Prepare release v0.10.4

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Makefile

@@ -6,6 +6,7 @@ build:
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
+	make -C packages/system/kamaji image
 	make -C packages/core/installer image
 	make manifests
 

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/templates/postgres.yaml

@@ -16,6 +16,10 @@ spec:
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
 
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
+
   {{- if .Values.users }}
   managed:
     roles:

packages/apps/http-cache/images/nginx-cache.json

@@ -32,17 +32,17 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/7j4plhjjn8onm0o8q0omik63x",
+  "buildx.build.ref": "buildkit/buildkit0/u67issjnvf8mayitrr0yjhyvg",
-  "containerimage.config.digest": "sha256:f30f57d817c596f7a7d0ecfe734b7b41994eca9d36d43307206314ee37bdb286",
+  "containerimage.config.digest": "sha256:4bfe7bdc746d0f7db6d8fccb4ef68c8b1dc2306c27e2716f589dee951bf86a03",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
+    "digest": "sha256:6b5dbb5319ddcf9f545ba0f7b8b3f2117e85bc96e684b5e3adf23e0fef5dde8d",
     "size": 1094,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
+  "containerimage.digest": "sha256:6b5dbb5319ddcf9f545ba0f7b8b3f2117e85bc96e684b5e3adf23e0fef5dde8d",
-  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.4"
 }

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.2
+version: 0.2.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/kafka.yaml

@@ -65,3 +65,8 @@ spec:
   entityOperator:
     topicOperator: {}
     userOperator: {}
+    template:
+      pod:
+        metadata:
+         labels:
+           policy.cozystack.io/allow-to-apiserver: "true"

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -32,7 +32,7 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/xkanpm0dojuj7v0lo951qocfb",
+  "buildx.build.ref": "buildkit/buildkit0/h1ysl3ux1rjq5dtblsuuc54l9",
   "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
@@ -44,5 +44,5 @@
     }
   },
   "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.4"
 }

packages/apps/kubernetes/templates/ingress.yaml

@@ -7,16 +7,14 @@ kind: Ingress
 metadata:
   name: {{ .Release.Name }}-ingress-nginx
   annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/backend-protocol: AUTO_HTTP
-    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "AUTO_HTTP"
     nginx.ingress.kubernetes.io/configuration-snippet: |
-      set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
+      if ($scheme = http) {
-      if ($scheme = https) {
+        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
-        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-443";
+        set $proxy_host $proxy_upstream_name;
-        set $service_port 443;
       }
-      set $proxy_host $proxy_upstream_name;
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
 spec:
   ingressClassName: "{{ $ingress }}"
   rules:
@@ -30,14 +28,14 @@ spec:
           service:
             name: {{ $.Release.Name }}-ingress-nginx
             port:
-              number: 80
+              number: 443
       - path: /
         pathType: ImplementationSpecific
         backend:
           service:
             name: {{ $.Release.Name }}-ingress-nginx
             port:
-              number: 443
+              number: 80
   {{- end }}
 ---
 apiVersion: v1

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/templates/db.yaml

@@ -19,3 +19,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.3.0
+version: 1.3.1

