Update release images

Prepare release v0.4.0

hack/gen_versions_map.sh

@@ -20,9 +20,28 @@ miss_map=$(echo "$new_map" | awk 'NR==FNR { new_map[$1 " " $2] = $3; next } { if
 resolved_miss_map=$(
   echo "$miss_map" | while read chart version commit; do
     if [ "$commit" = HEAD ]; then
-      line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
+      line=$(awk '/^version:/ {print NR; exit}' "./$chart/Chart.yaml")
-      change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
+      change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
-      commit=$(git describe --always "$change_commit~1")
+       
+      if [ "$change_commit" = "00000000" ]; then
+        # Not commited yet, use previus commit
+        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
+        commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
+        if [ $(echo $commit | cut -c1) = "^" ]; then
+          # Previus commit not exists
+          commit=$(echo $commit | cut -c2-)
+        fi
+      else
+        # Commited, but version_map wasn't updated
+        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
+        change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
+        if [ $(echo $change_commit | cut -c1) = "^" ]; then
+          # Previus commit not exists
+          commit=$(echo $change_commit | cut -c2-)
+        else
+          commit=$(git describe --always "$change_commit~1")
+        fi
+      fi
     fi
     echo "$chart $version $commit"
   done

manifests/cozystack-installer.yaml

@@ -63,7 +63,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -82,7 +82,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/Makefile

@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index .
+	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/apps
 	rm -rf "$(TMP)"
 
 fix-chartnames:

packages/apps/clickhouse/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "24.3.0"

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -21,8 +21,8 @@ spec:
     clusters:
       - name: "clickhouse"
         layout:
-          shardsCount: 1
+          shardsCount: {{ .Values.shards }}
-          replicasCount: 2
+          replicasCount: {{ .Values.replicas }}
   {{- with .Values.size }}
   templates:
     volumeClaimTemplates:

packages/apps/clickhouse/values.yaml

@@ -1,4 +1,6 @@
 size: 10Gi
+shards: 1
+replicas: 2
 
 users:
   user1:

packages/apps/http-cache/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.25.3"

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:e406d5ac59cc06bbab51e16ae9a520143ad4f54952ef8f8cca982dc89454d616",
+  "containerimage.config.digest": "sha256:9eb68d2d503d7e22afc6fde2635f566fd3456bbdb3caad5dc9f887be1dc2b8ab",
-  "containerimage.digest": "sha256:08e5063e65d2adc17278abee0ab43ce31cf37bc9bc7eb7988ef16f1f1c459862"
+  "containerimage.digest": "sha256:1f44274dbc2c3be2a98e6cef83d68a041ae9ef31abb8ab069a525a2a92702bdd"
 }

packages/apps/http-cache/templates/haproxy/configmap.yaml

@@ -74,7 +74,7 @@ data:
         option redispatch 1
         default-server observe layer7 error-limit 10 on-error mark-down
 
-        {{- range $i, $e := until (int $.Values.replicas) }}
+        {{- range $i, $e := until (int $.Values.nginx.replicas) }}
         server cache{{ $i }} {{ $.Release.Name }}-nginx-cache-{{ $i }}:80 check
         {{- end }}
         {{- range $i, $e := $.Values.endpoints }} 

packages/apps/http-cache/templates/haproxy/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: 2
+  replicas: {{ .Values.haproxy.replicas }}
   selector:
     matchLabels:
       app: {{ .Release.Name }}-haproxy

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -11,7 +11,7 @@ spec:
   selector:
     matchLabels:
       app: {{ $.Release.Name }}-nginx-cache
-{{- range $i := until 3 }}
+{{- range $i := until (int $.Values.nginx.replicas) }}
 ---
 apiVersion: apps/v1
 kind: Deployment

packages/apps/http-cache/values.yaml

@@ -1,4 +1,10 @@
 external: false
+
+haproxy:
+  replicas: 2
+nginx:
+  replicas: 2
+
 size: 10Gi
 endpoints:
   - 10.100.3.1:80

packages/apps/kafka/Chart.yaml

@@ -22,4 +22,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "3.7.0"

packages/apps/kafka/templates/kafka.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
   kafka:
-    replicas: 3
+    replicas: {{ .Values.replicas }}
     listeners:
       - name: plain
         port: 9092
@@ -41,7 +41,7 @@ spec:
         {{- end }}
         deleteClaim: true
   zookeeper:
-    replicas: 3
+    replicas: {{ .Values.replicas }}
     storage:
       type: persistent-claim
       {{- with .Values.zookeeper.size }}

packages/apps/kafka/values.yaml

@@ -1,8 +1,10 @@
 external: false
 kafka:
   size: 10Gi
+  replicas: 3
 zookeeper:
   size: 5Gi
+  replicas: 3
 
 topics:
   - name: Results

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.19.0"

