Add nats-operator

FerretDB

Makefile

@@ -3,6 +3,8 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
+	make -C packages/system/cilium image
+	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image
 	make manifests

hack/e2e.sh

@@ -0,0 +1,318 @@
+#!/bin/bash
+if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then
+  echo 'COZYSTACK_INSTALLER_YAML variable is not set!' >&2
+  echo 'please set it with following command:' >&2
+  echo >&2
+  echo 'export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2
+  echo >&2
+  exit 1
+fi
+
+if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
+  echo "IPv4 forwarding is not enabled!" >&2
+  echo 'please enable forwarding with the following command:' >&2
+  echo >&2
+  echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >&2
+  echo >&2
+  exit 1
+fi
+
+set -x
+set -e
+
+kill `cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid` || true
+
+ip link del cozy-br0 || true
+ip link add cozy-br0 type bridge
+ip link set cozy-br0 up
+ip addr add 192.168.123.1/24 dev cozy-br0
+
+# Enable forward & masquerading
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE
+
+rm -rf srv1 srv2 srv3
+mkdir -p srv1 srv2 srv3
+
+# Prepare cloud-init
+for i in 1 2 3; do
+  echo "local-hostname: srv$i" > "srv$i/meta-data"
+  echo '#cloud-config' > "srv$i/user-data"
+  cat > "srv$i/network-config" <<EOT
+version: 2
+ethernets:
+  eth0:
+    dhcp4: false
+    addresses:
+      - "192.168.123.1$i/26"
+    gateway4: "192.168.123.1"
+    nameservers:
+      search: [cluster.local]
+      addresses: [8.8.8.8]
+EOT
+
+  ( cd srv$i && genisoimage \
+      -output seed.img \
+      -volid cidata -rational-rock -joliet \
+      user-data meta-data network-config
+  )
+done
+
+# Prepare system drive
+if [ ! -f nocloud-amd64.raw ]; then
+  wget https://github.com/aenix-io/cozystack/releases/latest/download/nocloud-amd64.raw.xz -O nocloud-amd64.raw.xz
+  rm -f nocloud-amd64.raw
+  xz --decompress nocloud-amd64.raw.xz
+fi
+for i in 1 2 3; do
+  cp nocloud-amd64.raw srv$i/system.img
+  qemu-img resize srv$i/system.img 20G
+done
+
+# Prepare data drives
+for i in 1 2 3; do
+  qemu-img create srv$i/data.img 100G
+done
+
+# Prepare networking
+for i in 1 2 3; do
+  ip link del cozy-srv$i || true
+  ip tuntap add dev cozy-srv$i mode tap
+  ip link set cozy-srv$i up
+  ip link set cozy-srv$i master cozy-br0
+done
+
+# Start VMs
+for i in 1 2 3; do
+  qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
+    -device virtio-net,netdev=net0,mac=52:54:00:12:34:5$i -netdev tap,id=net0,ifname=cozy-srv$i,script=no,downscript=no \
+    -drive file=srv$i/system.img,if=virtio,format=raw \
+    -drive file=srv$i/seed.img,if=virtio,format=raw \
+    -drive file=srv$i/data.img,if=virtio,format=raw \
+    -display none -daemonize -pidfile srv$i/qemu.pid
+done
+
+sleep 5
+
+# Wait for VM to start up
+timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
+
+cat > patch.yaml <<\EOT
+machine:
+  kubelet:
+    nodeIP:
+      validSubnets:
+      - 192.168.123.0/24
+    extraConfig:
+      maxPods: 512
+  kernel:
+    modules:
+    - name: openvswitch
+    - name: drbd
+      parameters:
+        - usermode_helper=disabled
+    - name: zfs
+    - name: spl
+  install:
+    image: ghcr.io/aenix-io/cozystack/talos:v1.7.1
+  files:
+  - content: |
+      [plugins]
+        [plugins."io.containerd.grpc.v1.cri"]
+          device_ownership_from_security_context = true      
+    path: /etc/cri/conf.d/20-customization.part
+    op: create
+
+cluster:
+  network:
+    cni:
+      name: none
+    dnsDomain: cozy.local
+    podSubnets:
+    - 10.244.0.0/16
+    serviceSubnets:
+    - 10.96.0.0/16
+EOT
+
+cat > patch-controlplane.yaml <<\EOT
+machine:
+  network:
+    interfaces:
+    - interface: eth0
+      vip:
+        ip: 192.168.123.10
+cluster:
+  allowSchedulingOnControlPlanes: true
+  controllerManager:
+    extraArgs:
+      bind-address: 0.0.0.0
+  scheduler:
+    extraArgs:
+      bind-address: 0.0.0.0
+  apiServer:
+    certSANs:
+    - 127.0.0.1
+  proxy:
+    disabled: true
+  discovery:
+    enabled: false
+  etcd:
+    advertisedSubnets:
+    - 192.168.123.0/24
+EOT
+
+# Gen configuration
+if [ ! -f secrets.yaml ]; then
+  talosctl gen secrets
+fi
+
+rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
+talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml
+export TALOSCONFIG=$PWD/talosconfig
+
+# Apply configuration
+talosctl apply -f controlplane.yaml -n 192.168.123.11 -e 192.168.123.11 -i
+talosctl apply -f controlplane.yaml -n 192.168.123.12 -e 192.168.123.12 -i
+talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i
+
+# Wait for VM to be configured
+timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
+
+# Bootstrap
+talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11
+
+# Wait for etcd
+timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+
+rm -f kubeconfig
+talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
+export KUBECONFIG=$PWD/kubeconfig
+
+# Wait for kubernetes nodes appear
+timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done'
+kubectl create ns cozy-system
+kubectl create -f - <<\EOT
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cozystack
+  namespace: cozy-system
+data:
+  bundle-name: "paas-full"
+  ipv4-pod-cidr: "10.244.0.0/16"
+  ipv4-pod-gateway: "10.244.0.1"
+  ipv4-svc-cidr: "10.96.0.0/16"
+  ipv4-join-cidr: "100.64.0.0/16"
+EOT
+
+#
+echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f -
+
+# wait for cozystack pod to start
+kubectl wait deploy  --timeout=1m --for=condition=available -n cozy-system cozystack
+
+# wait for helmreleases appear
+timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done'
+
+sleep 5
+
+kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
+# Wait for linstor controller
+kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller
+
+# Wait for all linstor nodes become Online
+timeout 60 sh -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) = 3 ]; do sleep 1; done'
+
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv1 /dev/vdc --pool-name data --storage-pool data
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv2 /dev/vdc --pool-name data --storage-pool data
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv3 /dev/vdc --pool-name data --storage-pool data
+
+kubectl create -f- <<EOT
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: local
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: linstor.csi.linbit.com
+parameters:
+  linstor.csi.linbit.com/storagePool: "data"
+  linstor.csi.linbit.com/layerList: "storage"
+  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: replicated
+provisioner: linstor.csi.linbit.com
+parameters:
+  linstor.csi.linbit.com/storagePool: "data"
+  linstor.csi.linbit.com/autoPlace: "3"
+  linstor.csi.linbit.com/layerList: "drbd storage"
+  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
+  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
+  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
+  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
+  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+EOT
+kubectl create -f- <<EOT
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: cozystack
+  namespace: cozy-metallb
+spec:
+  ipAddressPools:
+  - cozystack
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cozystack
+  namespace: cozy-metallb
+spec:
+  addresses:
+  - 192.168.123.200-192.168.123.250
+  autoAssign: true
+  avoidBuggyIPs: false
+EOT
+
+kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":{
+  "host": "example.org",
+  "ingress": true,
+  "monitoring": true,
+  "etcd": true
+}}}'
+
+# Wait for HelmRelease be created
+timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done'
+
+# Wait for HelmReleases be installed
+kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
+
+# Wait for nginx-ingress-controller
+timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
+kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller
+
+# Wait for etcd
+kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
+
+# Wait for Victoria metrics
+kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+
+# Wait for grafana
+kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db
+kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy grafana-deployment 
+
+# Get IP of nginx-ingress
+ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.status.loadBalancer.ingress..ip}')
+
+# Check Grafana
+curl -sS -k "https://$ip" -H 'Host: grafana.example.org' | grep Found

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/Makefile

@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"
 
 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -maxdepth 2 -name Chart.yaml  | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
 
 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -14,6 +14,7 @@ spec:
       {{- range $name, $u := . }}
       {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
+      {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
     {{- end }}
     profiles:

packages/apps/ferretdb/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
-name: kube-ovn
+name: ferretdb
-description: Helm chart for Kube-OVN
+description: Managed FerretDB service
+icon: ferretdb.svg
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.13.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.13.0"
+appVersion: "1.22.0"

packages/apps/ferretdb/Makefile

@@ -0,0 +1,2 @@
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/ferretdb/README.md

@@ -0,0 +1,34 @@
+# Managed FerretDB Service
+
+## Parameters
+
+### Common parameters
+
+| Name                     | Description                                                                                                             | Value   |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`               | Enable external access from outside the cluster                                                                         | `false` |
+| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
+| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
+
+### Configuration parameters
+
+| Name    | Description         | Value |
+| ------- | ------------------- | ----- |
+| `users` | Users configuration | `{}`  |
+
+### Backup parameters
+
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable pereiodic backups                       | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+
+