packages/apps/tenant/templates/namespace.yaml

@@ -1,3 +1,20 @@
+{{- define "cozystack.namespace-anotations" }}
+{{- $context := index . 0 }}
+{{- $existingNS := index . 1 }}
+{{- range $x := list "etcd" "monitoring" "ingress" }}
+{{- if (index $context.Values $x) }}
+namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $context }}"
+{{- else }}
+namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $context.Release.Namespace $x) }}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- if not $existingNS }}
+{{- fail (printf "error lookup existing namespace: %s" .Release.Namespace) }}
+{{- end }}
+
 {{- if ne (include "tenant.name" .) "tenant-root" }}
 ---
 apiVersion: v1
@@ -5,22 +22,25 @@ kind: Namespace
 metadata:
   name: {{ include "tenant.name" . }}
   {{- if hasPrefix "tenant-" .Release.Namespace }}
-  {{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-  {{- if $existingNS }}
   annotations:
     {{- if .Values.host }}
     namespace.cozystack.io/host: "{{ .Values.host }}"
     {{- else }}
-    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" $.Release.Namespace) }}
+    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" .Release.Namespace) }}
     namespace.cozystack.io/host: "{{ splitList "-" (include "tenant.name" .) | last }}.{{ $parentHost }}"
     {{- end }}
-    {{- range $x := list "etcd" "monitoring" "ingress" }}
+    {{- include "cozystack.namespace-anotations" (list . $existingNS) | nindent 4 }}
-    {{- if (index $.Values $x) }}
+  labels:
-    namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $ }}"
+    tenant.cozystack.io/{{ include "tenant.name" $ }}: ""
-    {{- else }}
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
-    namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}"
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: ""
     {{- end }}
     {{- end }}
+    {{- end }}
+    {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }}
   ownerReferences:
   - apiVersion: v1
     blockOwnerDeletion: true
@@ -28,8 +48,5 @@ metadata:
     kind: Namespace
     name: {{ .Release.Namespace }}
     uid: {{ $existingNS.metadata.uid }}
-  {{- else }}
-  {{- fail (printf "error lookup exiting namespace: %s" .Release.Namespace) }}
-  {{- end }}
   {{- end }}
 {{- end }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -29,55 +29,75 @@ spec:
       - world
 ---
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-from-system
+  name: {{ include "tenant.name" . }}-egress
-  namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector: {}
+  endpointSelector:
-  ingress:
+    matchLabels:
-  - fromEntities:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
-    - cluster
+  egress:
----
+  - toEndpoints:
-{{- if ne (include "tenant.name" .) "tenant-root" }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-from-upper-tenants
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEndpoints:
     - matchLabels:
-        "kubernetes.io/metadata.name": "tenant-root"
+        "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": ""
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
     {{- if hasPrefix "tenant-" .Release.Namespace }}
     {{- $parts := splitList "-" .Release.Namespace }}
     {{- range $i, $v := $parts }}
     {{- if ne $i 0 }}
     - matchLabels:
-        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
     {{- end }}
     {{- end }}
     {{- end }}
-{{- end }}
+  {{- end }}
 ---
-{{- if not .Values.etcd }}
-{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-to-etcd
+  name: {{ include "tenant.name" . }}-ingress
-  namespace: {{ include "tenant.name" . }}
 spec:
   endpointSelector:
     matchLabels:
-      policy.cozystack.io/allow-to-etcd: "true"
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
-  egress:
+  ingress:
-  - toEndpoints:
+  - fromEntities:
+    - kube-apiserver
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true"
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": kube-system
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - fromEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
     - matchLabels:
-        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
-        cozystack.io/service: etcd
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+---
+{{- if .Values.etcd }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-ingress-etcd
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      cozystack.io/service: etcd
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd": "{{ include "tenant.name" . }}"
+        policy.cozystack.io/allow-to-etcd: "true"
 {{- end }}
 ---
 apiVersion: cilium.io/v2
@@ -107,7 +127,7 @@ spec:
   egress:
   - toEndpoints:
     - matchLabels:
-        io.kubernetes.pod.namespace: kube-system
+        "k8s:io.kubernetes.pod.namespace": kube-system
         k8s-app: kube-dns
 ---
 apiVersion: cilium.io/v2
@@ -120,7 +140,7 @@ spec:
   egress:
   - toEndpoints:
       - matchLabels:
-          io.kubernetes.pod.namespace: cozy-dashboard
+          "k8s:io.kubernetes.pod.namespace": cozy-dashboard
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy

packages/apps/versions_map

@@ -1,13 +1,15 @@
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 HEAD
-ferretdb 0.1.0 HEAD
+ferretdb 0.1.0 4ffa8615
+ferretdb 0.1.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
-kafka 0.2.2 HEAD
+kafka 0.2.2 d0758692
+kafka 0.2.3 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -15,7 +17,9 @@ kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
 kubernetes 0.6.0 4cbc8a2c
 kubernetes 0.7.0 ceefae03
-kubernetes 0.8.0 HEAD
+kubernetes 0.8.0 ac11056e
+kubernetes 0.8.1 e54608d8
+kubernetes 0.8.2 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
@@ -24,7 +28,8 @@ postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
-postgres 0.4.0 HEAD
+postgres 0.4.0 ec283c33
+postgres 0.4.1 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -37,7 +42,8 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD

packages/core/installer/Makefile

@@ -26,7 +26,7 @@ image-cozystack:
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
 		--platform linux/amd64,linux/arm64 \
-		--cache-to type=inline \
+		--cache-to type=inline,mode=max \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
@@ -46,7 +46,7 @@ image-matchbox:
 		--tag $(REGISTRY)/matchbox:$(call settag,$(TAG)) \
 		--tag $(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/matchbox:latest \
-		--cache-to type=inline \
+		--cache-to type=inline,mode=max \
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)

