Update values.yaml with image metadata after build

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Makefile

@@ -3,6 +3,7 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
+	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image

hack/build-images.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+REGISTRY=$1
+NAME=$2
+TYPE=$3
+PUSH=$4
+LOAD=$5
+
+# an example for packages/system/capi-operator, native image and transformed one
+# registry.k8s.io/capi-operator/cluster-api-operator:v0.8.1
+# ghcr.io/aenix-io/cozystack/system/capi-operator/cluster-api-operator:v0.8.1
+
+find images -mindepth 1 -maxdepth 1 -type d | \
+    while read dockerfile_path; do
+        image_name=$(echo $dockerfile_path | awk -F/ '{print $2}')
+        tag=$(egrep -o "FROM .*$image_name.*" $dockerfile_path/Dockerfile | awk -F: '{print $NF}')
+        docker buildx build $dockerfile_path \
+            --provenance=false \
+            --tag=$REGISTRY/$TYPE/$image_name:$tag \
+            --cache-from=type=registry,ref=$REGISTRY/$TYPE/$image_name:latest \
+            --cache-to=type=inline \
+            --push=$PUSH \
+            --load=$LOAD
+    done
+

hack/update-dockerfiles.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+function update_dockerfile() {
+    local image=$1
+    local image_name=$(echo $image | awk -F/ '{print $NF}' | awk -F: '{print $1}')
+
+    [[ -z $image_name ]] && { echo "image_name is empty for image: $image">&2; exit 1; }
+    mkdir -p images/$image_name
+    if [[ ! -f images/$image_name/Dockerfile ]];
+        then
+            echo "FROM $image" > images/$image_name/Dockerfile
+        else
+            sed -i "s|FROM .*$image_name.*|FROM $image|" images/$image_name/Dockerfile
+        fi
+}
+
+
+function with_helm() {
+    helm template . | awk '/^[ \t"-]*image["]*: [a-zA-Z0-9/:@"\.-]+$/{print $NF}' | sed 's/"//g' | \
+        while read image; do
+            update_dockerfile $image
+        done
+}
+
+function with_grep() {
+}
+
+[[ -z $1 ]] && with_helm || $1
+

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -14,6 +14,7 @@ spec:
       {{- range $name, $u := . }}
       {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
+      {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
     {{- end }}
     profiles:

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf",
-  "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb"
+  "containerimage.config.digest": "sha256:31dedc466b9f92131f3e0f35b47d1f3771b6895d5b9a6cc089786b76b00c3a25",
+  "containerimage.digest": "sha256:86c7a8f2a11cbede492c778ffd67c759f722ab6958cab4a9df66af4035b1d7d9"
 }

packages/apps/versions_map

@@ -1,5 +1,6 @@
 clickhouse 0.1.0 ca79f72
-clickhouse 0.2.0 HEAD
+clickhouse 0.2.0 7cd7de73
+clickhouse 0.2.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2

packages/core/installer/images/cozystack.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
-  "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
+  "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10",
+  "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.6.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.7.0

packages/core/installer/images/matchbox.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64",
-  "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6"
+  "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff",
+  "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2"
 }

packages/core/platform/bundles/distro-hosted.yaml

@@ -54,13 +54,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/core/platform/bundles/paas-hosted.yaml

@@ -54,13 +54,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/system/capi-operator/Makefile

@@ -1,11 +1,42 @@
 NAME=capi-operator
 NAMESPACE=cozy-cluster-api
+TYPE=system
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk
 