packages/apps/ferretdb/ferretdb.svg

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="200mm"
+   height="195.323mm"
+   viewBox="0 0 200 195.323"
+   version="1.1"
+   id="svg948"
+   inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
+   sodipodi:docname="ferretdb.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview950"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:document-units="mm"
+     showgrid="false"
+     inkscape:zoom="0.64052329"
+     inkscape:cx="-69.474445"
+     inkscape:cy="579.99452"
+     inkscape:window-width="3440"
+     inkscape:window-height="1387"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1" />
+  <defs
+     id="defs945" />
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1">
+    <path
+       d="M 95.871302,0.25836635 C 73.52529,3.312081 51.107429,17.502874 38.138123,36.831094 c -2.083712,3.125567 -5.676318,9.628178 -5.676318,10.274847 0,0.0719 1.724451,-0.970003 3.808162,-2.335187 25.651206,-16.921175 56.260205,-20.046742 81.156963,-8.298921 5.42484,2.550751 8.83781,5.029648 13.68783,9.879665 8.15521,8.191137 14.11894,19.148592 18.25044,33.554942 2.15556,7.400765 3.95187,17.495992 4.4189,24.35786 0.10778,1.86816 0.39518,3.52075 0.57482,3.62853 1.00593,0.61075 5.53261,-5.96372 8.73003,-12.645965 5.06558,-10.634111 7.43669,-21.0886 7.40077,-32.692714 -0.036,-16.418213 -5.71224,-30.213814 -17.13674,-41.710153 C 143.22184,10.640997 130.43216,3.6354156 117.03174,0.90503536 113.90617,0.29429263 111.6069,0.11466224 105.75097,0.00688441 101.69132,-0.02904391 97.272414,0.07873086 95.871302,0.25836635 Z"
+       id="path824"
+       style="fill:#216778;stroke-width:0.0359261" />
+    <path
+       d="m 48.377049,48.219658 c -2.335194,1.149625 -6.251134,4.742233 -9.700036,8.873735 -1.54482,1.832222 -3.880014,4.095564 -5.604464,5.388902 -4.02372,3.017795 -10.885597,9.735963 -14.370424,14.083015 -18.1785821,22.525641 -23.2441594,48.21277 -14.585984,74.00768 7.113359,21.12453 23.567499,35.13569 48.859444,41.4946 9.843739,2.51482 24.60935,3.91593 30.788632,2.94593 l 1.580747,-0.25148 -2.442972,-1.43704 C 69.42972,185.49312 60.017093,172.27233 57.39449,157.57857 c -0.790373,-4.45483 -0.826299,-12.35856 -0.03593,-16.70562 1.760377,-9.77189 6.682247,-18.7534 13.364494,-24.35786 3.125567,-2.6226 8.586328,-5.31706 12.933381,-6.35891 6.538543,-1.58075 10.526335,-3.37705 14.657827,-6.64633 2.658538,-2.0837 4.993728,-5.2452 6.933738,-9.340763 1.65259,-3.484834 5.17335,-14.550063 5.17335,-16.310439 0,-1.221482 -1.25742,-2.874082 -3.05372,-3.987789 -0.93408,-0.574812 -2.40705,-0.898147 -6.17927,-1.293338 C 84.949773,70.888992 76.866409,67.943063 67.094521,60.218953 65.693406,59.105246 64.00488,57.847837 63.322285,57.416727 62.639691,57.021536 61.2745,55.512639 60.340423,54.111526 c -2.838159,-4.131492 -6.358912,-6.790025 -9.053367,-6.825953 -0.574817,0 -1.904081,0.431119 -2.910011,0.934085 z m 17.639695,16.633763 c 1.221486,0.610741 2.55075,1.401113 2.981863,1.724447 l 0.790373,0.646669 -1.257411,5.029649 c -1.077783,4.38298 -1.257413,5.496687 -1.149634,8.622257 0.107777,3.089642 0.215555,3.77223 0.934077,4.778161 1.18556,1.616673 3.233345,2.586676 5.532613,2.586676 3.269271,0 5.820021,-1.86815 10.059296,-7.436693 1.221486,-1.580744 2.19149,-2.442973 3.628532,-3.125571 2.227415,-1.113706 3.808162,-1.221481 8.765958,-0.790372 l 3.305202,0.323335 v 1.940007 c 0,3.053724 1.616677,4.814099 4.921857,5.317065 l 1.58075,0.21555 -0.57481,1.329266 c -2.51483,6.071499 -8.981521,12.93338 -15.05302,15.987093 -0.970004,0.46703 -3.161494,1.32926 -4.850018,1.90408 -2.766306,0.89815 -3.520754,1.00593 -8.262994,1.00593 -4.706313,0 -5.496687,-0.10778 -8.083363,-0.97001 -7.795954,-2.58667 -13.58005,-8.334832 -16.202652,-16.058942 -0.934077,-2.73038 -0.970004,-10.670039 -0.03593,-13.975231 1.257413,-4.562611 3.484828,-8.33485 5.820023,-9.80782 1.508893,-0.970003 4.311126,-0.646669 7.149285,0.754454 z"
+       id="path826"
+       style="fill:#216778;stroke-width:0.0359261" />
+    <path
+       d="m 181.55494,78.397542 c 0,1.616673 -1.7963,9.089295 -3.30519,13.759681 -5.67632,17.495987 -15.95117,33.195677 -29.35159,44.656087 -9.41263,8.08336 -16.09488,11.64004 -26.69306,14.26265 -6.82596,1.68852 -11.28078,2.22741 -19.93897,2.44297 -10.813737,0.2874 -21.483776,-0.6826 -31.040108,-2.76631 -1.832229,-0.39519 -3.377049,-0.64667 -3.484828,-0.53889 -0.431112,0.39519 1.221487,5.89187 2.658529,8.80189 2.622602,5.38891 5.604466,9.41262 10.921522,14.72968 5.604465,5.60446 9.771888,8.6941 16.238576,12.03522 16.023019,8.263 34.417169,9.37671 53.278339,3.1615 19.90304,-6.50262 34.52495,-18.25043 42.39275,-34.05791 5.24521,-10.4904 7.40077,-21.69934 6.6104,-34.489 -0.97001,-15.77155 -6.79003,-31.219754 -15.23265,-40.344967 -1.32926,-1.437041 -2.55075,-2.586676 -2.73038,-2.586676 -0.17963,0 -0.32334,0.431109 -0.32334,0.934075 z"
+       id="path828"
+       style="fill:#216778;stroke-width:0.0359261" />
+  </g>
+</svg>

packages/apps/ferretdb/templates/backup-cronjob.yaml

@@ -0,0 +1,99 @@
+{{- if .Values.backup.enabled }}
+{{ $image := .Files.Get "images/backup.json" | fromJson }}
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-backup
+spec:
+  schedule: "{{ .Values.backup.schedule }}"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        spec:
+          restartPolicy: OnFailure
+      template:
+        metadata:
+          annotations:
+            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
+            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: mysqldump
+            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+            command:
+            - /bin/sh
+            - /scripts/backup.sh
+            env:
+            - name: REPO_PREFIX
+              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
+            - name: CLEANUP_STRATEGY
+              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-postgres-superuser
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-postgres-superuser
+                  key: password
+            - name: PGHOST
+              value: {{ .Release.Name }}-postgres-rw
+            - name: PGPORT
+              value: "5432"
+            - name: PGDATABASE
+              value: postgres
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3AccessKey
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3SecretKey
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.backup.s3Region }}
+            - name: RESTIC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: resticPassword
+            volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /.cache
+              name: cache
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+          volumes:
+          - name: scripts
+            secret:
+              secretName: {{ .Release.Name }}-backup-script
+          - name: tmp
+            emptyDir: {}
+          - name: cache
+            emptyDir: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 9000
+            runAsGroup: 9000
+            seccompProfile:
+              type: RuntimeDefault
+{{- end }}

packages/apps/ferretdb/templates/backup-script.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup-script
+stringData:
+  backup.sh: |
+    #!/bin/sh
+    set -e
+    set -o pipefail
+
+    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
+    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
+    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
+    echo "Job ID: $JOB_ID"
+    echo "Target repo: $REPO_PREFIX"
+    echo "Cleanup strategy: $CLEANUP_STRATEGY"
+    echo "Start backup for:"
+    echo "$DB_LIST"
+    echo
+    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
+          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
+        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
+        pg_dump -Z0 -Ft -d "$db" | \
+          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
+        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
+      )
+    done
+    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+
+    echo
+    echo "Run cleanup:"
+    echo
+
+    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
+        restic prune -r "s3:${REPO_PREFIX}/$db"
+      )
+    done
+    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+{{- end }}

packages/apps/ferretdb/templates/backup-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup
+stringData:
+  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
+  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
+  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+{{- end }}

packages/apps/ferretdb/templates/external-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+  {{- if .Values.external }}
+  externalTrafficPolicy: Local
+  allocateLoadBalancerNodePorts: false
+  {{- end }}
+  ports:
+  - name: ferretdb
+    port: 27017
+  selector:
+    app: {{ .Release.Name }}

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      containers:
+      - name: ferretdb
+        image: ghcr.io/ferretdb/ferretdb:1.22.0
+        ports:
+        - containerPort: 27017
+        env:
+          - name: FERRETDB_POSTGRESQL_URL
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-postgres-app
+                key: uri

packages/apps/ferretdb/templates/init-job.yaml

@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-init-job
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ .Release.Name }}-init-job
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: postgres
+        image: ghcr.io/cloudnative-pg/postgresql:15.3
+        command:
+        - bash
+        - /scripts/init.sh
+        env:
+        - name: PGUSER
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-postgres-superuser
+              key: username
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-postgres-superuser
+              key: password
+        - name: PGHOST
+          value: {{ .Release.Name }}-postgres-rw
+        - name: PGPORT
+          value: "5432"
+        - name: PGDATABASE
+          value: postgres
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /etc/secret
+          name: secret
+        - mountPath: /scripts
+          name: scripts
+      securityContext:
+        fsGroup: 26
+        runAsGroup: 26
+        runAsNonRoot: true
+        runAsUser: 26
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+      - name: secret
+        secret:
+          secretName: {{ .Release.Name }}-postgres-superuser
+      - name: scripts
+        secret:
+          secretName: {{ .Release.Name }}-init-script

packages/apps/ferretdb/templates/init-script.yaml

@@ -0,0 +1,104 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-init-script
+stringData:
+  init.sh: |
+    #!/bin/bash
+    set -e
+    echo "== create users"
+    {{- if .Values.users }}
+    psql -v ON_ERROR_STOP=1 <<\EOT
+    {{- range $user, $u := .Values.users }}
+    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
+    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
+    {{- end }}
+    EOT
+    {{- end }}
+
+    echo "== delete users"
+    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
+    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
+    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
+
+    echo "users to delete: $DELETE_USERS"
+    for user in $DELETE_USERS; do
+    # https://stackoverflow.com/a/51257346/2931267
+    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
+    REASSIGN OWNED BY $user TO postgres;
+    DROP OWNED BY $user;
+    DROP USER $user;
+    EOT
+    done
+    
+    echo "== create roles"
+    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
+    SELECT 'CREATE ROLE app_admin NOINHERIT;'
+    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
+    COMMENT ON ROLE app_admin IS 'role managed by helm';
+    EOT
+
+    echo "== grant privileges on databases to roles"
+    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
+    ALTER DATABASE app OWNER TO app_admin;
+
+    DO $$
+    DECLARE
+        schema_record record;
+    BEGIN
+        -- Loop over all schemas
+        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
+            -- Changing Schema Ownership
+            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
+    
+            -- Add rights for the admin role
+            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
+        END LOOP;
+    END$$;
+    EOT
+
+    echo "== setup event trigger for schema creation"
+    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
+    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
+    RETURNS event_trigger LANGUAGE plpgsql AS $$
+    DECLARE
+      obj record;
+    BEGIN
+      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
+        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
+
+        -- Set owner for schema
+        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
+
+        -- Set privileges for admin role
+        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
+      END LOOP;
+    END;
+    $$;
+
+    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
+    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
+    WHEN TAG IN ('CREATE SCHEMA')
+    EXECUTE PROCEDURE auto_grant_schema_privileges();
+    EOT
+
+    echo "== assign roles to users"
+    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
+    GRANT app_admin TO app;
+    {{- range $user, $u := $.Values.users }}
+    GRANT app_admin TO {{ $user }};
+    {{- end }}
+    EOT

