuers
 NAMESPACE=cozy-cert-manager

-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
--- a/packages/system/cert-manager/Chart.yaml
+++ b/packages/system/cert-manager/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cert-manager
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/system/cert-manager/Makefile
+++ b/packages/system/cert-manager/Makefile
@@ -1,7 +1,14 @@
 NAME=cert-manager
-NAMESPACE=cozy-$(NAME)
+NAMESPACE=cozy-cert-manager

-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .

 update:
 	rm -rf charts
--- a/packages/system/cilium/Chart.yaml
+++ b/packages/system/cilium/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cilium
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/packages/system/cilium/Makefile
+++ b/packages/system/cilium/Makefile
@@ -1,7 +1,14 @@
+NAMESPACE=cozy-cilium
 NAME=cilium
-NAMESPACE=cozy-$(NAME)

-include ../../../scripts/package-system.mk
+show:
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm template --dry-run=server -n $(NAMESPACE) $(NAME) . -f -
+
+apply:
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm upgrade -i -n $(NAMESPACE) $(NAME) . -f -
+
+diff:
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) . -f -

 update:
 	rm -rf charts
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -122,7 +122,7 @@ annotations:
      description: |
        CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.10
+appVersion: 1.14.9
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.10
+version: 1.14.9
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium

-![Version: 1.14.10](https://img.shields.io/badge/Version-1.14.10-informational?style=flat-square) ![AppVersion: 1.14.10](https://img.shields.io/badge/AppVersion-1.14.10-informational?style=flat-square)
+![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)

 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -131,7 +131,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.11","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.10","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.10","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -419,7 +419,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.10","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -511,7 +511,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -596,7 +596,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. |
+| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -619,7 +619,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14","awsDigest":"sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6","azureDigest":"sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4","genericDigest":"sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.10","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -666,7 +666,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -61,7 +61,7 @@ spec:
        image: {{ include "cilium.image" .Values.envoy.image | quote }}
        imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
        command:
-        - /usr/bin/cilium-envoy-starter
+        - /usr/bin/cilium-envoy
        args:
        - '-c /var/run/cilium/envoy/bootstrap-config.json'
        - '--base-id 0'
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -143,10 +143,10 @@ rollOutCiliumPods: false
 image:
  override: ~
  repository: "quay.io/cilium/cilium"
-  tag: "v1.14.10"
+  tag: "v1.14.9"
  pullPolicy: "IfNotPresent"
  # cilium-digest
-  digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
+  digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
  useDigest: true

 # -- Affinity for cilium-agent.
@@ -933,8 +933,8 @@ certgen:
  image:
    override: ~
    repository: "quay.io/cilium/certgen"
-    tag: "v0.1.11"
-    digest: "sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6"
+    tag: "v0.1.9"
+    digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
    useDigest: true
    pullPolicy: "IfNotPresent"
  # -- Seconds after which the completed job pod will be deleted
@@ -1109,9 +1109,9 @@ hubble:
    image:
      override: ~
      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.14.10"
+      tag: "v1.14.9"
       # hubble-relay-digest
-      digest: "sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0"
+      digest: "sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa"
      useDigest: true
      pullPolicy: "IfNotPresent"

@@ -1853,9 +1853,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "IfNotPresent"
-    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true

  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2269,15 +2269,15 @@ operator:
  image:
    override: ~
    repository: "quay.io/cilium/operator"
-    tag: "v1.14.10"
+    tag: "v1.14.9"
    # operator-generic-digest
-    genericDigest: "sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909"
+    genericDigest: "sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712"
    # operator-azure-digest
-    azureDigest: "sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4"
+    azureDigest: "sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17"
    # operator-aws-digest
-    awsDigest: "sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6"
+    awsDigest: "sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec"
    # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14"
+    alibabacloudDigest: "sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5"
    useDigest: true
    pullPolicy: "IfNotPresent"
    suffix: ""
@@ -2468,8 +2468,6 @@ nodeinit:
    override: ~
    repository: "quay.io/cilium/startup-script"
    tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
-    digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2"
-    useDigest: true
    pullPolicy: "IfNotPresent"

  # -- The priority class to use for the nodeinit pod.
@@ -2556,9 +2554,9 @@ preflight:
  image:
    override: ~
    repository: "quay.io/cilium/cilium"
-    tag: "v1.14.10"
+    tag: "v1.14.9"
    # cilium-digest
-    digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
+    digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
    useDigest: true
    pullPolicy: "IfNotPresent"

@@ -2706,9 +2704,9 @@ clustermesh:
    image:
      override: ~
      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.14.10"
+      tag: "v1.14.9"
      # clustermesh-apiserver-digest
-      digest: "sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798"
+      digest: "sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3"
      useDigest: true
      pullPolicy: "IfNotPresent"

@@ -2753,9 +2751,9 @@ clustermesh:
      image:
        override: ~
        repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.14.10"
+        tag: "v1.14.9"
        # kvstoremesh-digest
-        digest: "sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070"
+        digest: "sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22"
        useDigest: true
        pullPolicy: "IfNotPresent"

--- a/packages/system/cilium/charts/cilium/values.yaml.tmpl
+++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl
@@ -1854,9 +1854,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "${PULL_POLICY}"
-    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true

  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2469,8 +2469,6 @@ nodeinit:
    override: ~
    repository: "${CILIUM_NODEINIT_REPO}"
    tag: "${CILIUM_NODEINIT_VERSION}"
-    digest: "${CILIUM_NODEINIT_DIGEST}"
-    useDigest: true
    pullPolicy: "${PULL_POLICY}"

  # -- The priority class to use for the nodeinit pod.
--- a/packages/system/clickhouse-operator/Chart.yaml
+++ b/packages/system/clickhouse-operator/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-clickhouse-operator
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.3.0
--- a/packages/system/clickhouse-operator/Makefile
+++ b/packages/system/clickhouse-operator/Makefile
@@ -1,7 +1,14 @@
 NAME=clickhouse-operator
 NAMESPACE=cozy-clickhouse-operator

-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .

 update:
 	rm -rf charts
--- a/packages/system/clickhouse-operator/values.yaml
+++ b/packages/system/clickhouse-operator/values.yaml
@@ -1,6 +0,0 @@
-altinity-clickhouse-operator:
-  configs:
-    files:
-      config.yaml:
-        watch:
-          namespaces: [".*"]
--- a/packages/system/dashboard/Chart.yaml
+++ b/packages/system/dashboard/Chart.yaml
@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-dashboard
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 0.2.0
--- a/Show More
+++ b/Show More