-update:
+update: update-charts update-dockerfiles update-images
+
+update-charts:
 	rm -rf charts
 	helm repo add capi-operator https://kubernetes-sigs.github.io/cluster-api-operator
 	helm repo update capi-operator
 	helm pull capi-operator/cluster-api-operator --untar --untardir charts
 	rm -rf charts/cluster-api-operator/charts
+
+update-dockerfiles:
+	../../../hack/update-dockerfiles.sh with_helm
+
+components := $(subst /,,$(subst images/,,$(dir $(wildcard images/*/Dockerfile))))
+img_targets := $(addprefix image-,$(components))
+
+update-images: $(img_targets)
+
+.PHONY: $(img_targets)
+$(img_targets):
+	@$(eval name := $(subst image-,,$@))
+	@$(eval tag := $(shell egrep -o "FROM .*$(name).*" images/$(name)/Dockerfile | awk -F: '{print $$NF}'))
+	BUILDX_METADATA_PROVENANCE=0 docker buildx build images/$(name)/ \
+		--provenance false \
+		--tag $(subst //,/,$(REGISTRY)/$(TYPE)/$(name):$(tag)) \
+		--cache-from type=registry,ref=$(subst //,/,$(REGISTRY)/$(TYPE)/$(name):latest) \
+		--cache-to type=inline \
+		--metadata-file images/$(name).json \
+		--push=$(PUSH) \
+		--load=$(LOAD) && \
+	img_name=$$(jq -r '."image.name" | split(":")[:-1] | join(":")' images/$(name).json) \
+		yq -i '.$(name).image.manager.repository = ("$${img_name}"|envsubst(nu,ne))' values.yaml && \
+	img_tag=$$(jq -r '."image.name" | split(":")[-1]' images/$(name).json) \
+	img_digest=$$(jq -r '."containerimage.digest"' images/$(name).json) \
+		yq -i '.$(name).image.manager.tag = ("$${img_tag}@$${img_digest}"|envsubst(nu,ne))' values.yaml
+

packages/system/capi-operator/images/cluster-api-operator.json

@@ -0,0 +1,6 @@
+{
+  "buildx.build.ref": "default/default/7nxaun3sgw6z95qhgc4c873qo",
+  "containerimage.config.digest": "sha256:0ff1e569cc97f686d6c0c9ed6e6396c72eca93df746e7ca469f97124cae1e73d",
+  "containerimage.digest": "sha256:79282412e0b891630235ecf919c45b0531f25a0926825385a51bb2a7dde880fb",
+  "image.name": "localhost:5000/aenix-io/cozystack/system/cluster-api-operator:v0.8.1"
+}

packages/system/capi-operator/images/cluster-api-operator/Dockerfile

@@ -0,0 +1 @@
+FROM registry.k8s.io/capi-operator/cluster-api-operator:v0.8.1

packages/system/capi-operator/values.yaml

@@ -0,0 +1,5 @@
+cluster-api-operator:
+  image:
+    manager:
+      repository: "localhost:5000/aenix-io/cozystack/system/cluster-api-operator"
+      tag: "v0.8.1@sha256:79282412e0b891630235ecf919c45b0531f25a0926825385a51bb2a7dde880fb"

packages/system/cilium/Makefile

@@ -1,6 +1,9 @@
+CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml)
+
 NAME=cilium
 NAMESPACE=cozy-$(NAME)
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk
 
 update:
@@ -8,5 +11,20 @@ update:
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
 	helm pull cilium/cilium --untar --untardir charts --version 1.15
+	ln -s ../../images charts/cilium/images
+	sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
-	patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
+	version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \
+	sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile
+
+image:
+	docker buildx build images/cilium \
+		--provenance false \
+		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \
+		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/cilium:latest \
+		--cache-to type=inline \
+		--metadata-file images/cilium.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag

packages/system/cilium/charts/cilium/images

@@ -0,0 +1 @@
+../../images

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -94,7 +94,7 @@ spec:
       {{- end }}
       containers:
       - name: cilium-agent
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.sleepAfterInit }}
         command:
@@ -398,7 +398,7 @@ spec:
         {{- end }}
       {{- if .Values.monitor.enabled }}
       - name: cilium-monitor
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /bin/bash
@@ -430,7 +430,7 @@ spec:
       {{- end }}
       initContainers:
       - name: config
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - cilium-dbg
@@ -485,7 +485,7 @@ spec:
       # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
       # We use nsenter command with host's cgroup and mount namespaces enabled.
       - name: mount-cgroup
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
         - name: CGROUP_ROOT
@@ -531,7 +531,7 @@ spec:
               - ALL
           {{- end}}
       - name: apply-sysctl-overwrites
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -580,7 +580,7 @@ spec:
       # from a privileged container because the mount propagation bidirectional
       # only works from privileged containers.
       - name: mount-bpf-fs
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -605,7 +605,7 @@ spec:
       {{- end }}
       {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
       - name: wait-for-node-init
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -625,7 +625,7 @@ spec:
           mountPath: "/tmp/cilium-bootstrap.d"
       {{- end }}
       - name: clean-cilium-state
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /init-container.sh
@@ -697,7 +697,7 @@ spec:
         {{- end }}
       {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true"))  }}
       - name: wait-for-kube-proxy
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -735,7 +735,7 @@ spec:
       {{- if .Values.cni.install }}
       # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
       - name: install-cni-binaries
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
           - "/install-plugin.sh"

packages/system/cilium/images/cilium.json

@@ -0,0 +1,4 @@
+{
+  "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f",
+  "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab"
+}

packages/system/cilium/images/cilium.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/cilium:v0.7.0

packages/system/cilium/images/cilium/Dockerfile

@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:experimental
+
+ARG VERSION=v1.15.5
+
+FROM golang:1.22-bookworm as builder
+
+WORKDIR /source
+
+COPY enforce-device-detection.diff /enforce-device-detection.diff
+
+RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/v1.15.5.tar.gz | tar xzf - --strip-components=1
+RUN git apply /enforce-device-detection.diff
+RUN make build-agent
+
+FROM quay.io/cilium/cilium:${VERSION}
+COPY --from=builder /source/daemon/cilium-agent /usr/bin/cilium-agent