packages/apps/ferretdb/templates/postgres.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  instances: {{ .Values.replicas }}
+  enableSuperuserAccess: true
+
+  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
+  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
+
+  monitoring:
+    enablePodMonitor: true
+
+  storage:
+    size: {{ required ".Values.size is required" .Values.size }}
+
+  {{- if .Values.users }}
+  managed:
+    roles:
+    {{- range $user, $config := .Values.users }}
+    - name: {{ $user }}
+      ensure: present
+      passwordSecret:
+        name: {{ printf "%s-user-%s" $.Release.Name $user }}
+      login: true
+      inRoles:
+      - app
+    {{- end }}
+  {{- end }}
+
+{{- range $user, $config := .Values.users }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-user-%s" $.Release.Name $user }}
+  labels:
+    cnpg.io/reload: "true"
+type: kubernetes.io/basic-auth
+data:
+  username: {{ $user | b64enc }}
+  password: {{ $config.password | b64enc }}
+{{- end }}

packages/apps/ferretdb/values.schema.json

@@ -0,0 +1,81 @@
+{
+    "title": "Chart Values",
+    "type": "object",
+    "properties": {
+        "external": {
+            "type": "boolean",
+            "description": "Enable external access from outside the cluster",
+            "default": false
+        },
+        "size": {
+            "type": "string",
+            "description": "Persistent Volume size",
+            "default": "10Gi"
+        },
+        "replicas": {
+            "type": "number",
+            "description": "Number of Postgres replicas",
+            "default": 2
+        },
+        "quorum": {
+            "type": "object",
+            "properties": {
+                "minSyncReplicas": {
+                    "type": "number",
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "default": 0
+                },
+                "maxSyncReplicas": {
+                    "type": "number",
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "default": 0
+                }
+            }
+        },
+        "backup": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable pereiodic backups",
+                    "default": false
+                },
+                "s3Region": {
+                    "type": "string",
+                    "description": "The AWS S3 region where backups are stored",
+                    "default": "us-east-1"
+                },
+                "s3Bucket": {
+                    "type": "string",
+                    "description": "The S3 bucket used for storing backups",
+                    "default": "s3.example.org/postgres-backups"
+                },
+                "schedule": {
+                    "type": "string",
+                    "description": "Cron schedule for automated backups",
+                    "default": "0 2 * * *"
+                },
+                "cleanupStrategy": {
+                    "type": "string",
+                    "description": "The strategy for cleaning up old backups",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                },
+                "s3AccessKey": {
+                    "type": "string",
+                    "description": "The access key for S3, used for authentication",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                },
+                "s3SecretKey": {
+                    "type": "string",
+                    "description": "The secret key for S3, used for authentication",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                },
+                "resticPassword": {
+                    "type": "string",
+                    "description": "The password for Restic backup encryption",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                }
+            }
+        }
+    }
+}

packages/apps/ferretdb/values.yaml

@@ -0,0 +1,48 @@
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param size Persistent Volume size
+## @param replicas Number of Postgres replicas
+##
+external: false
+size: 10Gi
+replicas: 2
+
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##
+users: {}
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/postgres-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,38 @@
 {
-  "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf",
+  "buildx.build.provenance": {
-  "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb"
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "args": {
+          "build-arg:ARCH": "amd64"
+        },
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "amd64/amd64/gaibgudlqaxqxufa236q5ffdk",
+  "containerimage.config.digest": "sha256:677b0b84d7a11a31971857863a6a83b5bb863583eca86a2c2b1b89c61659e549",
+  "containerimage.digest": "sha256:7f864e2c9c86b77e08953258521117503309f84783ea11c617db8c2534f8b545"
 }

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/topics.yaml

@@ -8,8 +8,12 @@ metadata:
     strimzi.io/cluster: "{{ $.Release.Name }}"
 spec:
   topicName: "{{ $topic.name }}"
-  partitions: 10
+  {{- with $topic.partitions }}
-  replicas: 3
+  partitions: "{{ . }}"
+  {{- end }}
+  {{- with $topic.replicas }}
+  replicas: "{{ . }}"
+  {{- end }}
   {{- with $topic.config }}
   config:
     {{- toYaml . | nindent 4 }}

packages/apps/kafka/values.yaml

@@ -32,6 +32,6 @@ zookeeper:
 ##       max.compaction.lag.ms: 5400000
 ##       min.insync.replicas: 2
 ##     partitions: 1
-##     replicationFactor: 3
+##     replicas: 3
 ##
 topics: []

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.4"
+appVersion: "1.30.1"

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-UBUNTU_CONTAINER_DISK_TAG = v1.29.1
+UBUNTU_CONTAINER_DISK_TAG = v1.30.1
 
 include ../../../scripts/common-envs.mk
 

packages/apps/kubernetes/README.md

@@ -36,3 +36,13 @@ kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o g
 | `host`                  | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""`  |
 | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components                                                                             | `2`   |
 | `nodeGroups`            | nodeGroups configuration                                                                                                               | `{}`  |
+
+### Cluster Addons
+
+| Name                          | Description                                                                        | Value   |
+| ----------------------------- | ---------------------------------------------------------------------------------- | ------- |
+| `addons.certManager.enabled`  | Enables the cert-manager                                                           | `false` |
+| `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)           | `false` |
+| `addons.ingressNginx.hosts`   | List of domain names that should be passed through to the cluster by upper cluster | `[]`    |
+| `addons.fluxcd.enabled`       | Enables Flux CD                                                                    | `false` |
+

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,4 +1,38 @@
 {
-  "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e",
+  "buildx.build.provenance": {
-  "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a"
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "args": {
+          "build-arg:ARCH": "amd64"
+        },
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc",
+  "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15",
+  "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b"
 }

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1

packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile

@@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \
  && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
  && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
- && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
+ && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
- && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
 # install containerd
  && guestfish --remote command "apt-get update -y" \
  && guestfish --remote command "apt-get install -y containerd.io" \

packages/apps/kubernetes/templates/cluster.yaml

@@ -2,6 +2,58 @@
 {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $kubevirtmachinetemplateNames := list }}
+{{- define "kubevirtmachinetemplate" -}}
+spec:
+  virtualMachineBootstrapCheck:
+    checkStrategy: ssh
+  virtualMachineTemplate:
+    metadata:
+      namespace: {{ $.Release.Namespace }}
+      labels:
+        {{- range .group.roles }}
+        node-role.kubernetes.io/{{ . }}: ""
+        {{- end }}
+    spec:
+      runStrategy: Always
+      template:
+        spec:
+          domain:
+            cpu:
+              threads: 1
+              cores: {{ .group.resources.cpu }}
+              sockets: 1
+            devices:
+              disks:
+              - name: system
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:07:00.0
+              - name: containerd
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:08:00.0
+              - name: kubelet
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:09:00.0
+              networkInterfaceMultiqueue: true
+            memory:
+              guest: {{ .group.resources.memory }}
+          evictionStrategy: External
+          volumes:
+          - name: system
+            containerDisk:
+              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
+          - name: containerd
+            emptyDisk:
+              capacity: 20Gi
+          - name: kubelet
+            emptyDisk:
+              capacity: 20Gi
+{{- end }}
+
+
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -57,7 +109,7 @@ spec:
       className: "{{ $ingress }}"
   deployment:
   replicas: 2
-  version: 1.29.0
+  version: 1.30.1
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -101,56 +153,20 @@ spec:
         skipPhases:
         - addon/kube-proxy
 ---
+{{- $context := deepCopy $ }}
+{{- $_ := set $context "group" $group }}
+{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
+{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
+{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
+{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }}
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
   namespace: {{ $.Release.Namespace }}
 spec:
   template:
-    spec:
+    {{- $kubevirtmachinetemplate | nindent 4 }}
-      virtualMachineBootstrapCheck:
-        checkStrategy: ssh
-      virtualMachineTemplate:
-        metadata:
-          namespace: {{ $.Release.Namespace }}
-        spec:
-          runStrategy: Always
-          template:
-            spec:
-              domain:
-                cpu:
-                  threads: 1
-                  cores: {{ $group.resources.cpu }}
-                  sockets: 1
-                devices:
-                  disks:
-                  - name: system
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:07:00.0
-                  - name: containerd
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:08:00.0
-                  - name: kubelet
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:09:00.0
-                  networkInterfaceMultiqueue: true
-                memory:
-                  guest: {{ $group.resources.memory }}
-              evictionStrategy: External
-              volumes:
-              - name: system
-                containerDisk:
-                  image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
-              - name: containerd
-                emptyDisk:
-                  capacity: 20Gi
-              - name: kubelet
-                emptyDisk:
-                  capacity: 20Gi
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
@@ -165,18 +181,55 @@ metadata:
 spec:
   clusterName: {{ $.Release.Name }}
   template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+        cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
+        {{- range $group.roles }}
+        node-role.kubernetes.io/{{ . }}: ""
+        {{- end }}
     spec:
       bootstrap:
         configRef:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
           name: {{ $.Release.Name }}-{{ $groupName }}
-          namespace: default
+          namespace: {{ $.Release.Namespace }}
       clusterName: {{ $.Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: default
-      version: v1.29.0
+      version: v1.30.1
+{{- end }}
+---
+{{- /*
+We must preserve all previous KubevirtMachineTemplates until a MachineSet references them.
+*/ -}}
+{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }}
+{{- $oldKubevirtmachinetemplates := dict }}
+{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }}
+{{- range $or := $kmt.metadata.ownerReferences }}
+{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }}
+{{- range $ms := $mss }}
+{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }}
+{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }}
+{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- range $oldKubevirtmachinetemplates }}
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
+kind: KubevirtMachineTemplate
+metadata:
+  name: {{ .metadata.name }}
+  namespace: {{ .metadata.Namespace }}
+spec:
+  {{- .spec | toYaml | nindent 2 }}
 {{- end }}

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.addons.certManager.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cert-manager
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: cert-manager
+  chart:
+    spec:
+      chart: cozy-cert-manager
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-cert-manager
+  storageNamespace: cozy-cert-manager
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-cilium
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 1m
+  interval: 5m
   releaseName: cilium
   chart:
     spec:
@@ -23,10 +23,17 @@ spec:
   storageNamespace: cozy-cilium
   install:
     createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: true
+      autoDirectNodeRoutes: false
+      bpf:
+        masquerade: true
       cgroup:
         autoMount:
           enabled: true
@@ -38,9 +45,11 @@ spec:
         chainingMode: ~
         customConf: false
         configMap: ""
-      routingMode: native
+      routingMode: tunnel
       enableIPv4Masquerade: true
-      ipv4NativeRoutingCIDR: "10.244.0.0/16"
+      ipv4NativeRoutingCIDR: ""
   dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
+  {{- end }}