packages/core/installer/images/cozystack.json

@@ -1,10 +1,10 @@
 {
-  "buildx.build.ref": "cozystack/cozystack0/zk58yqp4vkrfgx3gdjumn9k70",
+  "buildx.build.ref": "buildkit/buildkit0/n6lhtwop5zjb6wsgfaxvgm7wi",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
+    "digest": "sha256:629ce818af1441896a499120f62471934faf2fb8f7e9f922631f51c877de7b44",
     "size": 685
   },
-  "containerimage.digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
+  "containerimage.digest": "sha256:629ce818af1441896a499120f62471934faf2fb8f7e9f922631f51c877de7b44",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:latest
+ghcr.io/aenix-io/cozystack/cozystack:v0.10.4

packages/core/installer/images/matchbox.json

@@ -29,17 +29,17 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/qu2ygr61roizh7ga2l4kkmdx6",
+  "buildx.build.ref": "buildkit/buildkit0/bloh5mrl9qylqab5x8nsx7c3w",
-  "containerimage.config.digest": "sha256:94aa5abc006ac672ccdd91b8d9361fd14de6e0b286299f4e44dd09002becc3b7",
+  "containerimage.config.digest": "sha256:82ae30cc8115b1ff19eeaf9e99130268f25e4440ae285208aa48321da285c5ac",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
+    "digest": "sha256:22a4a0d40c9101af9c934425438ac39ca8312456d8b22ddd8b92d506b15e3517",
     "size": 1488,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
+  "containerimage.digest": "sha256:22a4a0d40c9101af9c934425438ac39ca8312456d8b22ddd8b92d506b15e3517",
-  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.4,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.4"
 }

packages/core/platform/bundles/distro-full.yaml

@@ -93,13 +93,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.2.0
+version: 1.2.1

packages/extra/monitoring/templates/grafana/db.yaml

@@ -6,3 +6,7 @@ spec:
   instances: 2
   storage:
     size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/extra/monitoring/templates/oncall/oncall-db.yaml

@@ -8,4 +8,8 @@ spec:
   instances: 2
   storage:
     size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
 {{- end }}

packages/extra/versions_map

@@ -8,4 +8,5 @@ ingress 1.1.0 838bee5d
 ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
-monitoring 1.2.0 HEAD
+monitoring 1.2.0 c9e0d63b
+monitoring 1.2.1 HEAD

packages/system/cilium/images/cilium.json

@@ -11,7 +11,7 @@
       {
         "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
         "digest": {
-          "sha256": "af9b40f2b1851be993763b85288f8434af87b5678af04355b1e33ff530b5765f"
+          "sha256": "39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407"
         }
       },
       {
@@ -45,17 +45,17 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/3a5uyqqyj3lnwkgdniwjp341a",
+  "buildx.build.ref": "buildkit/buildkit0/t1ir71rh3wc8qnuoktu7d4esj",
-  "containerimage.config.digest": "sha256:db99b8b1e565f406af5b240b1ef76b5cc3ba1b510c6e035e1497c5089d65ee12",
+  "containerimage.config.digest": "sha256:e4a2ffa097cfead78a8e7623cf186d5f594e72e139e4dda5a06bcd1c58c6838e",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
+    "digest": "sha256:8110f6b17ec98d87d9aebf3f4b99409f020840a958166e28c74b2d4e1bfb5a51",
     "size": 2083,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
+  "containerimage.digest": "sha256:8110f6b17ec98d87d9aebf3f4b99409f020840a958166e28c74b2d4e1bfb5a51",
-  "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.4"
 }

packages/system/dashboard/images/dashboard.json

@@ -35,17 +35,17 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/puq8k1x2nsc986l15a2vanb8s",
+  "buildx.build.ref": "buildkit/buildkit0/cwujns3lenpi0n9e0ippe836g",
-  "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307",
+  "containerimage.config.digest": "sha256:975a58288a675b6fb7b1a8a10d52e0c6090ba0fb3185f618ade444ad0b3c9993",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
+    "digest": "sha256:f6a14b2291c6750cb4cb4c1b8ddefdb5d32081a2a6af661d8b3bcfad731de695",
     "size": 703,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
+  "containerimage.digest": "sha256:f6a14b2291c6750cb4cb4c1b8ddefdb5d32081a2a6af661d8b3bcfad731de695",
-  "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.4"
 }