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:62baab666445d76498fb14cc1d0865fc82e4bdd5cb1d7ba80475dc5024184622",
+  "containerimage.config.digest": "sha256:a7e8e6e35ac07bcf6253c9cfcf21fd3c315bd0653ad0427dd5f0cae95ffd3722",
-  "containerimage.digest": "sha256:9363d717f966f4e7927da332eaaf17401b42203a2fcb493b428f94d096dae3a5"
+  "containerimage.digest": "sha256:c03bffeeb70fe7dd680d2eca3021d2405fbcd9961dd38437f5673560c31c72cc"
 }

packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml

@@ -15,6 +15,12 @@ spec:
       labels:
         app: {{ .Release.Name }}-cluster-autoscaler
     spec:
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
       - image: ghcr.io/kvaps/test:cluster-autoscaller
         name: cluster-autoscaler

packages/apps/kubernetes/templates/cluster.yaml

@@ -64,12 +64,13 @@ metadata:
     cluster.x-k8s.io/managed-by: kamaji
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
+{{- range $groupName, $group := .Values.nodeGroups }}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
 metadata:
-  name: {{ .Release.Name }}-md-0
+  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
 spec:
   template:
     spec:
@@ -78,7 +79,7 @@ spec:
           kubeletExtraArgs: {}
         discovery:
           bootstrapToken:
-            apiServerEndpoint: {{ .Release.Name }}.{{ .Release.Namespace }}.svc:6443
+            apiServerEndpoint: {{ $.Release.Name }}.{{ $.Release.Namespace }}.svc:6443
       initConfiguration:
         skipPhases:
         - addon/kube-proxy
@@ -86,8 +87,8 @@ spec:
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ .Release.Name }}-md-0
+  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
 spec:
   template:
     spec:
@@ -95,7 +96,7 @@ spec:
         checkStrategy: ssh
       virtualMachineTemplate:
         metadata:
-          namespace: {{ .Release.Namespace }}
+          namespace: {{ $.Release.Namespace }}
         spec:
           runStrategy: Always
           template:
@@ -103,7 +104,7 @@ spec:
               domain:
                 cpu:
                   threads: 1
-                  cores: 2
+                  cores: {{ $group.resources.cpu }}
                   sockets: 1
                 devices:
                   disks:
@@ -112,7 +113,7 @@ spec:
                     name: containervolume
                   networkInterfaceMultiqueue: true
                 memory:
-                  guest: 1024Mi
+                  guest: {{ $group.resources.memory }}
               evictionStrategy: External
               volumes:
               - containerDisk:
@@ -122,29 +123,28 @@ spec:
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
 metadata:
-  name: {{ .Release.Name }}-md-0
+  name: {{ $.Release.Name }}-{{ $groupName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
   annotations:
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "2"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ $group.minReplicas }}"
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "0"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ $group.maxReplicas }}"
-    capacity.cluster-autoscaler.kubernetes.io/memory: "1024Mi"
+    capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $group.resources.memory }}"
-    capacity.cluster-autoscaler.kubernetes.io/cpu: "2"
+    capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $group.resources.cpu }}"
 spec:
-  clusterName: {{ .Release.Name }}
+  clusterName: {{ $.Release.Name }}
-  selector:
-    matchLabels: null
   template:
     spec:
       bootstrap:
         configRef:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
-          name: {{ .Release.Name }}-md-0
+          name: {{ $.Release.Name }}-{{ $groupName }}
           namespace: default
-      clusterName: {{ .Release.Name }}
+      clusterName: {{ $.Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ .Release.Name }}-md-0
+        name: {{ $.Release.Name }}-{{ $groupName }}
         namespace: default
-      version: v1.23.10
+      version: v1.29.0
+{{- end }}

packages/apps/kubernetes/templates/csi/deploy.yaml

@@ -16,12 +16,10 @@ spec:
     spec:
       serviceAccountName: {{ .Release.Name }}-kcsi
       priorityClassName: system-cluster-critical
-      nodeSelector:
-        node-role.kubernetes.io/control-plane: ""
       tolerations:
         - key: CriticalAddonsOnly
           operator: Exists
-        - key: node-role.kubernetes.io/master
+        - key: node-role.kubernetes.io/control-plane
           operator: Exists
           effect: "NoSchedule"
       containers:

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -12,6 +12,12 @@ spec:
     spec:
       serviceAccountName: {{ .Release.Name }}-flux-teardown
       restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
         - name: kubectl
           image: docker.io/clastix/kubectl:v1.29.1

packages/apps/kubernetes/templates/kccm/manager.yaml

@@ -14,6 +14,12 @@ spec:
       labels:
         k8s-app: {{ .Release.Name }}-kccm
     spec:
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
       - name: kubevirt-cloud-controller-manager
         args:
@@ -44,6 +50,4 @@ spec:
       - secret:
           secretName: {{ .Release.Name }}-admin-kubeconfig
         name: kubeconfig
-      tolerations:
-      - operator: Exists
       serviceAccountName: {{ .Release.Name }}-kccm

packages/apps/kubernetes/values.schema.json

@@ -1,11 +0,0 @@
-{
-  "$schema": "http://json-schema.org/schema#",
-  "type": "object",
-  "properties": {
-    "host": {
-      "type": "string",
-      "title": "Domain name for this kubernetes cluster",
-      "description": "This host will be used for all apps deployed in this tenant"
-    }
-  }
-}

packages/apps/kubernetes/values.yaml

@@ -1 +1,10 @@
 host: ""
+controlPlane:
+  replicas: 2
+nodeGroups:
+  md0:
+    minReplicas: 0
+    maxReplicas: 10
+    resources:
+      cpu: 2
+      memory: 1024Mi

packages/apps/mysql/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "11.0.2"

packages/apps/mysql/templates/mariadb.yaml

@@ -12,7 +12,7 @@ spec:
 
   port: 3306
 
-  replicas: 2
+  replicas: {{ .Values.replicas }}
   affinity:
     podAntiAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
@@ -28,11 +28,13 @@ spec:
             - {{ .Release.Name }}
         topologyKey: "kubernetes.io/hostname"
 
+  {{- if gt (int .Values.replicas) 1 }}
   replication:
     enabled: true
     #primary:
     #  podIndex: 0
     #  automaticFailover: true
+  {{- end }}
 
   metrics:
     enabled: true

packages/apps/mysql/values.yaml

@@ -1,6 +1,8 @@
 external: false
 size: 10Gi
 
+replicas: 2
+
 users:
   root:
     password: strongpassword

packages/apps/postgres/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "16.2"

packages/apps/postgres/templates/db.yaml

@@ -4,7 +4,7 @@ kind: Cluster
 metadata:
   name: {{ .Release.Name }}
 spec:
-  instances: 2
+  instances: {{ .Values.replicas }}
   enableSuperuserAccess: true
 
   postgresql:

packages/apps/postgres/values.yaml

@@ -1,5 +1,6 @@
 external: false
 size: 10Gi
+replicas: 2
 
 users:
   user1:

packages/apps/rabbitmq/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "3.12.2"

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: 3
+  replicas: {{ .Values.replicas }}
   {{- if .Values.external }}
   service:
     type: LoadBalancer

packages/apps/rabbitmq/values.schema.json

@@ -5,6 +5,10 @@
     "external": {
       "type": "boolean",
       "title": "Enable external Access"
+    },
+    "replicas": {
+      "type": "integer",
+      "title": "Replicas"
     }
   }
 }

packages/apps/rabbitmq/values.yaml

@@ -1 +1,2 @@
+replicas: 3
 external: false

packages/apps/redis/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "6.2.6"

packages/apps/redis/templates/redisfailover.yaml

@@ -14,7 +14,7 @@ spec:
       limits:
         memory: 100Mi
   redis:
-    replicas: 3
+    replicas: {{ .Values.replicas }}
     resources:
       requests:
         cpu: 150m

packages/apps/redis/values.schema.json

@@ -9,6 +9,10 @@
     "size": {
       "type": "string",
       "title": "Disk Size"
+    },
+    "replicas": {
+      "type": "integer",
+      "title": "Replicas"
     }
   }
 }

packages/apps/redis/values.yaml

@@ -1,2 +1,3 @@
+replicas: 2
 external: false
 size: 5Gi

packages/apps/tcp-balancer/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "2.9.7"

packages/apps/tcp-balancer/templates/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: 2
+  replicas: {{ .Values.replicas }}
   selector:
     matchLabels:
       app: {{ .Release.Name }}-haproxy

packages/apps/tcp-balancer/values.yaml

@@ -1,4 +1,5 @@
 external: false
+replicas: 2
 httpAndHttps:
   mode: tcp
   targetPorts:

packages/apps/versions_map

@@ -1,17 +1,26 @@
-clickhouse 0.1.0 HEAD
+clickhouse 0.1.0 ca79f72
-http-cache 0.1.0 HEAD
+clickhouse 0.2.0 HEAD
+http-cache 0.1.0 a956713
+http-cache 0.2.0 HEAD
 kafka 0.1.0 HEAD
-kubernetes 0.1.0 HEAD
+kubernetes 0.1.0 f642698
+kubernetes 0.2.0 HEAD
 mysql 0.1.0 f642698
-mysql 0.2.0 HEAD
+mysql 0.2.0 8b975ff0
-postgres 0.1.0 HEAD
+mysql 0.3.0 HEAD
-rabbitmq 0.1.0 HEAD
+postgres 0.1.0 f642698
-redis 0.1.1 HEAD
+postgres 0.2.0 HEAD
-tcp-balancer 0.1.0 HEAD
+rabbitmq 0.1.0 f642698
+rabbitmq 0.2.0 HEAD
+redis 0.1.1 f642698
+redis 0.2.0 HEAD
+tcp-balancer 0.1.0 f642698
+tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 HEAD
-vpn 0.1.0 HEAD
+vpn 0.1.0 f642698
+vpn 0.2.0 HEAD

packages/apps/vpn/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vpn
-description: Establish a connection from your computer
+description: Managed VPN service
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.8.1"

packages/apps/vpn/templates/deployment.yaml

@@ -4,7 +4,7 @@ kind: Deployment
 metadata:
   name: {{ .Release.Name }}-vpn
 spec:
-  replicas: 2
+  replicas: {{ .Values.replicas }}
   selector:
     matchLabels:
       app: {{ .Release.Name }}-vpn

packages/apps/vpn/values.yaml

@@ -1,4 +1,5 @@
 external: false
+replicas: 2
 
 users:
   user1:

packages/core/installer/images/cozystack.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:29b11ecbb92bae830f2e55cd4b6f7f3ada09b2f5514c0eeee395bd2dbd12fb81",
+  "containerimage.config.digest": "sha256:aefc3ca9f56f69270d7ce6f56a1ce5b531332d5641481eb54c8e74b66b0f3341",
-  "containerimage.digest": "sha256:791df989ff37a76062c7c638dbfc93435df9ee0db48797f2045c80b6d6b937c0"
+  "containerimage.digest": "sha256:a2bf43cb7eb812166edfeb1a4fae6a76a4ddba93be2c0ba9040a804ccb53c261"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.3.1
+ghcr.io/aenix-io/cozystack/cozystack:v0.4.0

packages/core/installer/images/matchbox.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:d63ac434876b4e47c130e6b99f0c9657e718f9d97f522f5ccd878eab75844122",
+  "containerimage.config.digest": "sha256:68ea72fcc581352fabfd87fa6fd482968cc85ee520cab7a614f1244d7ae36eb0",
-  "containerimage.digest": "sha256:9963580a02ac4ddccafb60f2411365910bcadd73f92d1c9187a278221306a4ed"
+  "containerimage.digest": "sha256:cea915e08a19eb6892f3facf3b3648368cd4a05abefc49bc2616ba3340c27e82"
 }

packages/core/installer/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v1.6.4
+ghcr.io/aenix-io/cozystack/matchbox:v1.7.1

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: initramfs
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: installer
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: iso
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: kernel
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,25 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
-  kind: image
+  kind: nocloud
   imageOptions: { diskSize: 1306525696, diskFormat: raw }
   outFormat: .xz

packages/core/platform/bundles/distro-full.yaml

@@ -52,6 +52,12 @@ releases:
   privileged: true
   dependsOn: [cilium]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cilium,cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/distro-hosted.yaml

@@ -26,6 +26,12 @@ releases:
   privileged: true
   dependsOn: [victoria-metrics-operator]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/paas-full.yaml

@@ -81,6 +81,12 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cilium,kubeovn,cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/paas-hosted.yaml

@@ -26,6 +26,12 @@ releases:
   privileged: true
   dependsOn: [victoria-metrics-operator]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/templates/helmreleases.yaml

@@ -23,9 +23,11 @@ spec:
   interval: 1m
   releaseName: {{ $x.releaseName | default $x.name }}
   install:
+    crds: CreateReplace
     remediation:
       retries: -1
   upgrade:
+    crds: CreateReplace
     remediation:
       retries: -1
   chart:

packages/extra/Makefile

@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index .
+	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/extra
 	rm -rf "$(TMP)"
 
 fix-chartnames:

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 1.0.0
+version: 2.0.0

packages/extra/etcd/templates/datastore.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: {{ .Release.Namespace }}
+spec:
+  driver: etcd
+  endpoints:
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  tlsConfig:
+    certificateAuthority:
+      certificate:
+        secretReference:
+          keyPath: tls.crt
+          name: etcd-ca-tls
+          namespace: {{ .Release.Namespace }}
+      privateKey:
+        secretReference:
+          keyPath: tls.key
+          name: etcd-ca-tls
+          namespace: {{ .Release.Namespace }}
+    clientCertificate:
+      certificate:
+        secretReference:
+          keyPath: tls.crt
+          name: etcd-client-tls
+          namespace: {{ .Release.Namespace }}
+      privateKey:
+        secretReference:
+          keyPath: tls.key
+          name: etcd-client-tls
+          namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-ca-tls
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/resource-policy: keep
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-client-tls
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/resource-policy: keep

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -0,0 +1,176 @@
+---
+apiVersion: etcd.aenix.io/v1alpha1
+kind: EtcdCluster
+metadata:
+  name: etcd
+spec:
+  storage: {}
+  security:
+    tls:
+      peerTrustedCASecret: etcd-peer-ca-tls
+      peerSecret: etcd-peer-tls
+      serverSecret: etcd-server-tls
+      clientTrustedCASecret: etcd-ca-tls
+      clientSecret: etcd-client-tls
+  podTemplate:
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/instance: etcd
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-selfsigning-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer-ca
+spec:
+  isCA: true
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "cert sign"
+  commonName: etcd-peer-ca
+  subject:
+    organizations:
+      - ACME Inc.
+    organizationalUnits:
+      - Widgets
+  secretName: etcd-peer-ca-tls
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-selfsigning-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-ca
+spec:
+  isCA: true
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "cert sign"
+  commonName: etcd-ca
+  subject:
+    organizations:
+      - ACME Inc.
+    organizationalUnits:
+      - Widgets
+  secretName: etcd-ca-tls
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-selfsigning-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-peer-issuer
+spec:
+  ca:
+    secretName: etcd-peer-ca-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-issuer
+spec:
+  ca:
+    secretName: etcd-ca-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-server
+spec:
+  secretName: etcd-server-tls
+  isCA: false
+  usages:
+    - "server auth"
+    - "signing"
+    - "key encipherment"
+  dnsNames:
+  - etcd-0
+  - etcd-0.etcd-headless
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-1
+  - etcd-1.etcd-headless
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-2
+  - etcd-2.etcd-headless
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
+  - localhost
+  - "127.0.0.1"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer
+spec:
+  secretName: etcd-peer-tls
+  isCA: false
+  usages:
+    - "server auth"
+    - "client auth"
+    - "signing"
+    - "key encipherment"
+  dnsNames:
+  - etcd-0
+  - etcd-0.etcd-headless
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-1
+  - etcd-1.etcd-headless
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-2
+  - etcd-2.etcd-headless
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
+  - localhost
+  - "127.0.0.1"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-peer-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-client
+spec:
+  commonName: root
+  secretName: etcd-client-tls
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "client auth"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-issuer
+    kind: Issuer

packages/extra/etcd/templates/kamaji-etcd.yaml

@@ -1,19 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kamaji-etcd
-spec:
-  chart:
-    spec:
-      chart: cozy-kamaji-etcd
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '*'
-  interval: 1m0s
-  timeout: 5m0s
-  values:
-    kamaji-etcd:
-      fullnameOverride: etcd

packages/extra/versions_map

@@ -1,3 +1,4 @@
-etcd 1.0.0 HEAD
+etcd 1.0.0 f7eaab0
+etcd 2.0.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD

packages/system/capi-providers/templates/providers.yaml

@@ -13,7 +13,7 @@ spec:
   deployment:
     containers:
     - name: manager
-      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.6.0-fix7
+      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider

packages/system/dashboard/charts/kubeapps/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.19.2
+  version: 19.0.2
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.4.6
+  version: 15.2.4
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.19.0
+  version: 2.19.1
-digest: sha256:b4965a22517e61212e78abb8d1cbe86e800c8664b3139e2047f4bd62b3e55b24
+digest: sha256:2ff034d67cb1b9c11f0243b3ab9a6a8642bf12142df2f86043f9006adf6dbba1
-generated: "2024-03-13T11:51:34.216594+01:00"
+generated: "2024-04-08T09:01:34.727544997Z"

packages/system/dashboard/charts/kubeapps/Chart.yaml

@@ -2,33 +2,33 @@ annotations:
   category: Infrastructure
   images: |
     - name: kubeapps-apis
-      image: docker.io/bitnami/kubeapps-apis:2.9.0-debian-12-r19
+      image: docker.io/bitnami/kubeapps-apis:2.10.0-debian-12-r0
     - name: kubeapps-apprepository-controller
-      image: docker.io/bitnami/kubeapps-apprepository-controller:2.9.0-debian-12-r18
+      image: docker.io/bitnami/kubeapps-apprepository-controller:2.10.0-debian-12-r0
     - name: kubeapps-asset-syncer
-      image: docker.io/bitnami/kubeapps-asset-syncer:2.9.0-debian-12-r19
+      image: docker.io/bitnami/kubeapps-asset-syncer:2.10.0-debian-12-r0
     - name: kubeapps-dashboard
-      image: docker.io/bitnami/kubeapps-dashboard:2.9.0-debian-12-r18
+      image: docker.io/bitnami/kubeapps-dashboard:2.10.0-debian-12-r0
     - name: kubeapps-oci-catalog
-      image: docker.io/bitnami/kubeapps-oci-catalog:2.9.0-debian-12-r17
+      image: docker.io/bitnami/kubeapps-oci-catalog:2.10.0-debian-12-r0
     - name: kubeapps-pinniped-proxy
-      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.9.0-debian-12-r17
+      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.10.0-debian-12-r0
     - name: nginx
-      image: docker.io/bitnami/nginx:1.25.4-debian-12-r3
+      image: docker.io/bitnami/nginx:1.25.4-debian-12-r7
     - name: oauth2-proxy
-      image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r4
+      image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r7
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.9.0
+appVersion: 2.10.0
 dependencies:
 - condition: packaging.flux.enabled
   name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.x.x
+  version: 19.x.x
 - condition: packaging.helm.enabled
   name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.x.x
+  version: 15.x.x
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   tags:
@@ -51,4 +51,4 @@ maintainers:
 name: kubeapps
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
-version: 14.7.2
+version: 15.0.2

packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml

@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.19.0
+appVersion: 2.19.1
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.19.0
+version: 2.19.1

packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl

@@ -11,7 +11,7 @@ These presets are for basic testing and not meant to be used in production
 {{ include "common.resources.preset" (dict "type" "nano") -}}
 */}}
 {{- define "common.resources.preset" -}}
-{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}}
 {{- $presets := dict 
   "nano" (dict 
       "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
@@ -34,11 +34,11 @@ These presets are for basic testing and not meant to be used in production
       "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
    )
   "xlarge" (dict 
-      "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+      "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi")
       "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
    )
   "2xlarge" (dict 
-      "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+      "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi")
       "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
    )
  }}
@@ -47,4 +47,4 @@ These presets are for basic testing and not meant to be used in production
 {{- else -}}
 {{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}

packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml

@@ -35,4 +35,4 @@ maintainers:
 name: redis
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/redis
-version: 18.19.2
+version: 19.0.2

packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml

@@ -28,8 +28,8 @@ spec:
       {{- if .Values.metrics.podMonitor.honorLabels }}
       honorLabels: {{ .Values.metrics.podMonitor.honorLabels }}
       {{- end }}
-      {{- if .Values.metrics.podMonitor.relabellings }}
+      {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
-      relabelings: {{- toYaml .Values.metrics.podMonitor.relabellings | nindent 6 }}
+      relabelings: {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- if .Values.metrics.podMonitor.metricRelabelings }}
       metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
       {{- if .honorLabels }}
       honorLabels: {{ .honorLabels }}
       {{- end }}
-      {{- if .relabellings }}
+      {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
-      relabelings: {{- toYaml .relabellings | nindent 6 }}
+      relabelings: {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- if .metricRelabelings }}
       metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}

packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml

@@ -598,8 +598,9 @@ spec:
           image: {{ template "redis.kubectl.image" . }}
           imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }}
           command: {{- toYaml .Values.kubectl.command | nindent 12 }}
-          securityContext:
+          {{- if .Values.kubectl.containerSecurityContext.enabled }}
-            runAsUser: 0
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubectl.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: kubectl-shared
               mountPath: /etc/shared

packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml

@@ -28,8 +28,8 @@ spec:
       {{- if .Values.metrics.serviceMonitor.honorLabels }}
       honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
       {{- end }}
-      {{- if .Values.metrics.serviceMonitor.relabellings }}
+      {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
-      relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }}
+      relabelings: {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
       metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
       {{- if .honorLabels }}
       honorLabels: {{ .honorLabels }}
       {{- end }}
-      {{- if .relabellings }}
+      {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
-      relabelings: {{- toYaml .relabellings | nindent 6 }}
+      relabelings: {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- if .metricRelabelings }}
       metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}

packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml

@@ -30,7 +30,7 @@ global:
     openshift:
       ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
       ##
-      adaptSecurityContext: disabled
+      adaptSecurityContext: auto
 ## @section Common parameters
 ##
 
@@ -275,7 +275,7 @@ master:
   ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -315,12 +315,12 @@ master:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -737,7 +737,7 @@ replica:
   ## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -777,12 +777,12 @@ replica:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -1306,7 +1306,7 @@ sentinel:
   ## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -1332,12 +1332,12 @@ sentinel:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -1708,12 +1708,12 @@ metrics:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -1729,7 +1729,7 @@ metrics:
   ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -1812,7 +1812,10 @@ metrics:
     ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
     ##
     scrapeTimeout: ""
-    ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+    ## @param metrics.serviceMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+    ##
+    relabelings: []
+    ## @skip metrics.serviceMonitor.relabellings DEPRECATED: Use `metrics.serviceMonitor.relabelings` instead.
     ##
     relabellings: []
     ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1866,7 +1869,10 @@ metrics:
     ## @param metrics.podMonitor.scrapeTimeout The timeout after which the scrape is ended
     ##
     scrapeTimeout: ""
-    ## @param metrics.podMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+    ## @param metrics.podMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+    ##
+    relabelings: []
+    ## @skip metrics.podMonitor.relabellings DEPRECATED: Use `metrics.podMonitor.relabelings` instead.
     ##
     relabellings: []
     ## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1988,7 +1994,7 @@ volumePermissions:
   ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -2009,7 +2015,7 @@ volumePermissions:
   ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
   ##
   containerSecurityContext:
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 0
 
 ## Kubectl InitContainer
@@ -2046,6 +2052,30 @@ kubectl:
   ## @param kubectl.command kubectl command to execute
   ##
   command: ["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]
+  ## Configure Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param kubectl.containerSecurityContext.enabled Enabled kubectl containers' Security Context
+  ## @param kubectl.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+  ## @param kubectl.containerSecurityContext.runAsUser Set kubectl containers' Security Context runAsUser
+  ## @param kubectl.containerSecurityContext.runAsGroup Set kubectl containers' Security Context runAsGroup
+  ## @param kubectl.containerSecurityContext.runAsNonRoot Set kubectl containers' Security Context runAsNonRoot
+  ## @param kubectl.containerSecurityContext.allowPrivilegeEscalation Set kubectl containers' Security Context allowPrivilegeEscalation
+  ## @param kubectl.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
+  ## @param kubectl.containerSecurityContext.seccompProfile.type Set kubectl containers' Security Context seccompProfile
+  ## @param kubectl.containerSecurityContext.capabilities.drop Set kubectl containers' Security Context capabilities to drop
+  ##
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: {}
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop: ["ALL"]
   ## Bitnami Kubectl resource requests and limits
   ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
   ## @param kubectl.resources.limits The resources limits for the kubectl containers
@@ -2096,7 +2126,7 @@ sysctl:
   ## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:

packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml

@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
   name: {{ template "kubeapps.apprepository.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/apprepository/networkpolicy.yaml

@@ -0,0 +1,59 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.packaging.helm.enabled .Values.apprepository.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "kubeapps.apprepository.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: apprepository
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.apprepository.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: apprepository
+  {{- if .Values.apprepository.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+        {{- range $port := .Values.apprepository.networkPolicy.kubeAPIServerPorts }}
+        - port: {{ $port }}
+        {{- end }}
+    # Allow connection to PostgreSQL
+    - ports:
+        - port: {{ include "kubeapps.postgresql.port" . }}
+      {{- if .Values.postgresql.enabled }}
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: postgresql
+              app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- end }}
+    {{- if .Values.apprepository.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    {{- if .Values.apprepository.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}

packages/system/dashboard/charts/kubeapps/templates/apprepository/rbac.yaml

@@ -12,7 +12,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: Role
 metadata:
   name: {{ template "kubeapps.apprepository.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: apprepository
   {{- if .Values.commonAnnotations }}
@@ -73,7 +73,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: RoleBinding
 metadata:
   name: {{ template "kubeapps.apprepository.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: apprepository
   {{- if .Values.commonAnnotations }}
@@ -112,7 +112,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: Role
 metadata:
   name: {{ printf "%s-repositories-read" .Release.Name }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: apprepository
   {{- if .Values.commonAnnotations }}
@@ -132,7 +132,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: Role
 metadata:
   name: {{ printf "%s-repositories-write" .Release.Name }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: apprepository
   {{- if .Values.commonAnnotations }}

packages/system/dashboard/charts/kubeapps/templates/apprepository/serviceaccount.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "kubeapps.apprepository.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "kubeapps.dashboard-config.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml

@@ -3,12 +3,12 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- if .Values.dashboard.enabled -}}
+{{- if .Values.dashboard.enabled }}
 apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
   name: {{ template "kubeapps.dashboard.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/dashboard/networkpolicy.yaml

@@ -0,0 +1,71 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.dashboard.enabled .Values.dashboard.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "kubeapps.dashboard.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dashboard
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dashboard.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: dashboard
+  {{- if .Values.dashboard.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+        {{- range $port := .Values.dashboard.networkPolicy.kubeAPIServerPorts }}
+        - port: {{ $port }}
+        {{- end }}
+    {{- if .Values.dashboard.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+        - port: {{ .Values.dashboard.containerPorts.http }}
+      {{- if not .Values.dashboard.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+        {{- if .Values.dashboard.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.dashboard.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}

packages/system/dashboard/charts/kubeapps/templates/dashboard/service.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kubeapps.dashboard.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "kubeapps.frontend-config.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml

@@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
   name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/frontend/networkpolicy.yaml

@@ -0,0 +1,77 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.frontend.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: frontend
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.frontend.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: frontend
+  {{- if .Values.frontend.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+        {{- range $port := .Values.frontend.networkPolicy.kubeAPIServerPorts }}
+        - port: {{ $port }}
+        {{- end }}
+    {{- if .Values.frontend.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+        - port: {{ .Values.frontend.containerPorts.http }}
+        {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }}
+        - port: {{ .Values.authProxy.containerPorts.proxy }}
+        {{- end }}
+        {{- if .Values.pinnipedProxy.enabled }}
+        - port: {{ .Values.pinnipedProxy.containerPorts.pinnipedProxy }}
+        {{- end }}
+      {{- if not .Values.frontend.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+        {{- if .Values.frontend.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.frontend.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.frontend.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}

packages/system/dashboard/charts/kubeapps/templates/frontend/oauth2-secret.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "kubeapps.oauth2_proxy-secret.name" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/frontend/service.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
@@ -64,7 +64,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kubeapps.pinniped-proxy.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: frontend
   {{- if or .Values.pinnipedProxy.service.annotations .Values.commonAnnotations }}

packages/system/dashboard/charts/kubeapps/templates/ingress-api.yaml

@@ -15,7 +15,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ template "common.names.fullname" . }}-http-api
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
   {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
@@ -75,7 +75,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if or .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations }}
   {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}

packages/system/dashboard/charts/kubeapps/templates/ingress.yaml

@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
   {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/configmap.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ printf "%s-configmap" (include "kubeapps.kubeappsapis.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml

@@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
   name: {{ template "kubeapps.kubeappsapis.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/networkpolicy.yaml

@@ -0,0 +1,74 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.kubeappsapis.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "kubeapps.kubeappsapis.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.kubeappsapis.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: kubeappsapis
+  {{- if .Values.kubeappsapis.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+        {{- range $port := .Values.kubeappsapis.networkPolicy.kubeAPIServerPorts }}
+        - port: {{ $port }}
+        {{- end }}
+    {{- if .Values.kubeappsapis.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+        - port: {{ .Values.kubeappsapis.containerPorts.http }}
+        {{- if .Values.ociCatalog.enabled }}
+        - port: {{ .Values.ociCatalog.containerPorts.grpc }}
+        {{- end }}
+      {{- if not .Values.kubeappsapis.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+        {{- if .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.kubeappsapis.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml

@@ -53,6 +53,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ include "common.names.namespace" . | quote }}
 {{- end }}
 {{- end }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/service.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kubeapps.kubeappsapis.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/serviceaccount.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/shared/config.yaml

@@ -8,7 +8,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "kubeapps.clusters-config.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}

packages/system/dashboard/charts/kubeapps/templates/tls-secrets.yaml

@@ -30,7 +30,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $secretName }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}