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-csi
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 1m
+  interval: 5m
   releaseName: csi
   chart:
     spec:
@@ -23,6 +23,13 @@ spec:
   storageNamespace: cozy-csi
   install:
     createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
   dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
+  {{- end }}

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -20,17 +20,23 @@ spec:
           effect: "NoSchedule"
       containers:
         - name: kubectl
-          image: docker.io/clastix/kubectl:v1.29.1
+          image: docker.io/clastix/kubectl:v1.30.1
           command:
-            - kubectl
+            - /bin/sh
-            - --namespace={{ .Release.Namespace }}
+            - -c
-            - patch
+            - |
-            - helmrelease
+                kubectl
-            - {{ .Release.Name }}-cilium
+                --namespace={{ .Release.Namespace }}
-            - {{ .Release.Name }}-csi
+                patch
-            - -p
+                helmrelease
-            - '{"spec": {"suspend": true}}'
+                {{ .Release.Name }}-cilium
-            - --type=merge
+                {{ .Release.Name }}-csi
+                {{ .Release.Name }}-cert-manager
+                {{ .Release.Name }}-ingress-nginx
+                {{ .Release.Name }}-fluxcd-operator
+                {{ .Release.Name }}-fluxcd
+                -p '{"spec": {"suspend": true}}'
+                --type=merge --field-manager=flux-client-side-apply || true
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -60,6 +66,10 @@ rules:
     resourceNames:
       - {{ .Release.Name }}-cilium
       - {{ .Release.Name }}-csi
+      - {{ .Release.Name }}-cert-manager
+      - {{ .Release.Name }}-ingress-nginx
+      - {{ .Release.Name }}-fluxcd-operator
+      - {{ .Release.Name }}-fluxcd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml

@@ -0,0 +1,84 @@
+{{- if .Values.addons.fluxcd.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-fluxcd-operator
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: fluxcd-operator
+  chart:
+    spec:
+      chart: cozy-fluxcd-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-fluxcd
+  storageNamespace: cozy-fluxcd
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  values:
+    flux-operator:
+      fullnameOverride: flux-operator
+      tolerations: []
+      hostNetwork: false
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-fluxcd
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: fluxcd
+  chart:
+    spec:
+      chart: cozy-fluxcd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-fluxcd
+  storageNamespace: cozy-fluxcd
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-fluxcd-operator
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -0,0 +1,49 @@
+{{- if .Values.addons.ingressNginx.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: ingress-nginx
+  chart:
+    spec:
+      chart: cozy-ingress-nginx
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-ingress-nginx
+  storageNamespace: cozy-ingress-nginx
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  values:
+    ingress-nginx:
+      fullnameOverride: ingress-nginx
+      controller:
+        kind: DaemonSet
+        hostNetwork: true
+        service:
+          enabled: false
+      nodeSelector:
+        node-role.kubernetes.io/ingress-nginx: ""
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/ingress.yaml

@@ -0,0 +1,45 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- if .Values.addons.ingressNginx.hosts }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+  ingressClassName: "{{ $ingress }}"
+  rules:
+  {{- range .Values.addons.ingressNginx.hosts }}
+  - host: {{ . | quote }}
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $.Release.Name }}-ingress-nginx
+            port:
+              number: 443
+  {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+spec:
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    targetPort: 80
+  - appProtocol: https
+    name: https
+    port: 443
+    targetPort: 443
+  selector:
+    cluster.x-k8s.io/cluster-name: {{ .Release.Name }}
+    node-role.kubernetes.io/ingress-nginx: ""
+{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -16,6 +16,47 @@
                     "default": 2
                 }
             }
+        },
+        "addons": {
+            "type": "object",
+            "properties": {
+                "certManager": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enables the cert-manager",
+                            "default": false
+                        }
+                    }
+                },
+                "ingressNginx": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)",
+                            "default": false
+                        },
+                        "hosts": {
+                            "type": "array",
+                            "description": "List of domain names that should be passed through to the cluster by upper cluster",
+                            "default": [],
+                            "items": {}
+                        }
+                    }
+                },
+                "fluxcd": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enables Flux CD",
+                            "default": false
+                        }
+                    }
+                }
+            }
         }
     }
 }

packages/apps/kubernetes/values.yaml

@@ -16,3 +16,36 @@ nodeGroups:
     resources:
       cpu: 2
       memory: 1024Mi
+    roles:
+    - ingress-nginx
+
+## @section Cluster Addons
+##
+addons:
+
+  ## Cert-manager: automatically creates and manages SSL/TLS certificate
+  ##
+  certManager:
+    ## @param addons.certManager.enabled Enables the cert-manager
+    enabled: false
+
+  ## Ingress-NGINX Controller
+  ##
+  ingressNginx:
+    ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)
+    ##
+    enabled: false
+    ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster
+    ## e.g:
+    ## hosts:
+    ## - example.org
+    ## - foo.example.net
+    ##
+    hosts: []
+
+  ## Flux CD
+  ##
+  fluxcd:
+    ## @param addons.fluxcd.enabled Enables Flux CD
+    ##
+    enabled: false

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/README.md

@@ -35,11 +35,13 @@ more details:
 
 ### Common parameters
 
-| Name       | Description                                     | Value   |
+| Name                     | Description                                                                                                             | Value   |
-| ---------- | ----------------------------------------------- | ------- |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external` | Enable external access from outside the cluster | `false` |
+| `external`               | Enable external access from outside the cluster                                                                         | `false` |
-| `size`     | Persistent Volume size                          | `10Gi`  |
+| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
-| `replicas` | Number of MariaDB replicas                      | `2`     |
+| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
 
 ### Configuration parameters
 

packages/apps/postgres/templates/db.yaml

@@ -11,6 +11,9 @@ spec:
     parameters:
       max_wal_senders: "30"
 
+  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
+  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
+
   monitoring:
     enablePodMonitor: true
 

packages/apps/postgres/templates/init-script.yaml

@@ -100,13 +100,13 @@ stringData:
     echo "== assign roles to users"
     psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
     {{- range $database, $d := .Values.databases }}
-    {{- range $user, $u := $.Values.roles }}
+    {{- range $user, $u := $.Values.users }}
-    {{- if has $user $d.users.admin }}
+    {{- if has $user $d.roles.admin }}
     GRANT {{ $database }}_admin TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_admin FROM {{ $user }};
     {{- end }}
-    {{- if has $user $d.users.readonly }}
+    {{- if has $user $d.roles.readonly }}
     GRANT {{ $database }}_readonly TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_readonly FROM {{ $user }};

packages/apps/postgres/values.schema.json

@@ -14,9 +14,24 @@
         },
         "replicas": {
             "type": "number",
-            "description": "Number of MariaDB replicas",
+            "description": "Number of Postgres replicas",
             "default": 2
         },
+        "quorum": {
+            "type": "object",
+            "properties": {
+                "minSyncReplicas": {
+                    "type": "number",
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "default": 0
+                },
+                "maxSyncReplicas": {
+                    "type": "number",
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "default": 0
+                }
+            }
+        },
         "databases": {
             "type": "object",
             "description": "Databases configuration",

packages/apps/postgres/values.yaml

@@ -2,12 +2,19 @@
 
 ## @param external Enable external access from outside the cluster
 ## @param size Persistent Volume size
-## @param replicas Number of MariaDB replicas
+## @param replicas Number of Postgres replicas
 ##
 external: false
 size: 10Gi
 replicas: 2
 
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
 ## @section Configuration parameters
 
 ## @param users [object] Users configuration

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg
 
 type: application
-version: 1.1.0
+version: 1.2.0

packages/apps/tenant/README.md

@@ -25,7 +25,7 @@ tenant-root (example.org)
 
 Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`.
 
-Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namesapce.
+Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace.
 
 Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant.  
 This in turn means:

packages/apps/tenant/templates/etcd.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.etcd }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: etcd

packages/apps/tenant/templates/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: ingress

packages/apps/tenant/templates/monitoring.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.monitoring }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: monitoring

packages/apps/versions_map

@@ -1,17 +1,25 @@
 clickhouse 0.1.0 ca79f72
-clickhouse 0.2.0 HEAD
+clickhouse 0.2.0 7cd7de73
+clickhouse 0.2.1 HEAD
+ferretdb 0.1.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
-kafka 0.2.0 HEAD
+kafka 0.2.0 a2cc83d
+kafka 0.2.1 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
-kubernetes 0.3.0 HEAD
+kubernetes 0.3.0 7caccec1
+kubernetes 0.4.0 6cae6ce8
+kubernetes 0.5.0 6bd2d455
+kubernetes 0.6.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
-postgres 0.2.0 HEAD
+postgres 0.2.0 7cd7de73
+postgres 0.2.1 4a97e297
+postgres 0.3.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -22,7 +30,8 @@ tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
-tenant 1.1.0 HEAD
+tenant 1.1.0 4da8ac3b
+tenant 1.2.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD

packages/core/fluxcd/Makefile

@@ -1,13 +0,0 @@
-NAME=fluxcd
-NAMESPACE=cozy-$(NAME)
-
-API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
-
-show:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
-
-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
-
-diff:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-

packages/core/fluxcd/charts/flux2/Chart.yaml

@@ -1,11 +0,0 @@
-annotations:
-  artifacthub.io/changes: |
-    - "[Chore]: Update App Version to upstream 2.2.3"
-apiVersion: v2
-appVersion: 2.2.3
-description: A Helm chart for flux2
-name: flux2
-sources:
-- https://github.com/fluxcd-community/helm-charts
-type: application
-version: 2.12.4