packages/system/dashboard/images/dashboard.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.10.1
+ghcr.io/aenix-io/cozystack/dashboard:v0.10.4

packages/system/dashboard/images/kubeapps-apis.json

@@ -11,7 +11,7 @@
       {
         "uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64",
         "digest": {
-          "sha256": "b13cb4b41be91e22858e9b050a51137b636a34694a92ff17c27cb010e5f93f04"
+          "sha256": "83bb31f8fcd1f639603350886a70a96204dc0de3368cb6b573170642c888cf82"
         }
       },
       {
@@ -41,17 +41,17 @@
       }
     }
   },
-  "buildx.build.ref": "cozystack/cozystack0/nk99hhpt81cl5xu6eecdk86qs",
+  "buildx.build.ref": "buildkit/buildkit0/p6nqttiwicifoqgamrjx2fdrq",
-  "containerimage.config.digest": "sha256:662ea8b8642d1c6662e5eef79ea8329863f5178a80457e1faf983506efe7a611",
+  "containerimage.config.digest": "sha256:348ce29b9ea660f8f9c35d2b103cf164ce82b057935da06a79cae1822934b8f7",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
+    "digest": "sha256:236fd33ce19599e06f3fedcc97a287880e1aab2354a6b17634e84a74d092e095",
     "size": 1890,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
+  "containerimage.digest": "sha256:236fd33ce19599e06f3fedcc97a287880e1aab2354a6b17634e84a74d092e095",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.4"
 }

packages/system/dashboard/images/kubeapps-apis.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.4

packages/system/kamaji/Makefile

@@ -1,6 +1,7 @@
 export NAME=kamaji
 export NAMESPACE=cozy-$(NAME)
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk
 
 update:
@@ -8,3 +9,19 @@ update:
 	helm repo add clastix https://clastix.github.io/charts
 	helm repo update clastix
 	helm pull clastix/kamaji --untar --untardir charts
+
+image:
+	docker buildx build images/kamaji \
+		--provenance false \
+		--tag $(REGISTRY)/kamaji:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/kamaji:latest \
+		--cache-to type=inline \
+		--metadata-file images/kamaji.json \
+		--push=$(PUSH) \
+		--label "org.opencontainers.image.source=https://github.com/aenix-io/cozystack"
+		--load=$(LOAD)
+	REPOSITORY="$(REGISTRY)/kamaji" \
+		yq -i '.kamaji.image.repository = strenv(REPOSITORY)' values.yaml
+	TAG=$(TAG)@$$(yq e '."containerimage.digest"' images/kamaji.json -o json -r) \
+		yq -i '.kamaji.image.tag = strenv(TAG)' values.yaml
+	rm -f images/kamaji.json

packages/system/kamaji/images/kamaji/Dockerfile

@@ -0,0 +1,25 @@
+# Build the manager binary
+FROM golang:1.22 as builder
+
+ARG VERSION=v1.0.0
+ARG TARGETOS TARGETARCH
+
+WORKDIR /workspace
+
+RUN curl -sSL https://github.com/clastix/kamaji/archive/refs/tags/v1.0.0.tar.gz | tar -xzvf- --strip=1
+
+COPY patches /patches
+RUN git apply /patches/enable-gc.diff
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build \
+    -ldflags "-X github.com/clastix/kamaji/internal.GitRepo=$GIT_REPO -X github.com/clastix/kamaji/internal.GitTag=$GIT_LAST_TAG -X github.com/clastix/kamaji/internal.GitCommit=$GIT_HEAD_COMMIT -X github.com/clastix/kamaji/internal.GitDirty=$GIT_MODIFIED -X github.com/clastix/kamaji/internal.BuildTime=$BUILD_DATE" \
+    -a -o kamaji main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/kamaji .
+USER 65532:65532
+
+ENTRYPOINT ["/kamaji"]

packages/system/kamaji/images/kamaji/patches/enable-gc.diff

@@ -0,0 +1,30 @@
+diff --git a/internal/kubeadm/uploadconfig.go b/internal/kubeadm/uploadconfig.go
+index 0dc9e71..e516390 100644
+--- a/internal/kubeadm/uploadconfig.go
++++ b/internal/kubeadm/uploadconfig.go
+@@ -98,21 +98,15 @@ func getKubeletConfigmapContent(kubeletConfiguration KubeletConfiguration) ([]by
+ 				CacheUnauthorizedTTL: zeroDuration,
+ 			},
+ 		},
+-		CgroupDriver:              kubeletConfiguration.TenantControlPlaneCgroupDriver,
+-		ClusterDNS:                kubeletConfiguration.TenantControlPlaneDNSServiceIPs,
+-		ClusterDomain:             kubeletConfiguration.TenantControlPlaneDomain,
+-		CPUManagerReconcilePeriod: zeroDuration,
+-		EvictionHard: map[string]string{
+-			"imagefs.available": "0%",
+-			"nodefs.available":  "0%",
+-			"nodefs.inodesFree": "0%",
+-		},
++		CgroupDriver:                     kubeletConfiguration.TenantControlPlaneCgroupDriver,
++		ClusterDNS:                       kubeletConfiguration.TenantControlPlaneDNSServiceIPs,
++		ClusterDomain:                    kubeletConfiguration.TenantControlPlaneDomain,
++		CPUManagerReconcilePeriod:        zeroDuration,
+ 		EvictionPressureTransitionPeriod: zeroDuration,
+ 		FileCheckFrequency:               zeroDuration,
+ 		HealthzBindAddress:               "127.0.0.1",
+ 		HealthzPort:                      pointer.To(int32(10248)),
+ 		HTTPCheckFrequency:               zeroDuration,
+-		ImageGCHighThresholdPercent:      pointer.To(int32(100)),
+ 		NodeStatusUpdateFrequency:        zeroDuration,
+ 		NodeStatusReportFrequency:        zeroDuration,
+ 		RotateCertificates:               true,

packages/system/kamaji/values.yaml

@@ -1,3 +1,7 @@
 kamaji:
   etcd:
     deploy: false
+  image:
+    pullPolicy: IfNotPresent
+    tag: v0.10.4@sha256:f7e4036ed809176dafc671953a5c95a652dc7d637a67470142e625103f91ca3d
+    repository: ghcr.io/aenix-io/cozystack/kamaji

packages/system/kubeovn/images/kubeovn.json

@@ -3,15 +3,15 @@
     "buildType": "https://mobyproject.org/buildkit@v1",
     "materials": [
       {
-        "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64",
+        "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.12.19?platform=linux%2Famd64",
         "digest": {
-          "sha256": "789041d6e02edaa9a28f9385e2175d47cecd564d163e7a0fb89d225de8ada2a2"
+          "sha256": "9f9e2199be2a0a10d058c3f45bda08d3a3ea9a8817170219a8f898c90ffbdf9e"
         }
       },
       {
         "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
         "digest": {
-          "sha256": "800e361142daeb47b5e5bce2ede55be8d67159be75748cb31cbb48798ebec39d"
+          "sha256": "39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407"
         }
       }
     ],
@@ -35,17 +35,17 @@
       }
     }
   },
-  "buildx.build.ref": "mybuild/mybuild0/sgrxqzg8w1l4zxyi2tpcluk8p",
+  "buildx.build.ref": "buildkit/buildkit0/m5gbswwgqddc64uba1uy011fy",
-  "containerimage.config.digest": "sha256:7bdcdea14eb90de0b87b53e79e1b1fbe35ead5be316a7b4f83859454cb5506af",
+  "containerimage.config.digest": "sha256:050f4b7fe5e8812106c70cc8865b109258f55e9d32f5ab92f1a76347ff620144",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81",
+    "digest": "sha256:af48ff43d05006403f2dbc072a98a1b167a4ddd7ba6d90a7063c9a30401f4bc5",
-    "size": 4621,
+    "size": 5015,
     "platform": {
       "architecture": "amd64",
       "os": "linux"
     }
   },
-  "containerimage.digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81",
+  "containerimage.digest": "sha256:af48ff43d05006403f2dbc072a98a1b167a4ddd7ba6d90a7063c9a30401f4bc5",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.10.0"
+  "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.10.4"
 }

packages/system/kubeovn/images/kubeovn/Dockerfile

@@ -1,4 +1,4 @@
-ARG VERSION=v1.13.0
+ARG VERSION=v1.12.19
 ARG BASE_TAG=$VERSION
 
 FROM golang:1.22-bookworm as builder