packages/system/cilium/images/cilium/enforce-device-detection.diff

@@ -0,0 +1,244 @@
+diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
+index 9435b2570b..416c34ed7a 100644
+--- a/daemon/cmd/daemon_main.go
++++ b/daemon/cmd/daemon_main.go
+@@ -222,6 +222,9 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
+ 	flags.StringSlice(option.Devices, []string{}, "List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'")
+ 	option.BindEnv(vp, option.Devices)
+ 
++	flags.Bool(option.EnforceDeviceDetection, false, "Enforces the auto-detection of devices, even if specific devices are explicitly listed")
++	option.BindEnv(vp, option.EnforceDeviceDetection)
++
+ 	flags.String(option.DirectRoutingDevice, "", "Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)")
+ 	option.BindEnv(vp, option.DirectRoutingDevice)
+ 
+diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
+index 6a92a83040..bf728ce32e 100644
+--- a/install/kubernetes/cilium/README.md
++++ b/install/kubernetes/cilium/README.md
+@@ -309,6 +309,7 @@ contributors across the globe, there is almost always someone available to help.
+ | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. |
+ | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. |
+ | endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. |
++| enforceDeviceDetection | bool | `false` | Enforces the auto-detection of devices, even if specific devices are explicitly listed |
+ | eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation |
+ | eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI |
+ | eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use |
+diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
+index 9531ca18a8..1ce677f8ce 100644
+--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
++++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
+@@ -688,6 +688,10 @@ data:
+   enable-runtime-device-detection: "true"
+ {{- end }}
+ 
++{{- if .Values.enforceDeviceDetection }}
++  enforce-device-detection: "true"
++{{- end }}
++
+   kube-proxy-replacement: {{ $kubeProxyReplacement | quote }}
+ 
+ {{- if ne $kubeProxyReplacement "disabled" }}
+diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
+index e81d3ebffd..2196bbb814 100644
+--- a/install/kubernetes/cilium/values.yaml
++++ b/install/kubernetes/cilium/values.yaml
+@@ -690,6 +690,9 @@ daemon:
+ # be considered.
+ enableRuntimeDeviceDetection: false
+ 
++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed
++enforceDeviceDetection: false
++
+ # -- Chains to ignore when installing feeder rules.
+ # disableIptablesFeederRules: ""
+ 
+diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
+index 679b4cac07..3ed0b8f88b 100644
+--- a/install/kubernetes/cilium/values.yaml.tmpl
++++ b/install/kubernetes/cilium/values.yaml.tmpl
+@@ -687,6 +687,9 @@ daemon:
+ # be considered.
+ enableRuntimeDeviceDetection: false
+ 
++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed
++enforceDeviceDetection: false
++
+ # -- Chains to ignore when installing feeder rules.
+ # disableIptablesFeederRules: ""
+ 
+diff --git a/pkg/datapath/cells.go b/pkg/datapath/cells.go
+index 69d6d71836..c0f4947d73 100644
+--- a/pkg/datapath/cells.go
++++ b/pkg/datapath/cells.go
+@@ -114,7 +114,8 @@ var Cell = cell.Module(
+ 		// This is temporary until DevicesController takes ownership of the
+ 		// device-related configuration options.
+ 		return linuxdatapath.DevicesConfig{
+-			Devices: cfg.GetDevices(),
++			Devices:                cfg.GetDevices(),
++			EnforceDeviceDetection: option.Config.EnforceDeviceDetection,
+ 		}
+ 	}),
+ 
+diff --git a/pkg/datapath/linux/devices_controller.go b/pkg/datapath/linux/devices_controller.go
+index fdfde8d4ec..cac3e44a32 100644
+--- a/pkg/datapath/linux/devices_controller.go
++++ b/pkg/datapath/linux/devices_controller.go
+@@ -84,6 +84,9 @@ type DevicesConfig struct {
+ 	// If empty the devices are auto-detected according to rules defined
+ 	// by isSelectedDevice().
+ 	Devices []string
++	// EnforceDeviceDetection forces the auto-detection of devices,
++	// even if user-specific devices are explicitly listed.
++	EnforceDeviceDetection bool
+ }
+ 
+ type devicesControllerParams struct {
+@@ -103,9 +106,10 @@ type devicesController struct {
+ 	params devicesControllerParams
+ 	log    logrus.FieldLogger
+ 
+-	initialized    chan struct{}
+-	filter         deviceFilter
+-	l3DevSupported bool
++	initialized          chan struct{}
++	filter               deviceFilter
++	enforceAutoDetection bool
++	l3DevSupported       bool
+ 
+ 	// deadLinkIndexes tracks the set of links that have been deleted. This is needed
+ 	// to avoid processing route or address updates after a link delete as they may
+@@ -121,11 +125,12 @@ func newDevicesController(lc cell.Lifecycle, p devicesControllerParams) (*device
+ 		p.RouteTable,
+ 	)
+ 	dc := &devicesController{
+-		params:          p,
+-		initialized:     make(chan struct{}),
+-		filter:          deviceFilter(p.Config.Devices),
+-		log:             p.Log,
+-		deadLinkIndexes: sets.New[int](),
++		params:               p,
++		initialized:          make(chan struct{}),
++		filter:               deviceFilter(p.Config.Devices),
++		enforceAutoDetection: p.Config.EnforceDeviceDetection,
++		log:                  p.Log,
++		deadLinkIndexes:      sets.New[int](),
+ 	}
+ 	lc.Append(dc)
+ 	return dc, p.DeviceTable, p.RouteTable
+@@ -529,12 +534,15 @@ func (dc *devicesController) isSelectedDevice(d *tables.Device, txn statedb.Writ
+ 	}
+ 
+ 	// If user specified devices or wildcards, then skip the device if it doesn't match.
+-	// If the device does match, then skip further checks.
++	// If the device does match and user not requested auto detection, then skip further checks.
++	// If the device does match and user requested auto detection, then continue to further checks.
+ 	if dc.filter.nonEmpty() {
+ 		if dc.filter.match(d.Name) {
+ 			return true, ""
+ 		}
+-		return false, fmt.Sprintf("not matching user filter %v", dc.filter)
++		if !dc.enforceAutoDetection {
++			return false, fmt.Sprintf("not matching user filter %v", dc.filter)
++		}
+ 	}
+ 
+ 	// Skip devices that have an excluded interface flag set.
+diff --git a/pkg/datapath/linux/devices_test.go b/pkg/datapath/linux/devices_test.go
+index cd9fdcc7ad..031894498f 100644
+--- a/pkg/datapath/linux/devices_test.go
++++ b/pkg/datapath/linux/devices_test.go
+@@ -254,7 +254,36 @@ func (s *DevicesSuite) TestDetect(c *C) {
+ 		c.Assert(devices, checker.DeepEquals, []string{"bond0", "dummy0", "dummy1", "dummy_v6", "veth0"})
+ 		option.Config.SetDevices([]string{})
+ 		dm.Stop()
++
++		// EnforceDeviceDetection enabled with specific devices
++		option.Config.SetDevices([]string{"dummy1"})
++		option.Config.EnforceDeviceDetection = true
++		c.Assert(createDummy("dummy0", "192.168.0.1/24", false), IsNil)
++		c.Assert(createDummy("dummy1", "192.168.1.1/24", false), IsNil)
++
++		dm, err = newDeviceManagerForTests()
++		c.Assert(err, IsNil)
++		devices, err = dm.Detect(true)
++		c.Assert(err, IsNil)
++		c.Assert(devices, checker.DeepEquals, []string{"dummy0", "dummy1"})
++		option.Config.SetDevices([]string{})
++		option.Config.DirectRoutingDevice = ""
++		dm.Stop()
++
++		// EnforceDeviceDetection disabled with specific devices
++		option.Config.SetDevices([]string{"dummy1"})
++		option.Config.EnforceDeviceDetection = false
++
++		dm, err = newDeviceManagerForTests()
++		c.Assert(err, IsNil)
++		devices, err = dm.Detect(true)
++		c.Assert(err, IsNil)
++		c.Assert(devices, checker.DeepEquals, []string{"dummy1"})
++		option.Config.SetDevices([]string{})
++		option.Config.DirectRoutingDevice = ""
++		dm.Stop()
+ 	})
++
+ }
+ 
+ func (s *DevicesSuite) TestExpandDevices(c *C) {
+diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
+index fe34caa624..f095ff9a42 100644
+--- a/pkg/defaults/defaults.go
++++ b/pkg/defaults/defaults.go
+@@ -554,6 +554,10 @@ const (
+ 	// identity in a numeric identity. Values > 255 will decrease the number of
+ 	// allocatable identities.
+ 	MaxConnectedClusters = 255
++
++	// EnforceDevicesDetection enforces the auto-detection of devices,
++	// even if specific devices are explicitly listed
++	EnforceDeviceDetection = false
+ )
+ 
+ var (
+diff --git a/pkg/option/config.go b/pkg/option/config.go
+index 27c697d9e3..9ba4367b2e 100644
+--- a/pkg/option/config.go
++++ b/pkg/option/config.go
+@@ -123,6 +123,9 @@ const (
+ 	// Devices facing cluster/external network for attaching bpf_host
+ 	Devices = "devices"
+ 
++	// Enforces the auto-detection of devices, even if specific devices are explicitly listed
++	EnforceDeviceDetection = "enforce-device-detection"
++
+ 	// DirectRoutingDevice is the name of a device used to connect nodes in
+ 	// direct routing mode (only required by BPF NodePort)
+ 	DirectRoutingDevice = "direct-routing-device"
+@@ -2447,6 +2450,10 @@ type DaemonConfig struct {
+ 
+ 	// ServiceNoBackendResponse determines how we handle traffic to a service with no backends.
+ 	ServiceNoBackendResponse string
++
++	// EnforceDeviceDetection forces the auto-detection of devices,
++	// even if specific devices are explicitly listed
++	EnforceDeviceDetection bool
+ }
+ 
+ var (
+@@ -2490,6 +2497,7 @@ var (
+ 		AllocatorListTimeout:            defaults.AllocatorListTimeout,
+ 		EnableICMPRules:                 defaults.EnableICMPRules,
+ 		UseCiliumInternalIPForIPsec:     defaults.UseCiliumInternalIPForIPsec,
++		EnforceDeviceDetection:          defaults.EnforceDeviceDetection,
+ 
+ 		K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery,
+ 
+@@ -3563,6 +3571,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
+ 	c.UseCiliumInternalIPForIPsec = vp.GetBool(UseCiliumInternalIPForIPsec)
+ 	c.BypassIPAvailabilityUponRestore = vp.GetBool(BypassIPAvailabilityUponRestore)
+ 	c.EnableK8sTerminatingEndpoint = vp.GetBool(EnableK8sTerminatingEndpoint)
++	c.EnforceDeviceDetection = vp.GetBool(EnforceDeviceDetection)
+ 
+ 	// Disable Envoy version check if L7 proxy is disabled.
+ 	c.DisableEnvoyVersionCheck = vp.GetBool(DisableEnvoyVersionCheck)

packages/system/cilium/templates/_helpers.tpl

@@ -0,0 +1,3 @@
+{{- define "cilium.image" -}}
+{{ .Files.Get "images/cilium.tag" | trim }}@{{ index (.Files.Get "images/cilium.json" | fromJson) "containerimage.digest" }}
+{{- end -}}

packages/system/cilium/values.yaml

@@ -24,4 +24,11 @@ cilium:
     configMap: cni-configuration
   routingMode: native
   enableIPv4Masquerade: false
+  enableIPv6Masquerade: false
   enableIdentityMark: false
+  enableRuntimeDeviceDetection: true
+  #enforceDeviceDetection: true
+  devices: ovn0
+  extraEnv:
+  - name: CILIUM_ENFORCE_DEVICE_DETECTION
+    value: "true"

packages/system/dashboard/images/dashboard.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.6.0
+ghcr.io/aenix-io/cozystack/dashboard:v0.7.0

packages/system/dashboard/images/kubeapps-apis.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249",
-  "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093"
+  "containerimage.config.digest": "sha256:44db4f7c92adb68c79eb3e152c95318e559e5c1ac0ba6e3d467596b1315f37a1",
+  "containerimage.digest": "sha256:b0c355cf5387b376e676a9e395fa0a11790409123a29e637a7080a413fe7f10d"
 }

packages/system/dashboard/images/kubeapps-apis.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.7.0

packages/system/kubeovn/Makefile

@@ -17,7 +17,6 @@ update:
 image:
 	docker buildx build images/kubeovn \
 		--provenance false \
-		--tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \
 		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \
 		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \

packages/system/kubeovn/images/kubeovn.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6",
-  "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192"
+  "containerimage.config.digest": "sha256:b3d76d1764c8c470a32b4d3b19e48592eda547710e8e6508666930e1db1b4cb3",
+  "containerimage.digest": "sha256:e5275d3a367aba3b4a7ec0bf25583cc21241e320da2ffd86f5c9cf4a7f6fac77"
 }

packages/system/kubeovn/images/kubeovn.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeovn:latest
+ghcr.io/aenix-io/cozystack/kubeovn:v0.7.0

scripts/installer.sh

@@ -3,7 +3,7 @@ set -o pipefail
 set -e
 
 BUNDLE=$(set -x; kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}')
-VERSION=3
+VERSION=4
 
 run_migrations() {
   if ! kubectl get configmap -n cozy-system cozystack-version; then

scripts/migrations/3

@@ -0,0 +1,12 @@
+#!/bin/sh
+# Migration 3 --> 4
+
+# Fix kubeovn crds
+kubeovn_crds=$(kubectl get crd -o name | grep '\.kubeovn\.io$')
+if [ -n "$kubeovn_crds" ]; then
+  kubectl annotate $kubeovn_crds meta.helm.sh/release-namespace=cozy-kubeovn meta.helm.sh/release-name=kubeovn
+  kubectl label $kubeovn_crds app.kubernetes.io/managed-by=Helm
+fi
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=4 --dry-run=client -o yaml | kubectl apply -f-