packages/core/fluxcd/charts/flux2/README.md

@@ -1,174 +0,0 @@
-# flux2
-
-![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square)
-
-A Helm chart for flux2
-
-This helm chart is maintained and released by the fluxcd-community on a best effort basis.
-
-## Source Code
-
-* <https://github.com/fluxcd-community/helm-charts>
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| cli.affinity | object | `{}` |  |
-| cli.annotations | object | `{}` |  |
-| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` |  |
-| cli.nodeSelector | object | `{}` |  |
-| cli.serviceAccount.automount | bool | `true` |  |
-| cli.tag | string | `"v2.2.3"` |  |
-| cli.tolerations | list | `[]` |  |
-| clusterDomain | string | `"cluster.local"` |  |
-| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
-| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
-| helmController.affinity | object | `{}` |  |
-| helmController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| helmController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| helmController.container.additionalArgs | list | `[]` |  |
-| helmController.create | bool | `true` |  |
-| helmController.extraEnv | list | `[]` |  |
-| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` |  |
-| helmController.imagePullPolicy | string | `""` |  |
-| helmController.labels | object | `{}` |  |
-| helmController.nodeSelector | object | `{}` |  |
-| helmController.priorityClassName | string | `""` |  |
-| helmController.resources.limits | object | `{}` |  |
-| helmController.resources.requests.cpu | string | `"100m"` |  |
-| helmController.resources.requests.memory | string | `"64Mi"` |  |
-| helmController.serviceAccount.annotations | object | `{}` |  |
-| helmController.serviceAccount.automount | bool | `true` |  |
-| helmController.serviceAccount.create | bool | `true` |  |
-| helmController.tag | string | `"v0.37.4"` |  |
-| helmController.tolerations | list | `[]` |  |
-| imageAutomationController.affinity | object | `{}` |  |
-| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| imageAutomationController.container.additionalArgs | list | `[]` |  |
-| imageAutomationController.create | bool | `true` |  |
-| imageAutomationController.extraEnv | list | `[]` |  |
-| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` |  |
-| imageAutomationController.imagePullPolicy | string | `""` |  |
-| imageAutomationController.labels | object | `{}` |  |
-| imageAutomationController.nodeSelector | object | `{}` |  |
-| imageAutomationController.priorityClassName | string | `""` |  |
-| imageAutomationController.resources.limits | object | `{}` |  |
-| imageAutomationController.resources.requests.cpu | string | `"100m"` |  |
-| imageAutomationController.resources.requests.memory | string | `"64Mi"` |  |
-| imageAutomationController.serviceAccount.annotations | object | `{}` |  |
-| imageAutomationController.serviceAccount.automount | bool | `true` |  |
-| imageAutomationController.serviceAccount.create | bool | `true` |  |
-| imageAutomationController.tag | string | `"v0.37.1"` |  |
-| imageAutomationController.tolerations | list | `[]` |  |
-| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers |
-| imageReflectionController.affinity | object | `{}` |  |
-| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| imageReflectionController.container.additionalArgs | list | `[]` |  |
-| imageReflectionController.create | bool | `true` |  |
-| imageReflectionController.extraEnv | list | `[]` |  |
-| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` |  |
-| imageReflectionController.imagePullPolicy | string | `""` |  |
-| imageReflectionController.labels | object | `{}` |  |
-| imageReflectionController.nodeSelector | object | `{}` |  |
-| imageReflectionController.priorityClassName | string | `""` |  |
-| imageReflectionController.resources.limits | object | `{}` |  |
-| imageReflectionController.resources.requests.cpu | string | `"100m"` |  |
-| imageReflectionController.resources.requests.memory | string | `"64Mi"` |  |
-| imageReflectionController.serviceAccount.annotations | object | `{}` |  |
-| imageReflectionController.serviceAccount.automount | bool | `true` |  |
-| imageReflectionController.serviceAccount.create | bool | `true` |  |
-| imageReflectionController.tag | string | `"v0.31.2"` |  |
-| imageReflectionController.tolerations | list | `[]` |  |
-| installCRDs | bool | `true` |  |
-| kustomizeController.affinity | object | `{}` |  |
-| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| kustomizeController.container.additionalArgs | list | `[]` |  |
-| kustomizeController.create | bool | `true` |  |
-| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. |
-| kustomizeController.extraEnv | list | `[]` |  |
-| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. Secrets must be manually created in the namespace or with kustomizeController.secret |
-| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` |  |
-| kustomizeController.imagePullPolicy | string | `""` |  |
-| kustomizeController.labels | object | `{}` |  |
-| kustomizeController.nodeSelector | object | `{}` |  |
-| kustomizeController.priorityClassName | string | `""` |  |
-| kustomizeController.resources.limits | object | `{}` |  |
-| kustomizeController.resources.requests.cpu | string | `"100m"` |  |
-| kustomizeController.resources.requests.memory | string | `"64Mi"` |  |
-| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. |
-| kustomizeController.secret.data | object | `{}` |  |
-| kustomizeController.secret.name | string | `""` |  |
-| kustomizeController.serviceAccount.annotations | object | `{}` |  |
-| kustomizeController.serviceAccount.automount | bool | `true` |  |
-| kustomizeController.serviceAccount.create | bool | `true` |  |
-| kustomizeController.tag | string | `"v1.2.2"` |  |
-| kustomizeController.tolerations | list | `[]` |  |
-| logLevel | string | `"info"` |  |
-| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which don’t have spec.serviceAccountName specified, will use the default account from the tenant’s namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. |
-| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown |
-| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. |
-| notificationController.affinity | object | `{}` |  |
-| notificationController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| notificationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| notificationController.container.additionalArgs | list | `[]` |  |
-| notificationController.create | bool | `true` |  |
-| notificationController.extraEnv | list | `[]` |  |
-| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` |  |
-| notificationController.imagePullPolicy | string | `""` |  |
-| notificationController.labels | object | `{}` |  |
-| notificationController.nodeSelector | object | `{}` |  |
-| notificationController.priorityClassName | string | `""` |  |
-| notificationController.resources.limits | object | `{}` |  |
-| notificationController.resources.requests.cpu | string | `"100m"` |  |
-| notificationController.resources.requests.memory | string | `"64Mi"` |  |
-| notificationController.service.annotations | object | `{}` |  |
-| notificationController.service.labels | object | `{}` |  |
-| notificationController.serviceAccount.annotations | object | `{}` |  |
-| notificationController.serviceAccount.automount | bool | `true` |  |
-| notificationController.serviceAccount.create | bool | `true` |  |
-| notificationController.tag | string | `"v1.2.4"` |  |
-| notificationController.tolerations | list | `[]` |  |
-| notificationController.webhookReceiver.ingress.annotations | object | `{}` |  |
-| notificationController.webhookReceiver.ingress.create | bool | `false` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
-| notificationController.webhookReceiver.ingress.labels | object | `{}` |  |
-| notificationController.webhookReceiver.ingress.tls | list | `[]` |  |
-| notificationController.webhookReceiver.service.annotations | object | `{}` |  |
-| notificationController.webhookReceiver.service.labels | object | `{}` |  |
-| policies.create | bool | `true` |  |
-| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
-| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` |  |
-| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
-| rbac.create | bool | `true` |  |
-| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
-| sourceController.affinity | object | `{}` |  |
-| sourceController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| sourceController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| sourceController.container.additionalArgs | list | `[]` |  |
-| sourceController.create | bool | `true` |  |
-| sourceController.extraEnv | list | `[]` |  |
-| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` |  |
-| sourceController.imagePullPolicy | string | `""` |  |
-| sourceController.labels | object | `{}` |  |
-| sourceController.nodeSelector | object | `{}` |  |
-| sourceController.priorityClassName | string | `""` |  |
-| sourceController.resources.limits | object | `{}` |  |
-| sourceController.resources.requests.cpu | string | `"100m"` |  |
-| sourceController.resources.requests.memory | string | `"64Mi"` |  |
-| sourceController.service.annotations | object | `{}` |  |
-| sourceController.service.labels | object | `{}` |  |
-| sourceController.serviceAccount.annotations | object | `{}` |  |
-| sourceController.serviceAccount.automount | bool | `true` |  |
-| sourceController.serviceAccount.create | bool | `true` |  |
-| sourceController.tag | string | `"v1.2.4"` |  |
-| sourceController.tolerations | list | `[]` |  |
-| watchAllNamespaces | bool | `true` |  |

packages/core/fluxcd/charts/flux2/templates/_helper.tpl

@@ -1,7 +0,0 @@
-{{- define "template.image" -}}
-{{- if eq (substr 0 7 .tag) "sha256:" -}}
-{{- printf "%s@%s" .image .tag -}}
-{{- else -}}
-{{- printf "%s:%s" .image .tag -}}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml

@@ -1,47 +0,0 @@
-{{- if .Values.rbac.createAggregation }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: flux-edit
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - notification.toolkit.fluxcd.io
-      - source.toolkit.fluxcd.io
-      - helm.toolkit.fluxcd.io
-      - image.toolkit.fluxcd.io
-      - kustomize.toolkit.fluxcd.io
-    resources: ["*"]
-    verbs:
-      - create
-      - delete
-      - deletecollection
-      - patch
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: flux-view
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-rules:
-  - apiGroups:
-      - notification.toolkit.fluxcd.io
-      - source.toolkit.fluxcd.io
-      - helm.toolkit.fluxcd.io
-      - image.toolkit.fluxcd.io
-      - kustomize.toolkit.fluxcd.io
-    resources: ["*"]
-    verbs:
-      - get
-      - list
-      - watch
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: cluster-reconciler
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Values.rbac.roleRef.name }}
-subjects:
-- kind: ServiceAccount
-  name: kustomize-controller
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: helm-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml

@@ -1,19 +0,0 @@
-{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: cluster-reconciler-impersonator
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-rules:
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["impersonate"]
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: cluster-reconciler-impersonator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-reconciler-impersonator
-subjects:
-- kind: ServiceAccount
-  name: kustomize-controller
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: helm-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml

@@ -1,82 +0,0 @@
-{{- if and .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: crd-controller
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-rules:
-- apiGroups: ['source.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['kustomize.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['helm.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['notification.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['image.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - secrets
-  - configmaps
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-# required by leader election
-- apiGroups:
-    - ""
-  resources:
-    - configmaps
-  verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
-- apiGroups:
-    - ""
-  resources:
-    - configmaps/status
-  verbs:
-    - get
-    - update
-    - patch
-- apiGroups:
-  - "coordination.k8s.io"
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml

@@ -1,38 +0,0 @@
-{{- if and .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: crd-controller
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: crd-controller
-subjects:
-  - kind: ServiceAccount
-    name: kustomize-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: helm-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: source-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: notification-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: image-reflector-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: image-automation-controller
-    namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml

@@ -1,4 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ tpl (toYaml .) $ }}
-{{ end }}

packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.helmController.create}}
-{{- if .Values.helmController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: helm-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: helm-controller
-  {{- with .Values.helmController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml

@@ -1,133 +0,0 @@
-{{- if and .Values.helmController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: helm-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.helmController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: helm-controller
-spec:
-  {{- if kindIs "invalid" .Values.helmController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.helmController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: helm-controller
-  template:
-    metadata:
-      {{- with .Values.helmController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: helm-controller
-{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }}
-    {{- if .Values.helmController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.helmController.initContainers | nindent 8}}
-    {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.helmController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.helmController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.helmController }}
-        {{- if .Values.helmController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.helmController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.helmController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.helmController.securityContext }}
-        securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.helmController.volumeMounts }}
-        {{- toYaml .Values.helmController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.helmController.priorityClassName }}
-      priorityClassName: {{ .Values.helmController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.helmController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }}
-      {{- end }}
-      serviceAccountName: helm-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 600
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.helmController.volumes }}
-      {{- toYaml .Values.helmController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.helmController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.helmController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.helmController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.imageAutomationController.create }}
-{{- if .Values.imageAutomationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: image-automation-controller
-  {{- with .Values.imageAutomationController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml

@@ -1,326 +0,0 @@
-{{- if and .Values.installCRDs .Values.imageAutomationController.create }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imageupdateautomations.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImageUpdateAutomation
-    listKind: ImageUpdateAutomationList
-    plural: imageupdateautomations
-    singular: imageupdateautomation
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastAutomationRunTime
-      name: Last run
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImageUpdateAutomation is the Schema for the imageupdateautomations
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation
-            properties:
-              git:
-                description: GitSpec contains all the git-specific definitions. This
-                  is technically optional, but in practice mandatory until there are
-                  other kinds of source allowed.
-                properties:
-                  checkout:
-                    description: Checkout gives the parameters for cloning the git
-                      repository, ready to make changes. If not present, the `spec.ref`
-                      field from the referenced `GitRepository` or its default will
-                      be used.
-                    properties:
-                      ref:
-                        description: Reference gives a branch, tag or commit to clone
-                          from the Git repository.
-                        properties:
-                          branch:
-                            description: Branch to check out, defaults to 'master'
-                              if no other field is defined.
-                            type: string
-                          commit:
-                            description: "Commit SHA to check out, takes precedence
-                              over all reference fields. \n This can be combined with
-                              Branch to shallow clone the branch, in which the commit
-                              is expected to exist."
-                            type: string
-                          name:
-                            description: "Name of the reference to check out; takes
-                              precedence over Branch, Tag and SemVer. \n It must be
-                              a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
-                              Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\",
-                              \"refs/pull/420/head\", \"refs/merge-requests/1/head\""
-                            type: string
-                          semver:
-                            description: SemVer tag expression to check out, takes
-                              precedence over Tag.
-                            type: string
-                          tag:
-                            description: Tag to check out, takes precedence over Branch.
-                            type: string
-                        type: object
-                    required:
-                    - ref
-                    type: object
-                  commit:
-                    description: Commit specifies how to commit to the git repository.
-                    properties:
-                      author:
-                        description: Author gives the email and optionally the name
-                          to use as the author of commits.
-                        properties:
-                          email:
-                            description: Email gives the email to provide when making
-                              a commit.
-                            type: string
-                          name:
-                            description: Name gives the name to provide when making
-                              a commit.
-                            type: string
-                        required:
-                        - email
-                        type: object
-                      messageTemplate:
-                        description: MessageTemplate provides a template for the commit
-                          message, into which will be interpolated the details of
-                          the change made.
-                        type: string
-                      signingKey:
-                        description: SigningKey provides the option to sign commits
-                          with a GPG key
-                        properties:
-                          secretRef:
-                            description: SecretRef holds the name to a secret that
-                              contains a 'git.asc' key corresponding to the ASCII
-                              Armored file containing the GPG signing keypair as the
-                              value. It must be in the same namespace as the ImageUpdateAutomation.
-                            properties:
-                              name:
-                                description: Name of the referent.
-                                type: string
-                            required:
-                            - name
-                            type: object
-                        type: object
-                    required:
-                    - author
-                    type: object
-                  push:
-                    description: Push specifies how and where to push commits made
-                      by the automation. If missing, commits are pushed (back) to
-                      `.spec.checkout.branch` or its default.
-                    properties:
-                      branch:
-                        description: Branch specifies that commits should be pushed
-                          to the branch named. The branch is created using `.spec.checkout.branch`
-                          as the starting point, if it doesn't already exist.
-                        type: string
-                      options:
-                        additionalProperties:
-                          type: string
-                        description: 'Options specifies the push options that are
-                          sent to the Git server when performing a push operation.
-                          For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt'
-                        type: object
-                      refspec:
-                        description: 'Refspec specifies the Git Refspec to use for
-                          a push operation. If both Branch and Refspec are provided,
-                          then the commit is pushed to the branch and also using the
-                          specified refspec. For more details about Git Refspecs,
-                          see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec'
-                        type: string
-                    type: object
-                required:
-                - commit
-                type: object
-              interval:
-                description: Interval gives an lower bound for how often the automation
-                  run should be attempted.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              sourceRef:
-                description: SourceRef refers to the resource giving access details
-                  to a git repository.
-                properties:
-                  apiVersion:
-                    description: API version of the referent.
-                    type: string
-                  kind:
-                    default: GitRepository
-                    description: Kind of the referent.
-                    enum:
-                    - GitRepository
-                    type: string
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, defaults to the namespace
-                      of the Kubernetes resource object that contains the reference.
-                    type: string
-                required:
-                - kind
-                - name
-                type: object
-              suspend:
-                description: Suspend tells the controller to not run this automation,
-                  until it is unset (or set to false). Defaults to false.
-                type: boolean
-              update:
-                default:
-                  strategy: Setters
-                description: Update gives the specification for how to update the
-                  files in the repository. This can be left empty, to use the default
-                  value.
-                properties:
-                  path:
-                    description: Path to the directory containing the manifests to
-                      be updated. Defaults to 'None', which translates to the root
-                      path of the GitRepositoryRef.
-                    type: string
-                  strategy:
-                    default: Setters
-                    description: Strategy names the strategy to be used.
-                    enum:
-                    - Setters
-                    type: string
-                required:
-                - strategy
-                type: object
-            required:
-            - interval
-            - sourceRef
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageUpdateAutomationStatus defines the observed state of
-              ImageUpdateAutomation
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastAutomationRunTime:
-                description: LastAutomationRunTime records the last time the controller
-                  ran this automation through to completion (even if no updates were
-                  made).
-                format: date-time
-                type: string
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastPushCommit:
-                description: LastPushCommit records the SHA1 of the last commit made
-                  by the controller, for this automation object
-                type: string
-              lastPushTime:
-                description: LastPushTime records the time of the last pushed change.
-                format: date-time
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml

@@ -1,135 +0,0 @@
-{{- if and .Values.imageAutomationController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.imageAutomationController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: image-automation-controller
-spec:
-  {{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.imageAutomationController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: image-automation-controller
-  template:
-    metadata:
-      {{- with .Values.imageAutomationController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: image-automation-controller
-{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
-      {{- if .Values.imageAutomationController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.imageAutomationController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.imageAutomationController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.imageAutomationController }}
-        {{- if .Values.imageAutomationController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.imageAutomationController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.imageAutomationController.securityContext }}
-        securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.imageAutomationController.volumeMounts }}
-        {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.imageAutomationController.priorityClassName }}
-      priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.imageAutomationController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: image-automation-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.imageAutomationController.volumes }}
-      {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.imageAutomationController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageAutomationController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageAutomationController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-{{- if .Values.imageReflectionController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: image-reflector-controller
-  {{- with .Values.imageReflectionController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml

@@ -1,901 +0,0 @@
-{{- if and .Values.installCRDs .Values.imageReflectionController.create }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imagepolicies.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImagePolicy
-    listKind: ImagePolicyList
-    plural: imagepolicies
-    singular: imagepolicy
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.latestImage
-      name: LatestImage
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImagePolicy is the Schema for the imagepolicies API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImagePolicySpec defines the parameters for calculating the
-              ImagePolicy
-            properties:
-              filterTags:
-                description: FilterTags enables filtering for only a subset of tags
-                  based on a set of rules. If no rules are provided, all the tags
-                  from the repository will be ordered and compared.
-                properties:
-                  extract:
-                    description: Extract allows a capture group to be extracted from
-                      the specified regular expression pattern, useful before tag
-                      evaluation.
-                    type: string
-                  pattern:
-                    description: Pattern specifies a regular expression pattern used
-                      to filter for image tags.
-                    type: string
-                type: object
-              imageRepositoryRef:
-                description: ImageRepositoryRef points at the object specifying the
-                  image being scanned
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, when not specified it
-                      acts as LocalObjectReference.
-                    type: string
-                required:
-                - name
-                type: object
-              policy:
-                description: Policy gives the particulars of the policy to be followed
-                  in selecting the most recent image
-                properties:
-                  alphabetical:
-                    description: Alphabetical set of rules to use for alphabetical
-                      ordering of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the letters of the alphabet as tags, ascending order
-                          would select Z, and descending order would select A.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  numerical:
-                    description: Numerical set of rules to use for numerical ordering
-                      of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the integer values from 0 to 9 as tags, ascending
-                          order would select 9, and descending order would select
-                          0.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  semver:
-                    description: SemVer gives a semantic version range to check against
-                      the tags available.
-                    properties:
-                      range:
-                        description: Range gives a semver range for the image tag;
-                          the highest version within the range that's a tag yields
-                          the latest image.
-                        type: string
-                    required:
-                    - range
-                    type: object
-                type: object
-            required:
-            - imageRepositoryRef
-            - policy
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImagePolicyStatus defines the observed state of ImagePolicy
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              latestImage:
-                description: LatestImage gives the first in the list of images scanned
-                  by the image repository, when filtered and ordered according to
-                  the policy.
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources:
-      status: {}
-  - additionalPrinterColumns:
-    - jsonPath: .status.latestImage
-      name: LatestImage
-      type: string
-    name: v1beta2
-    schema:
-      openAPIV3Schema:
-        description: ImagePolicy is the Schema for the imagepolicies API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImagePolicySpec defines the parameters for calculating the
-              ImagePolicy.
-            properties:
-              filterTags:
-                description: FilterTags enables filtering for only a subset of tags
-                  based on a set of rules. If no rules are provided, all the tags
-                  from the repository will be ordered and compared.
-                properties:
-                  extract:
-                    description: Extract allows a capture group to be extracted from
-                      the specified regular expression pattern, useful before tag
-                      evaluation.
-                    type: string
-                  pattern:
-                    description: Pattern specifies a regular expression pattern used
-                      to filter for image tags.
-                    type: string
-                type: object
-              imageRepositoryRef:
-                description: ImageRepositoryRef points at the object specifying the
-                  image being scanned
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, when not specified it
-                      acts as LocalObjectReference.
-                    type: string
-                required:
-                - name
-                type: object
-              policy:
-                description: Policy gives the particulars of the policy to be followed
-                  in selecting the most recent image
-                properties:
-                  alphabetical:
-                    description: Alphabetical set of rules to use for alphabetical
-                      ordering of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the letters of the alphabet as tags, ascending order
-                          would select Z, and descending order would select A.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  numerical:
-                    description: Numerical set of rules to use for numerical ordering
-                      of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the integer values from 0 to 9 as tags, ascending
-                          order would select 9, and descending order would select
-                          0.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  semver:
-                    description: SemVer gives a semantic version range to check against
-                      the tags available.
-                    properties:
-                      range:
-                        description: Range gives a semver range for the image tag;
-                          the highest version within the range that's a tag yields
-                          the latest image.
-                        type: string
-                    required:
-                    - range
-                    type: object
-                type: object
-            required:
-            - imageRepositoryRef
-            - policy
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImagePolicyStatus defines the observed state of ImagePolicy
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              latestImage:
-                description: LatestImage gives the first in the list of images scanned
-                  by the image repository, when filtered and ordered according to
-                  the policy.
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-              observedPreviousImage:
-                description: ObservedPreviousImage is the observed previous LatestImage.
-                  It is used to keep track of the previous and current images.
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imagerepositories.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImageRepository
-    listKind: ImageRepositoryList
-    plural: imagerepositories
-    singular: imagerepository
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastScanResult.scanTime
-      name: Last scan
-      type: string
-    - jsonPath: .status.lastScanResult.tagCount
-      name: Tags
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImageRepository is the Schema for the imagerepositories API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageRepositorySpec defines the parameters for scanning an
-              image repository, e.g., `fluxcd/flux`.
-            properties:
-              accessFrom:
-                description: AccessFrom defines an ACL for allowing cross-namespace
-                  references to the ImageRepository object based on the caller's namespace
-                  labels.
-                properties:
-                  namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
-                    items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
-                      properties:
-                        matchLabels:
-                          additionalProperties:
-                            type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                    type: array
-                required:
-                - namespaceSelectors
-                type: object
-              certSecretRef:
-                description: "CertSecretRef can be given the name of a secret containing
-                  either or both of \n - a PEM-encoded client certificate (`certFile`)
-                  and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate."
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              exclusionList:
-                description: ExclusionList is a list of regex strings used to exclude
-                  certain tags from being stored in the database.
-                items:
-                  type: string
-                type: array
-              image:
-                description: Image is the name of the image repository
-                type: string
-              interval:
-                description: Interval is the length of time to wait between scans
-                  of the image repository.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              secretRef:
-                description: SecretRef can be given the name of a secret containing
-                  credentials to use for the image registry. The secret should be
-                  created with `kubectl create secret docker-registry`, or the equivalent.
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              serviceAccountName:
-                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets.
-                maxLength: 253
-                type: string
-              suspend:
-                description: This flag tells the controller to suspend subsequent
-                  image scans. It does not apply to already started scans. Defaults
-                  to false.
-                type: boolean
-              timeout:
-                description: Timeout for image scanning. Defaults to 'Interval' duration.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
-                type: string
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageRepositoryStatus defines the observed state of ImageRepository
-            properties:
-              canonicalImageName:
-                description: CanonicalName is the name of the image repository with
-                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
-                  rather than `alpine`.
-                type: string
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastScanResult:
-                description: LastScanResult contains the number of fetched tags.
-                properties:
-                  scanTime:
-                    format: date-time
-                    type: string
-                  tagCount:
-                    type: integer
-                required:
-                - tagCount
-                type: object
-              observedGeneration:
-                description: ObservedGeneration is the last reconciled generation.
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources:
-      status: {}
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastScanResult.scanTime
-      name: Last scan
-      type: string
-    - jsonPath: .status.lastScanResult.tagCount
-      name: Tags
-      type: string
-    name: v1beta2
-    schema:
-      openAPIV3Schema:
-        description: ImageRepository is the Schema for the imagerepositories API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageRepositorySpec defines the parameters for scanning an
-              image repository, e.g., `fluxcd/flux`.
-            properties:
-              accessFrom:
-                description: AccessFrom defines an ACL for allowing cross-namespace
-                  references to the ImageRepository object based on the caller's namespace
-                  labels.
-                properties:
-                  namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
-                    items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
-                      properties:
-                        matchLabels:
-                          additionalProperties:
-                            type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                    type: array
-                required:
-                - namespaceSelectors
-                type: object
-              certSecretRef:
-                description: "CertSecretRef can be given the name of a Secret containing
-                  either or both of \n - a PEM-encoded client certificate (`tls.crt`)
-                  and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
-                  \n Note: Support for the `caFile`, `certFile` and `keyFile` keys
-                  has been deprecated."
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              exclusionList:
-                default:
-                - ^.*\.sig$
-                description: ExclusionList is a list of regex strings used to exclude
-                  certain tags from being stored in the database.
-                items:
-                  type: string
-                maxItems: 25
-                type: array
-              image:
-                description: Image is the name of the image repository
-                type: string
-              insecure:
-                description: Insecure allows connecting to a non-TLS HTTP container
-                  registry.
-                type: boolean
-              interval:
-                description: Interval is the length of time to wait between scans
-                  of the image repository.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              provider:
-                default: generic
-                description: The provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. When not specified, defaults to 'generic'.
-                enum:
-                - generic
-                - aws
-                - azure
-                - gcp
-                type: string
-              secretRef:
-                description: SecretRef can be given the name of a secret containing
-                  credentials to use for the image registry. The secret should be
-                  created with `kubectl create secret docker-registry`, or the equivalent.
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              serviceAccountName:
-                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets.
-                maxLength: 253
-                type: string
-              suspend:
-                description: This flag tells the controller to suspend subsequent
-                  image scans. It does not apply to already started scans. Defaults
-                  to false.
-                type: boolean
-              timeout:
-                description: Timeout for image scanning. Defaults to 'Interval' duration.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
-                type: string
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageRepositoryStatus defines the observed state of ImageRepository
-            properties:
-              canonicalImageName:
-                description: CanonicalName is the name of the image repository with
-                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
-                  rather than `alpine`.
-                type: string
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastScanResult:
-                description: LastScanResult contains the number of fetched tags.
-                properties:
-                  latestTags:
-                    items:
-                      type: string
-                    type: array
-                  scanTime:
-                    format: date-time
-                    type: string
-                  tagCount:
-                    type: integer
-                required:
-                - tagCount
-                type: object
-              observedExclusionList:
-                description: ObservedExclusionList is a list of observed exclusion
-                  list. It reflects the exclusion rules used for the observed scan
-                  result in spec.lastScanResult.
-                items:
-                  type: string
-                type: array
-              observedGeneration:
-                description: ObservedGeneration is the last reconciled generation.
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml

@@ -1,139 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.imageReflectionController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: image-reflector-controller
-spec:
-  {{- if kindIs "invalid" .Values.imageReflectionController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.imageReflectionController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: image-reflector-controller
-  template:
-    metadata:
-      {{- with .Values.imageReflectionController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: image-reflector-controller
-{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }}
-      {{- if .Values.imageReflectionController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.imageReflectionController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.imageReflectionController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.imageReflectionController }}
-        {{- if .Values.imageReflectionController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.imageReflectionController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.imageReflectionController.securityContext }}
-        securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        - mountPath: /data
-          name: data
-        {{- if .Values.imageReflectionController.volumeMounts }}
-        {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.imageReflectionController.priorityClassName }}
-      priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.imageReflectionController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: image-reflector-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      - emptyDir: {}
-        name: data
-      {{- if .Values.imageReflectionController.volumes }}
-      {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.imageReflectionController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageReflectionController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageReflectionController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-{{- if .Values.kustomizeController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: kustomize-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: kustomize-controller
-  {{- with .Values.kustomizeController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.kustomizeController.secret.create }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.kustomizeController.secret.name }}
-  namespace:  {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-type: Opaque
-data:
-  {{- range $key, $value := .Values.kustomizeController.secret.data }}
-  {{ $key }}: {{ $value | toString | b64enc | quote }}
-  {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml

@@ -1,158 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: kustomize-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.kustomizeController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: kustomize-controller
-spec:
-  {{- if kindIs "invalid" .Values.kustomizeController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.kustomizeController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: kustomize-controller
-  template:
-    metadata:
-      {{- with .Values.kustomizeController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: kustomize-controller
-{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
-      {{- if .Values.kustomizeController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.kustomizeController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.kustomizeController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
-        envFrom:
-          {{- if .Values.kustomizeController.envFrom.map.name }}
-          - configMapRef:
-              name: {{ .Values.kustomizeController.envFrom.map.name }}
-          {{- end }}
-          {{- if .Values.kustomizeController.envFrom.secret.name }}
-          - secretRef:
-              name: {{ .Values.kustomizeController.envFrom.secret.name }}
-          {{- end }}
-        {{- end }}
-        image: {{ template "template.image" .Values.kustomizeController }}
-        {{- if .Values.kustomizeController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.kustomizeController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.kustomizeController.securityContext }}
-        securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.kustomizeController.volumeMounts }}
-        {{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.kustomizeController.priorityClassName }}
-      priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
-      {{- end }}
-      {{- range .Values.kustomizeController.extraSecretMounts }}
-        - name: {{ .name }}
-          mountPath: {{ .mountPath }}
-          subPath: {{ .subPath }}
-          readOnly: {{ .readOnly }}
-      {{- end }}
-      {{- if .Values.kustomizeController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: kustomize-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 60
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.kustomizeController.volumes }}
-      {{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
-      {{- end}}
-      {{- range .Values.kustomizeController.extraSecretMounts }}
-      - name: {{ .name }}
-        secret:
-          secretName: {{ .secretName }}
-      {{- end }}
-      {{- with .Values.kustomizeController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.kustomizeController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.kustomizeController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml

@@ -1,49 +0,0 @@
-{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
-  annotations:
-    {{- range $key, $value := . }}
-    {{ $key }}: {{ tpl $value $ | quote }}
-    {{- end }}
-  {{- end }}
-  name: webhook-receiver
-spec:
-  {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
-  ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
-  {{- end -}}
-  {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
-  tls:
-    {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            pathType: {{ .pathType }}
-            backend:
-              service:
-                name: webhook-receiver
-                port:
-                  number: 80
-          {{- end }}
-    {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.notificationController.create -}}
-{{- if .Values.notificationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: notification-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: notification-controller
-  {{- with .Values.notificationController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml

@@ -1,29 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: notification-controller
-  {{- with .Values.notificationController.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: http
-  {{- if .Values.notificationController.service.ports }}
-  {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
-  {{- end}}
-  selector:
-    app: notification-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: webhook-receiver
-  {{- with .Values.notificationController.webhookReceiver.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 9292
-  selector:
-    app: notification-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml

@@ -1,136 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: notification-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: notification-controller
-spec:
-  {{- if kindIs "invalid" .Values.notificationController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.notificationController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: notification-controller
-  template:
-    metadata:
-      {{- with .Values.notificationController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: notification-controller
-{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
-      {{- if .Values.notificationController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.notificationController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.notificationController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.notificationController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.notificationController }}
-        {{- if .Values.notificationController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 9090
-          name: http
-          protocol: TCP
-        - containerPort: 9292
-          name: http-webhook
-          protocol: TCP
-        - containerPort: 8080
-          name: http-prom
-          protocol: TCP
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.notificationController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.notificationController.securityContext }}
-        securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.notificationController.volumeMounts }}
-        {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.notificationController.priorityClassName }}
-      priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.notificationController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
-      {{- end }}
-      serviceAccountName: notification-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.notificationController.volumes }}
-      {{- toYaml .Values.notificationController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.notificationController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.notificationController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.notificationController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml

@@ -1,32 +0,0 @@
-{{ if .Values.prometheus.podMonitor.create }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
-    {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  namespaceSelector:
-    matchNames:
-      - {{ .Release.Namespace }}
-  selector:
-    matchExpressions:
-      - key: app
-        operator: In
-        values:
-          - helm-controller
-          - source-controller
-          - kustomize-controller
-          - notification-controller
-          - image-automation-controller
-          - image-reflector-controller
-  podMetricsEndpoints:
-{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/policies.yaml

@@ -1,63 +0,0 @@
-{{- if and .Values.policies.create}}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-egress
-spec:
-  egress:
-  - {}
-  ingress:
-  - from:
-    - podSelector: {}
-  podSelector: {}
-  policyTypes:
-  - Ingress
-  - Egress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-scraping
-spec:
-  ingress:
-  - from:
-    - namespaceSelector: {}
-    ports:
-    - port: 8080
-      protocol: TCP
-  podSelector: {}
-  policyTypes:
-  - Ingress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-webhooks
-spec:
-  ingress:
-  - from:
-    - namespaceSelector: {}
-  podSelector:
-    matchLabels:
-      app: notification-controller
-  policyTypes:
-  - Ingress
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: "{{ .Release.Name }}-flux-check"
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml

@@ -1,72 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-flux-check"
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
-  backoffLimit: 1
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      {{- with .Values.cli.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-        app.kubernetes.io/part-of: flux
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    spec:
-      restartPolicy: Never
-      serviceAccountName: "{{ .Release.Name }}-flux-check"
-      automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
-      containers:
-      - name: flux-cli
-        image: {{ template "template.image" .Values.cli }}
-        command: ["/usr/local/bin/flux", "check",  "--pre", "--namespace", {{ .Release.Namespace }}]
-        {{- with .Values.cli.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.cli.securityContext }}
-        securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        {{- if .Values.cli.volumeMounts }}
-        volumeMounts:
-        {{- toYaml .Values.cli.volumeMounts | nindent 10 }}
-        {{- end}}
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      {{- with .Values.cli.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- if .Values.cli.volumes }}
-      volumes:
-      {{- toYaml .Values.cli.volumes | nindent 8 }}
-      {{- end}}
-      {{- with .Values.cli.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.cli.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml

@@ -1,29 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: source-controller
-  {{- with .Values.sourceController.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: http
-  {{- if .Values.sourceController.service.ports }}
-  {{- toYaml .Values.sourceController.service.ports | nindent 2 }}
-  {{- end}}
-  selector:
-    app: source-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml

@@ -1,18 +0,0 @@
-{{- if .Values.sourceController.create -}}
-{{- if .Values.sourceController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: source-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: source-controller
-  {{- with .Values.sourceController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/source-controller.yaml

@@ -1,140 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: source-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.sourceController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: source-controller
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: source-controller
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      {{- with .Values.sourceController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: source-controller
-{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
-      {{- if .Values.sourceController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.sourceController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        - --storage-path=/data
-        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
-        {{- range .Values.sourceController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.sourceController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.sourceController }}
-        {{- if .Values.sourceController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 9090
-          name: http
-          protocol: TCP
-        - containerPort: 8080
-          name: http-prom
-          protocol: TCP
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /
-            port: http
-        {{- with .Values.sourceController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.sourceController.securityContext }}
-        securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /data
-          name: data
-        - mountPath: /tmp
-          name: tmp
-        {{- if .Values.sourceController.volumeMounts }}
-        {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.sourceController.priorityClassName }}
-      priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.sourceController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: source-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: data
-      - emptyDir: {}
-        name: tmp
-      {{- if .Values.sourceController.volumes }}
-      {{- toYaml .Values.sourceController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.sourceController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.sourceController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.sourceController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/values.yaml

@@ -1,327 +0,0 @@
-# global
-
-installCRDs: true
-crds:
-  # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
-  annotations: {}
-
-multitenancy:
-  # -- Implement the patches for Multi-tenancy lockdown.
-  # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
-  enabled: false
-  # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName
-  # specified, will use the default account from the tenant’s namespace.
-  # Tenants have to specify a service account in their Flux resources to be able
-  # to deploy workloads in their namespaces as the default account has no permissions.
-  defaultServiceAccount: "default"
-  # -- Both kustomize-controller and helm-controller service accounts run privileged
-  # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
-  # minimum set of permissions.
-  privileged: true
-
-clusterDomain: cluster.local
-
-cli:
-  image: ghcr.io/fluxcd/flux-cli
-  tag: v2.2.3
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-  annotations: {}
-  serviceAccount:
-    automount: true
-
-# controllers
-
-helmController:
-  create: true
-  image: ghcr.io/fluxcd/helm-controller
-  tag: v0.37.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
-  # for example:
-  #   affinity:
-  #     nodeAffinity:
-  #      requiredDuringSchedulingIgnoredDuringExecution:
-  #        nodeSelectorTerms:
-  #        - matchExpressions:
-  #          - key: foo.bar.com/role
-  #            operator: In
-  #            values:
-  #            - master
-
-  affinity: {}
-  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
-  # for example:
-  #   tolerations:
-  #   - key: foo.bar.com/role
-  #     operator: Equal
-  #     value: master
-  #     effect: NoSchedule
-
-  tolerations: []
-
-imageAutomationController:
-  create: true
-  image: ghcr.io/fluxcd/image-automation-controller
-  tag: v0.37.1
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-imageReflectionController:
-  create: true
-  image: ghcr.io/fluxcd/image-reflector-controller
-  tag: v0.31.2
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-kustomizeController:
-  create: true
-  image: ghcr.io/fluxcd/kustomize-controller
-  tag: v1.2.2
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  secret:
-    # -- Create a secret to use it with extraSecretMounts. Defaults to false.
-    create: false
-    name: ""
-    data: {}
-  # -- Defines envFrom using a configmap and/or secret.
-  envFrom:
-    map:
-      name: ""
-    secret:
-      name: ""
-  # -- Defines additional mounts with secrets.
-  # Secrets must be manually created in the namespace or with kustomizeController.secret
-  extraSecretMounts: []
-  # - name: secret-files
-  #   mountPath: /etc/secrets
-  #   subPath: ""
-  #   secretName: secret-files
-  #   readOnly: true
-
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-notificationController:
-  create: true
-  image: ghcr.io/fluxcd/notification-controller
-  tag: v1.2.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  service:
-    labels: {}
-    annotations: {}
-  webhookReceiver:
-    service:
-      labels: {}
-      annotations: {}
-    ingress:
-      create: false
-      # ingressClassName: nginx
-      annotations: {}
-      # kubernetes.io/ingress.class: nginx
-      # kubernetes.io/tls-acme: "true"
-      labels: {}
-      hosts:
-        - host: flux-webhook.example.com
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-      tls: []
-      #  - secretName: flux-webhook-tls
-      #    hosts:
-      #      - flux-webhook.example.com
-
-
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-sourceController:
-  create: true
-  image: ghcr.io/fluxcd/source-controller
-  tag: v1.2.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  service:
-    labels: {}
-    annotations: {}
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-  extraEnv: []
-
-policies:
-  create: true
-
-rbac:
-  create: true
-  # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
-  createAggregation: true
-  # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
-  annotations: {}
-  roleRef:
-    name: cluster-admin
-
-logLevel: info
-watchAllNamespaces: true
-
-# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
-imagePullSecrets: []
-
-# -- Array of extra K8s manifests to deploy
-extraObjects: []
-# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
-# - apiVersion: source.toolkit.fluxcd.io/v1beta2
-#   kind: Bucket
-#   metadata:
-#     name: podinfo
-#     namespace: default
-#   spec:
-#     interval: 1m
-#     provider: generic
-#     bucketName: podinfo
-#     endpoint: minio.minio.svc.cluster.local:9000
-#     insecure: true
-#     secretRef:
-#       name: minio-credentials
-# - apiVersion: v1
-#   kind: Secret
-#   metadata:
-#     name: minio-credentials
-#     namespace: default
-#   type: Opaque
-#   data:
-#     accesskey: <BASE64>
-#     secretkey: <BASE64>
-
-# Enables podMonitor creation for the Prometheus Operator
-prometheus:
-  podMonitor:
-    # -- Enables podMonitor endpoint
-    create: false
-    podMetricsEndpoints:
-      - port: http-prom
-        relabelings:
-          # https://github.com/prometheus-operator/prometheus-operator/issues/4816
-          - sourceLabels: [__meta_kubernetes_pod_phase]
-            action: keep
-            regex: Running

packages/core/installer/Makefile

@@ -25,6 +25,7 @@ image-cozystack:
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
+		--platform linux/amd64,linux/arm64 \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
@@ -34,8 +35,8 @@ image-cozystack:
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
-	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel

packages/core/installer/images/cozystack.json

@@ -1,4 +1,10 @@
 {
-  "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6",
-  "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+    "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
+    "size": 685
+  },
+  "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.6.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.9.0

packages/core/installer/images/cozystack/Dockerfile

@@ -3,12 +3,15 @@ FROM golang:alpine3.19 as k8s-await-election-builder
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
 
+# TARGETARCH is a docker special variable: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
+ARG TARGETARCH
+
 RUN apk add --no-cache git make
 RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && cd /usr/local/go/k8s-await-election \
  && git reset --hard v${K8S_AWAIT_ELECTION_VERSION} \
  && make \
- && mv ./out/k8s-await-election-amd64 /k8s-await-election
+ && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
 
 FROM alpine:3.19 AS builder
 

packages/core/installer/images/matchbox.json

@@ -1,4 +1,45 @@
 {
-  "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64",
+  "buildx.build.provenance": {
-  "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6"
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx",
+  "containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
+    "size": 1488,
+    "platform": {
+      "architecture": "amd64",
+      "os": "linux"
+    }
+  },
+  "containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
+  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0"
 }

packages/core/platform/bundles/distro-full.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator,cilium]
+
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium

packages/core/platform/bundles/distro-hosted.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -54,13 +67,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/core/platform/bundles/paas-full.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator,cilium,kubeovn]
+
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium
@@ -153,8 +166,8 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: [cilium,kubeovn]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
     kubeapps:
       redis: